A remote desktop service refers to the feature that allows remote control of other PCs. In Windows, this service is provided by default through Remote Desktop Protocol (RDP). This means that if the target system is a Windows environment, RDP can be used to control this remote target without having to install additional remote control tools.
For remote control, the operator is required to have account credentials for the target system and log in using these credentials. As such, if an RDP-enabled system is exposed to the public, threat actors can launch brute force (or dictionary attacks) to obtain the account credentials. If the user has set improper account credentials, the threat actor can obtain the system’s account credentials through brute force attacks.
Attacks targeting the RDP service have been persistent even until recently. While there are threat actors who use the account credentials obtained through these attacks to launch attacks directly, there are also cases where many of the obtained account credentials are sold on the dark web. Various threat actors can purchase these credentials of vulnerable RDP systems on sale. Those who purchase the credentials can use them to log into the target system and exfiltrate data or install ransomware for financial gain.
Figure 1. Ransomware attacks exploiting RDPNot only is RDP an important means for initial compromise, but it can also be used for lateral movement. After taking control of the system in a certain network, a variety of stored information can be collected. The account credentials found through this process can be used to gain control over other systems within the internal network.
For these reasons, RDP is being used in various attacks. This post provides a summary of the attacks carried out by ransomware operators.
1. Cases of Ransomware Attacks
Ransomware operators use account credentials they obtained themselves or those purchased from the dark web to log into the infected system. After logging in, tools such as Mimikatz are used to obtain the account credentials of the infected system and the internal network administrator. Account credentials saved in applications can also be obtained via NirSoft’s WebBrowserPassView or MailPassView.
Additionally, if there are other systems within the same internal network, port scanners are often used in the process of taking control over these systems through lateral movement attacks. Aside from these, threat actors also tend to disable antivirus software installed in the infected systems using tools such as Defender Control and Process Hacker.
Once these processes are complete, the ransomware is installed. If lateral movement within the internal network is successful, other systems in the network can also become targets of encryption in addition to the target system. Ransomware installed through such attacks include GlobeImposter, MedusaLocker [1], Hakuna Matata [2], Venus, Crysis [3], and Lockis [4].
There are many limitations to blocking these attacks in a system that has only an antivirus product installed. For example, the threat actor can delete the product or use tools such as Defender Control and Process Hacker to disable it in the initial stage. Even if such an attempt fails, there is a limit to detecting and blocking the tools used by threat actors via antivirus software only, because these tools are those that can be used by ordinary users for normal purposes.
AhnLab EDR (Endpoint Detection and Response) is the only next-generation threat detection and response solution based on behavior-based engine that exists in South Korea. It provides powerful threat monitoring, analysis, and response capabilities for endpoint areas. AhnLab EDR continuously collects information related to suspicious behaviors based on each type and is designed in a way that allows you to precisely perceive threats from a detection, analysis, and response perspective. Through comprehensive analysis based on these, you can identify causes, respond with appropriate measures, and establish processes to prevent recurrence.
Figure 2. AhnLab EDRAhnLab EDR detects and analyzes the attack processes including initial compromise with RDP brute forcing, collecting information, and attacking via various tools, providing support for administrators within an organization to respond to threats. Below are details of each attack stage analyzed with AhnLab EDR.
2. RDP Brute Forcing and Dictionary Attack Stage
The Windows OS can monitor failed login events through policies. As such, when RDP brute force attacks occur, multiple failed login events (Windows security event ID: 4625) can be observed in the system. The following case is a log where a system infected with the Hakuna Matata ransomware continued suffering from persistent brute forcing after the ransomware attack occurred.
Figure 3. Event log on a brute forcing attackAhnLab EDR detects multiple login failure events as a threat and helps administrators notice this.
Figure 4. Brute force attack detected by EDRAdministrators can check whether the log was generated through a legitimate authentication process by viewing the authentication log. For example, examining many of the login failure logs shows that they involve common user accounts instead of a single user account. Threat actors typically launch dictionary attacks using frequently used user accounts and passwords.
Figure 5. EDR showing logs of attempts from multiple accounts
3. Attack Stage Where Various Tools Are Used
After obtaining the account credentials, the threat actor logs into the target system via RDP. After logging in, different tools are installed for various purposes such as port scanning, information collection, and deactivating security products. Below is a summary of the logs that install these tools as well as such cases detected by AhnLab EDR.
