Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management

Ransomware Gangs' Not-So-Secret Attack Vector: RDP Exploits

But RDP Attack Overuse Leads Other Hackers Back to Botnets, Researchers Find
Ransomware Gangs' Not-So-Secret Attack Vector: RDP Exploits
RDP brute-force pen-testing software used by the Truniger hacking group to deploy ransomware (Source: Advanced Intelligence)

Many ransomware-wielding attackers continue to hack into organizations via remote desktop protocol.

See Also: Gartner Guide for Digital Forensics and Incident Response

Of course, RDP is a legitimate tool that enables IT departments to remotely and easily manage Windows systems. But poorly secured RDP can give attackers easy entry into enterprise networks.

"Gaining access to servers via exposed RDP endpoints continues to be an attractive target for malicious actors," David Stubley, head of incident response firm 7 Elements in Scotland, tells Information Security Media Group.

On cybercrime marketplaces, buying RDP credentials remains easy and inexpensive. Criminals will steal RDP credentials or amass them via brute-force-cracking, then sell them via some darknet marketplaces for just $20 each (see: Cybercrime Black Markets: RDP Access Remains Cheap and Easy).

Criminal use of stolen RDP credentials is rife. Security experts say many affiliates of the now-defunct GandCrab ransomware-as-a-service offering, for example, relied on RDP to place the ransomware onto targets' systems, sharing a cut of every ransom paid with the GandCrab gang. The operators of GandCrab announced their retirement in May - boasting that their affiliates had earned more than $2 billion - and since then, some affiliates have switched to the Sodinokibi Raas operation, also known as Sodin or REvil. That includes some big-name "Crab" affiliates such as the Truniger hacking collective and the threat actor “Lalartu" - the name of a ghostly, vampiric spirit in Sumerian legend.

Honeypots Track Sodinokibi Actors

Since May, security firm McAfee says that its global network of honeypots has captured evidence of attacks being waged by three Sodinokibi affiliates. McAfee researchers Jessica Saavedra-Morales, Ryan Sherstobitoff and Christiaan Beek note in a recent blog post that the affiliates have been using the following tactics in an attempt to compromise victims:

  • RDP: Brute-forcing RDP credentials via password-cracking tools, or buying already stolen passwords for a specific target, to access a victim's network;
  • Phishing: Distributing crypto-locking malware via spear-phishing emails that carry weaponized attachments, which are often malicious Office documents;
  • Scripts: Using batch (BAT) files to download payloads being stored on text-sharing site Pastebin, then injecting these into an operating system process;
  • IT service providers: Hacking into IT and managed service providers to use the MSP's own software, deployed onto clients' endpoints, to push ransomware onto numerous endpoints at once.

Security firm Armor recently reported that at least 13 MSPs and cloud providers have been compromised by ransomware this year. Some of those attacks involved Sodinokibi (see: Texas Ransomware Responders Urge Remote Access Lockdown).

Repeat Entry Vector: RDP

Cybercrime is a business, and attackers tend to use the tools and tactics that will most quickly lead to a payday (see: Sodinokibi Ransomware Gang Appears to Be Making a Killing).

Sodinokibi affiliates keep 60 percent of every ransom payment, rising to 70 percent after they see three successful ransom payments, McAfee's John Fokker and Christiaan Beek note in a recent research report. The remaining amount gets remitted to the actor or actors behind Sodinokibi (see: Ransomware: Average Ransom Payout Increases to $41,000).

All three of the Sodinokibi affiliates studied by McAfee attempted to hack targets, at least in part, via RDP.

"Gaining access to servers via exposed RDP endpoints continues to be an attractive target for malicious actors"
—David Stubley, 7 Elements

The security researchers saw one group - with an unknown affiliate ID - using internet port scanner Masscan together with NLBrute, a tool designed to brute-force RDP servers' access credentials. "The actor then created a user account ‘backup’ and proceeded to consistently connect from an IP address range in Belgrade, Serbia," McAfee says.

A different threat actor - with the Sodinokibi affiliate ID of 34 - "deployed a variant of the Mimikatz credential harvester during the intrusion," among other commonly seen tools.

