Those of you who did not go to a boys only (military especially) boarding school in the late 70’s and early 80’s, may not be familiar with some of the hilarious pranks played (or preyed) upon the younger members of the community (‘Fruits’ was amongst the collective nouns for the new arrivals at some places we could mention).
Along with the usual apple pie bed, sending the victim (Fruit) to the Tuck Shop for sky hooks, buckets of steam, Kiwi shiny circles etc., some were much more sadistic, clearly very amusing gags which in today’s world would be very much newsworthy and lead to extensive virtue signalling and probably custodial sentences, years of counselling, compensation etc..
These included being encouraged to apply Deep Heat, Vicks (‘do you know Vick Burns?’) or other forms of liniment to places where it should not be applied. Argh Deep Heat.
Regular readers of this blog may have read our piece about the perils of remote access code, especially RDP in our Argh DP missive in July.
Move on a couple of months and none other than the FBI, has issued a warning about RDP and other remote administration tools being used as the primary vector for lateral infection by serious, organised hackers, Nation State downwards.
Everything moves up the stack (especially overflow exploits) apart from poker chips. SMB as a vector continues to be successful currently with the resurgence of lateral spreading malwares such as Emotet, which uses (amongst many other techniques) a set of easily guessable passwords. If you don’t believe how straightforward this is, have a read of this. This malware doesn’t use the NSA SMB ETERNALBLUE exploit because it doesn’t have to.
We can confirm that we are seeing these attacks in operation right now. Very worryingly, they are being used to drop really nasty ransomware code such as SamSam and others having previously being used as low level, long term infiltration techniques.
The Feds have got it absolutely right. If you are not sorting these things out, you should:
VULNERABILITIES
Weak passwords – passwords using dictionary words or do not include a mixture of uppercase/lowercase letters, numbers, and special characters – are vulnerable to brute-force attacks and dictionary attacks.
- Outdated versions of RDP may use flawed CredSSP, the encryption mechanism, thus enabling a potential man-in-the-middle attack.
- Allowing unrestricted access to the default RDP port (TCP 3389).
- Allowing unlimited login attempts to a user account.
Those of you who work in an offensive or actively defensive cyber environment will be very familiar with the standard infection Modus Operandi that might precede this lateral movement.
This will be the successful infiltration of one or more devices, most likely using spear phishing, followed by a search for locally cached credentials (using tools such as mimikatz), some of which will most likely be system administrators, followed by privilege escalation using techniques such as ‘pass the hash’ or other Kerberos attacks.
If your business is ‘Red Teamed’, we bet this would be the primary vector for successful compromise. This is not a great big secret. Trouble is that this is being automated and exploited by criminals (mwahahaha).
We have assisted a number of organisations that had had RDP and other remote access solutions either connected to, or accessible from the public Internet for legitimate reasons, primarily remote management. We have also advised compromised entities about successful lateral infection via RDP.
As we discussed back in July, this situation will get worse before it gets better. Now is the time to have a look at your risk in these areas. Of course our charming and effective team would be more than happy to assist. Contact us at: [email protected] or call 020 7517 3900.
Should you be approached by vendors or resellers discussing their forthcoming partnership with non-other than Batfink heavy industries, which will be sure to give you wings of steel, complete with Machine Learning, Artificial Intelligence, BlockChain or the like, please call us.
Vicks does burn by the way, when applied to the nether regions.
