Have you ever won a prize that you did not want? Perhaps your name was added to a list that you would rather not have been on. Today there is a list that every company should be aware of. Shodan is a website anyone can use to find open ports on internet connections and, unfortunately, is used with malicious intent.
Let us first back up one-step. Ports, in this case, refer to services that run across the network. When you are on the internet you start with an IP address (the address devices are given when on either an internal or external network), and this is how data is directed from point A to point B. Ports are the next layer, on top of IP addresses.
For example, say you want to pull up a Wikipedia website, so you open a browser and search for “en.wikipedia.org”. Your computer then translates that string of text into an IP address. Next, the browser will ask for Wikipedia’s data using either HTTP or HTTPS (Hypertext Transfer Protocol and the S signifies the secure version of this). HTTP and HTTPS are ports, specifically 80 and 443 in this case.
Shodan will show you things like an internet connected doorbell, a public website, or any other service hosted within a network but can be accessed remotely. The initial idea of the website was to expose how many devices were remotely accessible on the internet. It is debatable whether this was a good or bad idea, but now that it exists, we have to deal with the fallout of bad actors using this information to focus their attacks.
RDP Attack Vector
One service that has been historically used and therefore purposefully exposed on the internet is Remote Desktop Protocol (RDP), some may know this as “Terminal Services”. The intention of this service is to allow remote access to a full desktop environment. Users can open a window and act as if they are in the office. System Administrators use this method to provide remote support.
In early 2016, SWAT noticed an uptick in Remote Desktop servers (servers running RDP) being targeted for brute force attacks. These servers were having thousands of username and password combinations sent to them in an effort to gain access to the server. Unfortunately, we were looking for this traffic due to a client experiencing an attacker using RDP to access their company network.
The attack that we dealt with was the likes of which we had not seen or heard of before. After isolating the problem, cleaning up the network, and investigating logs, we found this attack to be multi-pronged and sophisticated. Recently I read an article that sounded similar to what we had seen a few years ago. This attack method is a great example of how one small opening can lead to big headaches.
What happened?
The client’s network was scanned and found to have an open port for RDP. As a result, the IP address of where this open port was discovered ended up on Shodan’s list of sites with open RDP ports. From there, we believe someone (or a group) compiled a list of IP addresses with open RDP ports. This person or group then fed this list to an automated network (a bot network) along with the scripts to brute force passwords. This bot network attempted to gain access to the various Remote Desktop servers in the list.
Networks that were not following best practices with passwords or had poor automatic-lockout policies were quickly exposed. We speculate that the “discovered” username and passwords combinations able to access the networks were bundled together and sold on the Darknet. It is also possible this information was stored away for later use by the original attacker(s).
The next attack happen several months after the open port was discovered. This was the real attack. We believe a bot was set loose with the remote attack command. At this point, the bot was in the network and able to deploy ransomware on any computer that was responding during the window of attack. It then began the scripted process of encrypting as much data as possible. It is possible the attack was more manual as the Sophos article suggests, though we believe the attacker was not as careful to cover their tracks.
Attack Analysis
Much of the company’s data and system files were encrypted. The attacker left a note behind on various servers and workstation on how to pay to unlock the files. SWAT had seen similar ransomware attacks, however, in other cases users were tricked into running the encryption software instead of the network being remotely accessed to run the attack. This meant the attacks were much more limited as they relied on the attacked user’s privileges. If the particular user had limited access, only a small number files would have been encrypted.
The big insights from this attack were two fold. One, attackers could access the network with the right account and easily take control. Two, attackers were now going after more than the common company files. This second point was driven home by the fact that the attackers locked up system files. If system files are targeted then any application could be rendered useless.
For our client one thing that prolonged the recovery process was their backup software was also attacked. While all the backups we had were safe and sound, it is rather difficult to restore them without the application. First, we had to obtain hardware for the recovery. After transferring the backed up data to the temporary hardware, we were able to start the restoration process, but even this was slow as it involved cleaning up several workstations as well as restoring the servers.
The client never had to pay the ransom to unlock their files, but it was still very costly to have down time for their entire workforce.
Preventing this kind of attack
Restricting Access
The first line of defense against this specific attack is to decide if you need Remote Desktop services as your sole remote access solution. SWAT currently advises clients to use a VPN first (either software or hardware based) before making use of RDP. VPNs provide an added layer of protection as attacking them is far more difficult.
Patch Your Computer
When was the last time you reviewed your patching policy? Is your company a SWAT Systems client? Call or email us and we can review your patching policy. Are you on your own? Then we suggest that at minimum you are receiving monthly critical security patches. Allowing Windows to update itself on its own schedule is best, however, this means paying close attention so Windows does not reboot when you have unsaved files open.
The Power of Passwords
Another reoccurring theme you will hear from me both in-person and throughout my articles, is we need to think hard about passwords. Unfortunately, most of us have bad habits when it comes to passwords. The running joke used to be to check under the keyboard for the password, but these days even that seems safer than what many people chose to do. Many reuse passwords, or use the same password in multiple places. I cannot explain how risky this is.
People also tend to think they are being clever by replacing characters. For example, replacing “e” with the number “3”, but any good dictionary attack will include common passwords with letters swapped out for their common number or symbol replacements. Using long, complex passwords is the best practice where we cannot use additional security options. If needed, use a password manager to track these passwords, or better yet, use a password manager to create them and keep track of them.
Least Privilege
Finally, the last big lesson to be learned in this is the principle of “least privilege”. This principle states that you only use the appropriate level of security to do your job. For example, if you need access to one particular folder and this folder is accessible to everyone within the network, then you should not have administrative privileges, but rather only the privilege that everyone else within the network should have (basic privileges). Permissions on a network do not stop someone from exploiting faults in the system, but do increase the difficulty of harming a network.
Parting Thought
One parting word I would have is that, yes, I have carefully read the articles I reference for this post. It is strange finding myself in disagreement with the findings of a team of people I feel are far more clever than myself. Security is difficult and many of us could be the blind individuals feeling different parts of the elephant and concluding that we are all touching a different animal. If you also read the Sophos articles, especially the one on SamSam, you will notice the attack described in there varies from my post here in several ways. At this point, I am sticking with my version as it best fits the evidence we found.
Additional Reading
- Sophos’s more recent report on SamSam
- Sophos’s older article on the more general RDP and ransomware attack
- For those interested in Shodan