"Another tool, known as Everything.exe, was also executed during the same period," the McAfee researchers say. "This tool was used to index the entire file system and what was on the target system. This tool is not considered malicious and was developed by a legitimate company but can be used for profiling purposes. The usage of reconnaissance tools to profile the machine is interesting as it indicates potential manual lateral movement attempts by the actor on the target system."

Profile found by McAfee of a member of a "Persian-speaking credential cracking crew harvesting RDP credentials and other types of data" who appears to be part of a Sodinokibi affiliate

Many times, attackers who drop Sodinokibi onto a targeted system also install other malware, such as cryptocurrency miners, McAfee says, noting that in one case, it tied mining software to a specific Gmail account, which appeared to belong to a Farsi-speaking gang that was active on a Telegram channel devoted to RDP hacking.

"Using open-source intelligence (OSINT) investigation techniques, we identified an individual that is most likely tied to the discovered Gmail address," McAfee says. "Based on our analysis, this individual is likely part of some Persian-speaking credential cracking crew harvesting RDP credentials and other types of data. The individual is sharing information related to Masscan and Kport scan results for specific countries that can be used for brute-force operations."

McAfee says it saw another Farsi-speaking Sodinokibi group with the affiliate ID 19 targeting systems in Israel, Oman and the United Arab Emirates.

Overall, McAfee says that some of the attacks it witnessed traced to IP spaces in Iran, Poland, Serbia and South Africa, although it's not clear if that's where the attackers were located. Likewise, it notes that just like GandCrab, Sodinokibi's code blacklists systems with the language set to the Romanian and Persian languages, which suggests the RaaS operation may have multiple affiliates who speak those languages.

Hackers Upskill

While RDP has been one of the dominant techniques employed by hackers to gain remote access to networks and deploy ransomware, at least some attackers have moved on.

Take the hacking collective that calls itself Truniger. New York-based cyber intelligence firm Advanced Intelligence, also known as AdvIntel, says Truniger began using RDP to gain access to systems and had crypto-locked more than 1,800 devices by August 2018, working with the Rapid Ransomware gang.

At some point, Truniger came to the attention of GandCrab, joined forces and continued to improve its hacking prowess, learning to use Mimikatz to obtain Active Directory passwords, while also stealing financial information and gaining escalated access privileges, AdvIntel says (see: Ransomware School: The Rise of GandCrab Disciples).

RDP brute-force pen-testing software called RDP Brute, coded by “z668" and used by the Truniger hacking group to gain access to a victim's environment and deploy crypto-locking malware (Source: AdvIntel)

One of the threat intelligence firm's investigators, posing as a member of the cybercrime underground, was told by a member of Truniger earlier this year about how it operates:

"We have a loader, first we deliver the loader [via targeted email phishing] and then upload the bot, and then, by using the bot we upload all the meta and move further within the network. ... We are currently focusing on dedicated servers [and compromised RDPs] .... [we are] interested in macro and dynamic data exchange (DDE) for our purposes." In Windows, DDE is used to transfer information between applications.

RDP Exploits: Overexposed

The group says its tactics reflect a move beyond RDP hacking, which Truniger says has become overused.

"According to Truniger, they relied on RDPs for most of their time, however, by the summer of 2019, so many RDPs got compromised and brute-forced that this method became insufficient for their operations," Yelisey Boguslavskiy, director of research at AdvIntel, tells ISMG. "In other words, they say that RDPs are over-exploited and, paradoxically, this makes them an inefficient tool."

So less-skilled attackers are using RDP to such an extent that hackers seeking a bigger payday are being driven to upskill and look to more advanced and diverse types of tactics for gaining remote access to victims' networks.

"They say RDPs are over-exploited and, paradoxically, this makes them an inefficient tool."
—Yelisey Boguslavskiy, AdvIntel

Remote-access attackers don’t always just wield ransomware, and may have multiple schemes in mind. Indeed, Stubley of 7 Elements says that in many cases his firm has investigated, attackers will have already conducted extensive reconnaissance of the network and exfiltrated as much information as possible, searching for valuable financial data or intellectual property. Then the same group - or maybe a less-skilled one that attackers have sold the access on to - deploys crypto-locking malware to forcibly encrypt everything it can and demands a ransom for the promise of decryption software.

Of course, if organizations cannot stop lower-skilled hackers from gaining access to their networks via poorly secured RDP, they remain even less well-prepared to repel more advanced attackers.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.