Blog / Pretty In Pink
However, I did want to lift the hood for a few minutes to give you an appreciation of the steps required to properly track down the threat, eliminate the cause, investigate the root attack vector, and make recommendations to prevent it in the future. Here is an edited version of the tech’s report:
These issues were reported:
- Monitor flickering black
- Computer screen suddenly going to the login
- A new computer username was shown as “Jeremy”
- Logged into the server and logged into the firewall
- Disabled all remote desktop connections including the client, the Accounting computer and all servers besides the primary.
- Logged into the client’s machine, located user Jeremy, logged off and disabled the account
- Checked administrator settings and removed the recently-added admin users and groups
- Changed RDP access to authenticated users and added the client only
- Changed the client’s password.
- Who: Alias Jeremy
- What: Hacker, found hacking tools, gained password access to client’s account with minimal password errors
- When: Approximately 8:30, Oct 10, 2016
- Where: Source IP not found at this time
- Tools found show the hacker gained administrator authority over this computer.
- The hacker then attempted to run scripting files that would allow the machine to work as a terminal server and allow the user to remotely log into the machine at the same time as the main user undetected.
- Another tool was on the machine to decrypt encrypted passwords and log keystrokes.
- This activity supports the idea that this hacker was looking to steal information to sell on the black market.
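The sequence the tech reconstructed (a new local account appears, is made an administrator, then logs on over RDP) is the kind of thing Security-log monitoring can catch early. The following is an added example, not part of the original post or the tech's report; it runs over constructed, simplified event records (event IDs 4720, 4732 and 4624 with logon type 10 are real Windows Security events, but the field names are assumptions, not the exact EVTX schema).

```python
# Added example (not from the original post): flag accounts that were created,
# added to the local Administrators group, and then logged on over RDP.
# Event records are constructed samples with simplified field names.

# Constructed sample Security-log events, deliberately out of order.
SAMPLE_EVENTS = [
    {"id": 4624, "user": "client", "logon_type": 10, "time": "2016-10-10T08:02"},
    {"id": 4624, "user": "Jeremy", "logon_type": 10, "time": "2016-10-10T08:31"},
    {"id": 4720, "user": "Jeremy", "by": "client", "time": "2016-10-10T08:25"},
    {"id": 4732, "member": "Jeremy", "group": "Administrators", "time": "2016-10-10T08:26"},
    {"id": 4624, "user": "client", "logon_type": 2, "time": "2016-10-10T09:00"},
]

RDP_LOGON_TYPE = 10  # 4624 logon type 10 = RemoteInteractive (RDP)


def find_suspicious_accounts(events):
    """Return accounts that were created (4720), added to Administrators (4732)
    and then logged on via RDP (4624, type 10), in that chronological order.
    Each hit carries the timestamps of the three steps."""
    created = {}   # user -> time account was created
    admin = {}     # user -> time added to Administrators (only if created first)
    hits = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] == 4720:
            created[e["user"]] = e["time"]
        elif (e["id"] == 4732 and e.get("group") == "Administrators"
              and e.get("member") in created):
            admin[e["member"]] = e["time"]
        elif (e["id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE
              and e["user"] in admin):
            hits.append({
                "user": e["user"],
                "created": created[e["user"]],
                "made_admin": admin[e["user"]],
                "rdp_logon": e["time"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_accounts(SAMPLE_EVENTS):
        print(f"ALERT: new admin account {hit['user']} logged on over RDP "
              f"at {hit['rdp_logon']} (created {hit['created']})")
```

A real deployment would feed this from exported Security-log events rather than the inline list; the ordering step matters because forwarded events often arrive out of sequence.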
This type of attack is directly related to directed RDP vulnerabilities once the attacker knows the password. It’s possible this hacker had received information via a key logger on a machine that was used to access the RDP session. Although this is very likely, it has not been confirmed.
- CRCK_PATCH – Identified as the tool for password cracking
- HKTL_RDPPATCH – identified as the tool that enables multiple user access via RDP
- Trojan.Win32.FSYSNA – AKA Chewbacca – Keylogger / memory scanner. Uses Tor to access C&C servers and build a database of information.
- This computer was quarantined until I was able to clean out all of the found hacking tools and Trojans.
- This computer’s security settings were also checked.
- All infections I was able to find have been removed and the computer was then again allowed onto the network.
- Now that the organization has a more sophisticated IT infrastructure, we are starting to see the importance of security when allowing directed RDP access to machines.
- It’s important that supplied hardware is configured by the primary tech to ensure that it is configured with minimum rights. This will protect the computer and user when they are remotely accessing the network.
- An SSL VPN tunnel is recommended to allow secure/encrypted access to the main network from the remote-controlling computer. Once connected, the user can then RDP into their directed RDP machine.
- Antivirus such as Trend Micro will be installed on the provided machine with heavily secured settings.
- Firewall Policies will be established to secure and monitor the connections. This will eliminate any breaches to the network and will only allow specific devices to connect.
- In the future, we can also configure and install the Watchguard Dimension VM Server. This software can be used to monitor all of the organization’s security conditions and build reports for daily, monthly or yearly events. These reports can show the condition of network security when it comes to malware or network attacks.