Figure 6. Logs of tools being installed for attacks
3.1. Exfiltrating Account Information
NirSoft’s tools are often used in the process of collecting account credentials saved in an infected system. WebBrowserPassView is a tool that extracts and displays account credentials saved in web browsers such as Chrome, Firefox, and IE. Mail PassView extracts and provides account credentials saved in email clients such as Outlook and Thunderbird. Besides these, VNCPassView and WirelessKeyView can also extract and provide various other account credentials saved in the infected system.
Figure 7. EDR showing execution logs of tools used in an attack
Figure 8. EDR showing detection logs of tools used in an attack
3.2. ProcDump, Mimikatz
Mimikatz is a tool that extracts account credentials saved in a Windows system. Account credentials can be saved in various formats, and accordingly, Mimikatz supports a variety of extraction methods. The most common method is extracting and decrypting account credentials saved in the memory of the LSASS process.
However, this method is likely to be detected and blocked by security products. To bypass this situation, threat actors are devising various workarounds. A major example is using Sysinternals’s ProcDump instead of Mimikatz to dump the LSASS process memory, after which account credentials are extracted and decrypted from the memory dump created through this process.
Because ProcDump can be used for normal purposes, there are limits to detecting these behaviors with antivirus products. AhnLab EDR can detect threat actors using ProcDump to dump the LSASS process memory.
Figure 9. EDR showing the execution logs of the ProcDump toolAfterward, the threat actor can use Mimikatz to analyze the LSASS process memory dump and exfiltrate the account credentials saved in the system. While Mimikatz is closer to a malware than a tool, threat actors pack or obfuscate Mimikatz to evade detection, making it unable to be detected by file-based detection features of antivirus products. Even in such a case, AhnLab EDR can detect Mimikatz from its unique characteristics.
Figure 10. EDR showing the logs of Mimikatz being used for analyzing a memory dump
3.3. Disabling Security Products
Security products such as antivirus programs cannot detect all attacks that exploit such tools. Also, even if these attacks are successful, the ultimate goal of the threat actor is installing ransomware, which by nature is easily detected and blocked by antivirus products. For these reasons, threat actors often remove or disable such security products during the attack process.
The ransomware operators covered so far tend to use a tool called Defender Control. Defender Control is a tool for disabling Windows Defender. Windows Defender is installed by default in the latest versions of Windows OS, and even if another antivirus product is installed, Windows Defender becomes enabled again when the antivirus product is uninstalled.
For these reasons, various threat actors attempt to disable Windows Defender by often using Defender Control. AhnLab EDR detects the behavior of disabling Windows Defender Antivirus using Defender Control and informs administrators of this behavior.
Figure 11. EDR showing the logs of Windows Defender being disabled
4. Conclusion
Many ransomware operators use RDP as an attack vector. Major examples of such ransomware operators include GlobeImposter, MedusaLocker, Hakuna Matata, Venus, Crysis, and Lockis, who have already been consistently using the same type of attack method for years. These attacks usually begin with brute force and dictionary attacks against systems with improper account credentials.
Users can disable RDP when not in use to reduce the number of attack attempts. It is recommended to use a complex account password in systems using RDP and to change it periodically to prevent brute force and dictionary attacks. Security must also be enhanced using VPN and multi-factor authentication.
There are limits to detecting and blocking these attacks with antivirus products only. AhnLab EDR detects each step of the attack before the threat actor installs ransomware, from brute force attacks against RDP to the account credentials theft stage using various tools. This allows administrators to identify the cause and establish adequate responses and measures to prevent recurrence.
Behavior Detection
– InitialAccess/EDR.Event.M11071
– Execution/EDR.Event.M10819
– CredentialAccess/EDR.WirelessKeyView.M11215
– Execution/EDR.Event.M10817
– Execution/EDR.Event.M10815
– Execution/EDR.Behavior.M10741
– Execution/EDR.Behavior.M10484
– CredentialAccess/EDR.Mimikatz.M11469
– SystemManipulation/DETECT.T1562.M4022
AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.
The post Ransomware Attacks Using RDP as the Attack Vector – Detected by EDR appeared first on ASEC BLOG.
Article Link: https://asec.ahnlab.com/en/59439/