Blog / Pretty In Pink

We’ve outlined this type of attack in a Tech Update in May of this year. We identified weak passwords as the way the hacker gained complete access to a computer on the network.  We won’t go there again; I think you get the message.

However, I did want to lift the hood for a few minutes to give you an appreciation of the steps  required to properly track down the threat, eliminate the cause, investigate the root attack vector, and make recommendations to prevent it in the future.  Here is an edited version of the tech’s report:

On October 10 at 9:55am, the client had e-mailed me that she was having some strange events happening to her computer. I followed up with an immediately phone call to identify the problem further.

These issues were reported:

  • Monitor flickering black
  • Computer screen suddenly going to the login
  • A new computer username was shown as “Jeremy
As soon as I heard that a new user logged in, I took immediate action as her computer was being logged in remotely via another machine/user
Actions taken:
  • Logged into the server and logged into the firewall
  • Disabled all remote desktop connections including the client, the Accounting computer and all servers besides the primary.
  • Logged into the client’s machine, located user Jeremy, logged off and disabled the account
  • Checked administrator settings and removed the recently-added admin users and groups
  • Changed RDP access to authenticated users and added the client only
  • Changed the client’s password.
Detail of the attack:  
  • Who: Alias Jeremy
  • What: Hacker, found hacking tools, gained password access to client’s account with minimal password errors
  • When: Approximately 8:30 Oct 10,2016
  • Where: Source IP not found at this time
  • Why:
    • Tools found the hacker gained administrator authority of this computer.
    • The hacker then attempted to run scripting files that would allow the machine to work as a terminal server and allow the user to remotely log into the machine at the same time as the main user undetected.
    • Another tool was on the machine to decrypt encrypted passwords and log keystrokes.
    • This activity supports the idea that this hacker was looking to steal information to sell on the black market.

This type of attack is directly related to directed RDP vulnerabilities once the attacker knows the password. It’s possible this hacker had received information via a key logger on a machine that was used to access the RDP session. Although this is very likely, it has not been confirmed.

The antivirus (Trend Micro) denied all hacking tool attempts once the user was logged into the machine, thus stopping his attacks.
  • CRCK_PATCH – Identified as the tool for password cracking
  • HKTL_RDPPATCH – identified as the tool that enables multiple user access via RDP
  • Trojan.Win32.FSYSNA – AKA Chewbacca – Keylogger / memoryscanner. Uses Tor to access C&C servers and build a database of information.
The Cleanup process:
  • This computer was quarantined until I was able to clean out all of the found hacking tools and Trojans.
  • This computer’s security settings were also checked.
  • All infections I was able to find have been removed and the computer was then again allowed on to the network
 Future Best Practices for RDP Access from Home/Anywhere for this client:
  • Now that organization has a more sophisticated IT infrastructure, we are starting to see the importance of security when allowing directed RDP access to machines.
  • It’s important that supplied hardware is configured by the primary tech to ensure that it is configured with minimum rights. This will protect the computer and user when they are remotely accessing the network.
  • A SSL VPN tunnel is recommended to allow secure/encrypted access to the main network from the remote-controlling computer. Once connected, the user can then RDP into their directed RDP machine.
  • Antivirus such as Trend Micro will be installed to the provided machine with heavily secured settings
  • Firewall Policies will be established to secure and monitor the connections. This will eliminate any breaches to the network and will only allow specific devices to connect.
  • In the future, we can also configure and install the Watchguard Dimension VM Server. This software can be used to monitor all of organization’s security conditions and build reports for either daily, monthly or yearly events. These reports can show the condition of network security when it comes to Malware or network attacks.
It’s not as simple as it first appears, and this was a straight-forward attack and subsequent resolution. Fortunately, the client was able to identify and report the problem immediately, so damage was minor. But the message is:

IT Security and virus attacks need to be taken seriously.  They should be reported immediately and organizations need to pay attention to recommendations to mitigate future risk. It’s also a moving target – what works today may not work tomorrow.
Please contact us or your Primary Tech if you would like more information on how to protect your organization from malicious attacks.