TechnoJoe

Noticing an uptick in RDP brute forcing and ransomware injection attempts


I've noticed on some test computers that RDP brute force attempts are on the rise, and I've heard from some individuals that they were hacked and ransomware was run on their systems. I've noticed it on a few of my test systems too; after having RDP over WAN enabled for months, it has just started in the past week to last couple of days. So, there must be new IP scan-and-hack campaigns running out there designed to look for open RDP ports. I don't even use standard RDP ports, but there are many attempts at getting access through RDP from numerous IP addresses at a time. The attackers must be using port scanners and trying all open ports with RDP brute force methods.


I wish there was some good network monitor and/or security health check option that would scan for this. I've heard about Glasswire before, which looks fairly simple to use, but is also heavily advertised on YouTube tech videos, so I'm wondering about the quality of it (I tend to stay away from products where the company has a huge advertising budget, especially for blogs and the like). Is it a decent program, or just over-hyped? And can you suggest anything similar? And something that won't conflict with Emsisoft? I kinda wish there was a first-party tool from Emsi for analyzing security attack points on a system or network, especially considering that they go hand-in-hand with ransomware and other malware injections.

9 hours ago, TechnoJoe said:

I've heard about Glasswire before, which looks fairly simple to use, but is also heavily advertised on YouTube tech videos, so I'm wondering about the quality of it (I tend to stay away from products where the company has a huge advertising budget, especially for blogs and the like). Is it a decent program, or just over-hyped?

GlassWire is essentially a network monitor with a flashy UI, and some really basic firewall features. It does have a reasonable number of notification options, and RDP connections are one of them. Notifications are also logged under "Alerts" in the main UI. Keep in mind of course that Windows also logs RDP connections in the Event Logs, but that any attacker who has half a brain will delete all such logs and disable any security software, so you need to prevent them from accessing the machine's RDP port altogether rather than relying on security software to protect your system from RDP compromise.

I'll paste below the steps I usually recommend for preventing RDP compromise, however note that they are intended for businesses with networks that have already suffered from RDP compromise.


First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary, then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
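As an added example (not from the original post or any Emsisoft tool), the PowerShell below covers two of the steps above on a single Windows host: it lists inbound firewall rules that allow a port from any remote address (the "globally open" ports the audit should question), and it summarises failed logons from the Security log per source IP so that a brute-force run like the one described in the first post is visible. It assumes Windows 8 / Server 2012 or later (NetSecurity module) and an elevated prompt for reading the Security log; the function names and the threshold value are my own.

```powershell
# Added example: firewall exposure audit + failed-logon summary for RDP brute forcing.
# Assumes Windows 8/Server 2012+ (Get-NetFirewall* cmdlets) and an elevated PowerShell.

# 1. Enabled inbound allow rules whose remote address scope is "Any". These are the
#    rules that expose a port to the whole Internet when the host is reachable from WAN.
function Get-GloballyOpenInboundRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $addr = $rule | Get-NetFirewallAddressFilter
            $port = $rule | Get-NetFirewallPortFilter
            if ($addr.RemoteAddress -contains 'Any') {
                [pscustomobject]@{
                    Name       = $rule.DisplayName
                    Profile    = $rule.Profile
                    Protocol   = $port.Protocol
                    LocalPort  = ($port.LocalPort -join ',')
                    RemoteAddr = ($addr.RemoteAddress -join ',')
                }
            }
        }
}

# 2. Failed logons (Event ID 4625) grouped by source IP over the last N hours.
#    With Network Level Authentication enabled, RDP password failures are logged as
#    LogonType 3 (network); without NLA they appear as LogonType 10 (RemoteInteractive).
function Get-FailedLogonsBySource {
    param([int]$Hours = 24, [int]$Threshold = 10)   # threshold is an arbitrary constructed value
    $since = (Get-Date).AddHours(-$Hours)
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match the filter.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Ip = $d['IpAddress']; LogonType = $d['LogonType']; User = $d['TargetUserName'] }
        } |
        Where-Object { ($_.LogonType -in '3','10') -and $_.Ip -and ($_.Ip -ne '-') } |
        Group-Object Ip |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count,
                      @{ n = 'Accounts'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

Get-GloballyOpenInboundRules | Format-Table -AutoSize
Get-FailedLogonsBySource -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

A source IP that shows up with many failures against several account names is the pattern to feed into the firewall audit (restrict the rule to known addresses or move the service behind the VPN), rather than a reason to rely on endpoint alerts alone.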
