Eliminate or Secure Your Use of Remote Desktop Protocol; Denial of Services Caused by Let’s Encrypt Root Cert Expiration; Protect Life Critical Systems Against Ransomware and Other Attacks

This shouldn't be news to anybody watching their logs over the last couple years. A number of large credential leaks focused on RDP. We looked at some of the increases in RDP scanning in April of last years when it was noted as a significant entry point for ransomware. (https://isc.sans.edu/forums/diary/Increase+in+RDP+Scanning/25994). Since then, we have seen a steady rise in the number of sources scanning for RDP with occasional surges in reports. (https://isc.sans.edu/port.html?port=3389). Note that this increase isn't so much caused by remote working. These systems have been exposed before, but leaked credentials gave attackers new tools to attack these exposed systems.

Johannes Ullrich

Two points on this one: (1) monthly or even quarterly changes in the technical targets of attacks aren’t very meaningful overall, since usually the next month or quarter will be very different. This one shows the growth mostly in attacks against targets in Spain, so often still regional info to be gained; and (2) there was a lot of emergency use of RDP to support work from home. By now that use should be replaced with more secure remote access approaches – see the NSA/CISA VPN guidance listed in another item in this issue of Newsbites.

John Pescatore

Whether exploited or not, your pentesters should tell you that services like RDP, VNC, SMB, etc. exposed to the internet are bad. Please, please, please put them behind a good VPN with MFA. See also: today's article on VPN security. (-:

Christopher Elgee

With the increased telework, many added services were made Internet accessible, quickly. Those often include RDP, which makes access easy for users and malicious actors. Remote access must require multi-factor authentication to thwart the value of captured credentials. Put your RDP services behind a secure remote access gateway rather than exposing them directly to the Internet.

Lee Neely

Unsecure RDP connections are one of the top attack vectors that ransomware gangs use to infiltrate companies. Microsoft have published a guide on how to secure RDP (https://www.microsoft.com/security/blog/2020/04/16/security-guidance-remote-desktop-adoption). But you should also identify all remote management tools and platforms that are in place within your organization, ensure they are secured appropriately, and regularly conduct reviews to make sure they remain secure.

Brian Honan

Certificate management has long been overlooked – expired certificates are a continual source of self-inflicted denial-of-service attacks. This used to be just an internet-facing web server problem, but the increased use of SSL everywhere (both internally and with more than browser to server connections) it becomes more critical. Discovering what certificates are in use and when they will expire is the first step – should be considered a required function within asset inventory and vulnerability management processes.

John Pescatore

While you’ve been focused on getting all your sites to be TLS only, and implementing processes and automation to keep those current, don’t overlook the processes needed to keep your root certificate stores current. While you’re working to judiciously apply patches such as browser and OS updates which include updated certificates, don’t overlook application server/service updates which may also include local root certificate stores.

Lee Neely

This Let’s Encrypt issue is a good lesson in how vendors and manufacturers think about technology. Deploying certificates is a great and helpful idea. The part of the challenge that I believe many companies or technologists miss is day 2. How do you handle updates for maintenance items on devices that are not general-purpose computers? TVs, printers, light bulbs, Internet connected toasters? How do you revoke or update a certificate on a printer? An intermediary certificate with ten years of life on a device with a ten-year life span is ideal. Using that same certificate on a device created six months ago? Probably not ideal unless you can update it.

Moses Frost

Critical systems need adequate protection. Isolate systems which, if compromised, can result in loss of life, and limit access to only authorized systems and users. Verify those separations are in place on a regular cadence, removing any access which is no longer needed.

Lee Neely

Over the years there have been worms, distributed denial-of-service and ransomware attacks that tragically been associated with loss of life. Lawsuits have followed but have rarely if ever been successful. That doesn’t change the fact that functions that are life critical should be protected at a much higher level, with regularly tested backup approaches and prioritized monitoring.

John Pescatore

I worked at significant hospitals for the first 8 to 10 years of my IT career. Security was secondary to patient safety. The most considerable security budget items dealt with patient health information and keeping worms from bringing down the systems. Anyone who has worked in that field knows that it's challenging to convince management to prioritize information security. A significant challenge is to upgrade a million-dollar medical device because it runs Windows 7 and still has several more years of life left before it is obsolete. Maybe this new style of attack that impacts patient safety can bring more meaningful change, both at the manufacturer level and at healthcare facilities.

