Security Week 19: bruteforce attacks on RDP

The move of office workers to remote work has sharply increased the load both on public web conferencing and file sharing services and on corporate infrastructure. These are two fundamentally different problems. An outage at Zoom is a problem for one service, with several alternative applications available. A company's own services have no substitutes: if the in-house mail or VPN server goes down, the consequences are serious. Not everyone was ready for a situation in which most employees sit outside the more or less well-built corporate perimeter.



Security often suffers as a result: servers that were previously reachable only from the office are opened to the outside, and layers of protection are stripped from VPN, mail and file storage. Cybercriminals could not fail to take advantage of such a situation, and the graph above (from the Kaspersky Lab study) shows exactly how: it plots the growth in the number of brute-force attacks on RDP servers. This graph is for Russia; the study shows graphs for other countries too, and the picture is the same, with the number of brute-force attacks rising several-fold.

Attackers use both common default passwords and databases of frequently used passwords. For a well-configured corporate infrastructure this is not a problem, but times are hard, the load on IT staff is high, and there are more opportunities to make a mistake. The recommendations are standard: use complex passwords, ideally do not expose the RDP server to the outside at all, and require Network Level Authentication (NLA). Last year it was NLA that made serious protocol vulnerabilities hard to exploit. It is best not to enable RDP at all when such access is not genuinely needed.
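An added PowerShell example, not part of the original digest, that checks the settings the paragraph recommends on a Windows RDP host and summarises recent failed logons (Security event 4625) by source address, so a spray or brute-force run against the server shows up in a single table. The registry paths and the event ID are the standard Windows ones; the 24-hour look-back window and the 20-failure threshold are assumptions to be tuned to your environment.

```powershell
# Added example (not from the Kaspersky digest): audit an RDP host's exposure
# and summarise recent failed logons per source IP. Run elevated on the server.
# The look-back window and the threshold below are assumptions.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means RDP is disabled.
$rdpDenied = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
# 2. Is Network Level Authentication required? UserAuthentication = 1 means yes.
$nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication
# 3. Is the security layer TLS rather than legacy RDP security? SecurityLayer = 2.
$secLayer = (Get-ItemProperty -Path $tcp -Name SecurityLayer).SecurityLayer

[pscustomobject]@{
    RdpEnabled  = ($rdpDenied -eq 0)
    NlaRequired = ($nla -eq 1)
    TlsLayer    = ($secLayer -eq 2)
} | Format-List

# Enforce NLA if it is off: the one-line fix the recommendations call for.
if ($nla -ne 1) {
    Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1
}

# 4. Failed logons in the last 24 h (assumed window), grouped by source IP.
#    With NLA on, failed RDP logons are recorded as logon type 3 (network);
#    without it they appear as type 10 (RemoteInteractive).
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
            -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
            SourceIp  = $d['IpAddress']
        }
    } |
    Where-Object { $_.LogonType -in '3', '10' -and $_.SourceIp -and $_.SourceIp -ne '-' }

# Report every address with more than 20 failures (assumed threshold) and how
# many distinct usernames it tried: many users from one IP is a password spray,
# many attempts against one user is a classic brute-force run.
$failed | Group-Object SourceIp | Where-Object Count -gt 20 |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count,
                  @{ n = 'DistinctUsers'; e = { ($_.Group.User | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize
```

The report only reflects what the Security log still holds; on a server that has been hammered for days the log may have rolled over, so the figures are a floor, not a total. Addresses that show up here belong in a firewall block list, and the source of the attempts should be cut off at the perimeter rather than left to account lockout alone.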

What else happened


More vulnerabilities in WordPress plugins. A CSRF vulnerability was found in the Real-Time Find and Replace plugin that allows a malicious script to be injected into the site. Three plugins used to build e-learning sites on WordPress (LearnDash, LearnPress, LifterLMS) have a number of vulnerabilities leading to information disclosure, modification of user grades and privilege escalation up to full control of the site.

Databases of compromised Zoom accounts are openly sold in the cyber underground. One of the first cases, a rather modest collection of logins and passwords, was recorded in early April; last week a set of 500 thousand accounts was already on offer. The databases are either sold very cheaply or given away for free. Since web conferences are ephemeral, the main threat from such leaks is their use to develop an attack on a company's other network services, where the same passwords may be reused. But there are other scenarios: last week the Financial Times fired a reporter who had written about financial troubles at a rival publication; he learned of those troubles after joining a poorly protected web conference.


The creators of the Shade ransomware Trojan uploaded 750 thousand decryption keys to GitHub with the message: "We apologize to all victims of the trojan." A Kaspersky Lab expert confirmed (see the tweet above) that the keys work.

A major vulnerability in Cisco IOS XE software affects SD-WAN routers.

A massive phishing attack targets users of the Microsoft Teams collaboration service.

F-Secure described in detail a vulnerability in Salt, an open-source project for managing server infrastructure.
