Port 3389 attack at work...anyone have experience?

First off I'm not an IT professional and don't handle those duties for the company I work for. I do however enjoy learning more about IT security.

I work for a small business and sometimes need to work from home/out of town. We use the Windows remote desktop feature to log in to our local server. From there I have access to our ERP system.

Last weekend we were hacked with some sort of ransomware. Everything was down Monday but we are back up and running now. Everything has been fixed but now our remote capabilities are turned off for the time being (closed port 3389). Apparently they are working on something so us outside employees can use the server again.

Our IT manager sent out what I thought was an interesting email. It's from a company we apparently contract with for IT assistance.

Worked to identify cause of problems on TS. Determined they had been hit with ransomware. The port 3389 attack they had been experiencing eventually succeeded in breaching their network and when it did they took control of the local admin account and created many additional local user accounts with random names. This weekend they then infected the system with a crypto virus. It appends each file name with 'lock'. I used the Everything tool to identify the files. It was the entire server. Opened ticket with ****** and he assisted with getting the restore of the system state, C drive, and E drive. Working on deleting the files that were locked now.

The sentence "port 3389 attack they had been experiencing eventually succeeded" jumped out at me. Is there a record somewhere that shows a history of someone looking for ports to try to get in? Is the 3389 port a known weakness for security purposes? Is this something that the company probably should have been more prepared for? I know for a fact my password for remote login was VERY weak (I didn't set it).

Thanks
 
Did your organization require you to connect with a VPN? Or some other type of remote login (GoToMyPC, LogMeIn, etc.)?

Or was 3389 opened to one machine?
 
TCP port 3389 is typically Windows Remote Desktop. It really shouldn't be exposed to the public internet. Basically, someone was probably brute force attacking, ie trying various username-password combinations in an attempt to get into the system. You would be surprised how common certain combinations are. Given unlimited opportunity, the brute force effort will probably pay off.

robert
 
Weak passwords are definitely a big issue, and good password policies that are enforced really help hugely. Good for your IT folks for having effective backups! The only reason crypto/ransomware is effective is because groups fail to take good backups and then they're in serious trouble when something like this hits. It's amazing to me how many organizations fail completely when it comes to backups.

A good way to go for remote access is dual factor authentication, in addition to a good VPN. Dual factor authentication is usually where you have to enter a password, but also something else--a USB key typically. Remote attackers may guess the username and password, but it's tougher for them to get around that secondary authentication.

Of course, a lot depends on the size of your organization--smaller shops just don't have the budget for some things. Also, many times Management just doesn't understand the business risks of poor security until an attack like this succeeds. I bet your management will be more receptive to any new security initiatives your IT group comes up with for 2017. :)
 
As robertcope said, probably a dictionary attack that succeeded.

Having 3389 open, by itself, isn't necessarily a security risk, but if your passwords are weak then this situation can occur. Some people have nothing better to do than ruin other people's days.

For a system that's fairly sensitive, I'd at minimum change the port. Listen on something other than 3389. If it's super critical (but you still want remote access), I'd set up some sort of IPS on the connection, monitor logs, and make backups all the time. A well configured VPN would be a good option, too.
 
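The "record" the OP asks about and the log monitoring OVERKILL recommends both come down to the Windows Security log on the server that accepted RDP. Below is an added example (not code from anyone in this thread) that shows what a brute-force attempt, its eventual success, and the follow-on account creation look like in that log and how to flag each stage. The event IDs are the real ones (4625 failed logon, 4624 successful logon, 4720 user account created); the log lines, IP addresses and account names are constructed for the example, and the flattened one-record-per-line format is an assumption about how an export or SIEM would present the fields.

```python
"""Added example: flag RDP password guessing and its aftermath in Windows
Security log data. Event IDs are real; the records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records in a flattened "time event_id logon_type target_user source_ip"
# form (an assumed export format). Logon type 10 is RemoteInteractive (RDP); with
# Network Level Authentication enabled, failed RDP logons are commonly recorded as
# type 3 (Network) instead, so both types are treated as remote below.
# For 4720 (account created) the logon type and source IP are not present ("-").
SAMPLE_LOG = """\
2017-01-14T02:11:03 4625 3 administrator 203.0.113.7
2017-01-14T02:11:09 4625 3 admin 203.0.113.7
2017-01-14T02:11:15 4625 3 test 203.0.113.7
2017-01-14T02:11:21 4625 3 backup 203.0.113.7
2017-01-14T02:11:27 4625 3 sales 203.0.113.7
2017-01-14T02:11:33 4625 3 administrator 203.0.113.7
2017-01-14T02:13:40 4624 10 administrator 203.0.113.7
2017-01-14T02:15:02 4720 - qxz12 -
2017-01-14T02:15:31 4720 - plm77 -
2017-01-14T02:16:04 4720 - wkr09 -
2017-01-14T08:02:10 4625 10 jsmith 198.51.100.20
2017-01-14T08:02:41 4624 10 jsmith 198.51.100.20
"""

REMOTE_LOGON_TYPES = {"3", "10"}


def parse_events(text):
    """Turn the flattened lines into dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, event_id, logon_type, user, ip = parts
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "user": user.lower(),
            "ip": ip,
        })
    return events


def failures_by_source(events, window=timedelta(minutes=10), threshold=5):
    """Return {ip: (total_failures, usernames_tried)} for every source that produced
    at least `threshold` remote logon failures inside some `window`."""
    per_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == "4625" and e["logon_type"] in REMOTE_LOGON_TYPES:
            per_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in per_ip.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(fails)):
            # slide the window so it spans at most `window` of time
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(fails), sorted({f["user"] for f in fails}))
                break
    return flagged


def success_after_guessing(events, **kwargs):
    """Successful remote logons (4624) from a source already flagged for guessing:
    the 'eventually succeeded' case, which should be treated as a breach."""
    flagged = failures_by_source(events, **kwargs)
    return [(e["ip"], e["user"], e["time"].isoformat())
            for e in events
            if e["event_id"] == "4624" and e["logon_type"] in REMOTE_LOGON_TYPES
            and e["ip"] in flagged]


def account_creation_burst(events, window=timedelta(minutes=30), threshold=3):
    """Names of accounts created (4720) when at least `threshold` creations fall
    inside one `window`; such a burst right after a suspicious logon is a strong signal."""
    created = sorted((e for e in events if e["event_id"] == "4720"),
                     key=lambda e: e["time"])
    for i in range(len(created)):
        j = i
        while j + 1 < len(created) and created[j + 1]["time"] - created[i]["time"] <= window:
            j += 1
        if j - i + 1 >= threshold:
            return [e["user"] for e in created[i:j + 1]]
    return []


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("password guessing sources:", failures_by_source(evs))
    print("successes from those sources:", success_after_guessing(evs))
    print("account creation burst:", account_creation_burst(evs))
```

On the constructed data the script flags 203.0.113.7 (six failures against five usernames inside a minute), reports its later successful logon as administrator, and lists the three oddly named accounts created minutes afterwards, while the single typo-then-success from 198.51.100.20 stays quiet. The same three checks are what an IPS or SIEM rule would encode; the thresholds are starting points to tune against your own logon volume.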
Originally Posted By: robertcope
TCP port 3389 is typically Windows Remote Desktop. It really shouldn't be exposed to the public internet. Basically, someone was probably brute force attacking, ie trying various username-password combinations in an attempt to get into the system. You would be surprised how common certain combinations are. Given unlimited opportunity, the brute force effort will probably pay off.

robert


This.

The approach of exposing remote desktop is a very poor security practice. You should be leveraging a VPN for that purpose.
 
Port 3389 is generally used for RDP. Most companies should have a firewall that monitors traffic in and out and blocks unauthorized traffic. Proper firewall configuration should have stopped this. The attacker was probably spoofing random RDP connection information until they got one right with a brute force style attack. The way my organization gets around this is we first require a VPN connection before anything else. This can still be spoofed, but it is much harder to do and often times has permissions set only to allow certain computer names or MAC addresses.
 
Originally Posted By: OVERKILL
This.

The approach of exposing remote desktop is a very poor security practice. You should be leveraging a VPN for that purpose.


There are tools available that scan for the "weak" servers.... this is info from 10 years ago....

specifically for US servers.....
 
Originally Posted By: gonefishing
Opened ticket with ****** and he assisted with getting the restore of the system state, C drive, and E drive. Working on deleting the files that were locked now.


Wow!

They didn't restore the system to full previous state?
AKA: bare-metal + last known good backup?
 
Originally Posted By: pandus13
Originally Posted By: OVERKILL
This.

The approach of exposing remote desktop is a very poor security practice. You should be leveraging a VPN for that purpose.


There are tools available that scan for the "weak" servers.... this is info from 10 years ago....

specifically for US servers.....


Yes, there are entire suites of vulnerability software that scan for backdoors and openings for services like RDP. Ergo, exposing any service to the internet is generally a bad practice and for offsite access a VPN is the usual method of gaining access to an RDP server, if RDP is employed.
 
Cyber attackers get a lot of help based on just mistakes that are made by the IT staff configuring and maintaining a system.

Then there's the someone is stupid method. Someone called the receptionist telling her he was from Microsoft and needed her password and username to make a critical update. It did not work because the system will only accept her username and password from her workstation and requires a finger print check.

Cyber security is becoming an excellent career choice for a young savvy IT person.
 
Originally Posted By: pandus13
Originally Posted By: gonefishing
Opened ticket with ****** and he assisted with getting the restore of the system state, C drive, and E drive. Working on deleting the files that were locked now.


Wow!

They didn't restore the system to full previous state?
AKA: bare-metal + last known good backup?


Most of these Cryptoviruses only encrypt files with common document extensions such as .doc, .docx, .rtf, .txt, and so on. After you have cleaned the virus off, and are sure you have, there isn't much reason to do a fresh reinstall or full restore.
 
Thank you everyone for the information. We have some smart cookies on this board!

In one of the subsequent emails after the attack, a VPN was mentioned. I'll probably know more next week on the company's plan for remote server work.
 
Here in 2017 any company that's not using VPN for remote users should consider purging out any individuals who had a part in that decision process.

There's no excuse.
 
Originally Posted By: Subdued
Here in 2017 any company that's not using VPN for remote users should consider purging out any individuals who had a part in that decision process.

There's no excuse.


Agreed, this is the dumbest thing I have ever seen.

We had a user get cryptodefense infection last year. Took about 8-10 hours of labor to put the system back in a usable state, we rolled back a good copy of the server from the day before.

With virtualization this is not that bad of a task. Sounds like your company has physical servers and they are wiping them bare metal? That sounds painful, and not acceptable for the year 2017.
 
Originally Posted By: Subdued
Here in 2017 any company that's not using VPN for remote users should consider purging out any individuals who had a part in that decision process.

There's no excuse.

Not to defend anybody, just relaying couple real world experiences:

-OP, I have a feeling the servers are Windows 2003 and the ERP system at least 10 years old....
-Older Personnel and Management not really up to specs, even if they had access to computers/IT tech for the last 30-40 years...If it works, none of their business....If it doesn't, they need a scapegoat, not a solution. Hence they use IT contractors (the cheapest bid=knowledge? yeah right)
-Manufacturing industry with IT/ERP systems from 10-15 years ago with sometimes technology behind from the 90's....
-I know of one manufacturer using a dBase system on Windows XP computers (because of the DOS based dBase system) (1990 is calling....)
 
Originally Posted By: JustinH
That sounds painful, and not acceptable for the year 2017.

How can you make Management like in my previous post pony up the money for virtualization and training?

I think Subdued and OP are happy they have the backup system at least in place....
 