Moses Frost

Sound advice and it may help justify spending some time reviewing VPN configurations. While some of the recommendations (for example limiting the IP addresses users connect from) may not be practical for a remote access solution, keeping your software up to date and implementing two factor authentication is a must at this point for any remote access solution.

Johannes Ullrich

This guide encapsulates the basics for you to verify your VPN is well chosen and securely configured. Configure secure encrypted protocols, keep them patched and select products which you can verify are genuine. Make sure that multi-factor authentication doesn’t exclude any accounts. If you have the infrastructure to support certificate-based authentication, consider that as an option. Make sure certificates cannot be easily extracted and moved to unauthorized systems. Also make sure that your VPN grants access only to the services each user needs.

Lee Neely

It feels like we are rehashing this conversation again with SSL VPNs. Initially, we said that HTTPS-based VPNs were less than ideal, specifically those used to port forward through Java Applets. Now the guidance has shifted even more interestingly. Use standards-based protocols like IPSEC and be able to inspect the code itself. The interesting problem here is that all enterprise VPNs, with few exceptions, are closed sourced. The open source options lack many of the logging/auditing/firewalling features most organizations need. It sounds like an opportunity for someone to fill the gap. This problem is even more challenging when you get to the newer Service Defined Perimeter options which form Zero Trust. Almost all of these are opaque and sometimes with custom VPN Protocols—still excellent guidance from CISA and the NSA.

Moses Frost

Terminate VPNs on the application, not the operating system or the perimeter.

William Hugh Murray

When was the last time you assessed your insider threat posture? Use the CISA tool to take a fresh look at your posture. Use the assessment report to plan for any improvements, and note your successes.

Lee Neely

Keep in mind that while insider threat is low, consequences and risk are high. Focus on controls (e.g., vetting at hiring, supervision, training, separation of duties, job rotation, mandatory vacations, accountability, recognition, compensation).

William Hugh Murray

This exploit is leveraging DLL search order hijacking and applies to both your on-premises and cloud based AD FS services. Read the Microsoft bulletin for techniques and IOCs used Microsoft provided security products, such as Defender, already detect Nobelium/FoggyWeb. Review your security settings, make sure credentials are issued using best practices, use HSM modules to prevent exfiltration of secrets by FoggyWeb. Use the Microsoft’s best practices guide for securing AD FS. https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs

Lee Neely

Once again, ADFS is back in the news. We talked about blood in the water, and this will not end for some time. Anyone who spends any time searching the internet will see that ADFS is used in some of the world's largest and most important institutions. We should treat this just like we treat VPNs. It's the edge of your network; in this case, it's the edge of your identity perimeter. It's also connected directly to Active Directory, and many times it's part of the Azure Active Directory Flow.

Moses Frost

SANS has a Girls Go Cyberstart initiative (https://girlsgocyberstart.org/) that has partnered with Girls Who Code in the past. Bringing women and minorities into cybersecurity both increases the size of the workforce and the effectiveness and diversity of security teams.

John Pescatore

This is an excellent opportunity as CISA is becoming not only more central in US government cyber security, but also interfacing with private sector, particularly critical infrastructure and is seeking needed cyber talent to meet its mission. The networking opportunities are outstanding.

Lee Neely

Given the recent high level political talks about ransomware, such as talks at the G7 summit, this is a worrying development. Group-IB have been very effective in sharing data with law enforcement in dealing with cyber-crime. Such actions against senior figures in cyber security companies may discourage others from sharing similar information and negatively impacting our ability at a global level to deal with the threat of cybercrime and in particular ransomware.

Brian Honan

When sharing data, particularly internationally, be very clear on export control and legal jurisdiction surrounding that information. Verify the agency which regulates your industry and the information category.

Lee Neely

This shows the need for clear communications when responding to an incident. While some services are offline, such as the phone system, other changes, such as delaying certain procedures due to pandemic induced capacity constraints, are also being erroneously attributed to the attack. Communicate fully and clearly and provide regular updates during an incident.

Lee Neely