Remote Desktop Gateway (RDG), previously known as Terminal Services Gateway, is a Windows Server component that provides routing for Remote Desktop (RDP). Rather then users connecting directly to an RDP Server, users instead connect and authenticate to the gateway. Upon successful authentication, the gateway will forward RDP traffic to an address specified by the user, essentially acting as a proxy. The idea is that only the gateway needs to be exposed to the Internet, leaving all RDP Servers safely behind the firewall.
Overview It has been almost six months since an eye opening vulnerability in Microsoft Windows RDP CVE 2019-0708, dubbed BlueKeep, was patched. Today, Security Researcher Kevin Beaumont posted a Twitter thread reporting BSODs (Blue Screen of Death) across his network of BlueKeep Honeypots. huh, the EternalPot RDP honeypots have all started BSOD'ing recently. They only expose port 3389. pic.twitter.com/VdiKoqAwkr — Kevin Beaumont (@GossiTheDog) November 2, 2019 Kevin kindly shared the crash dump with us and following this lead, we discovered the sample was being used in a mass exploitation attempt.
Overview Emotet’s automated targeting phishing campaigns have arrived and they are aggressive. As originally discovered and predicted in our previous post about Emotet’s mass email harvesting, computers infected with Emotet and the email harvesting module could be used to create believable emails which even savvy email users may be tricked into clicking. Since then, Kryptos’ Threat Intelligence Team has observed Emotet’s behavior evolve, with the aid of their stolen email troves.
Our Threat Intelligence team has been tracking the Emotet botnet throughout 2018. In our previous post we reported a large scale Emotet campaign focused on e-mail content exfiltration. Today, we review the evidence gathered from our Telltale Threat Intelligence Service, which suggests the involvement of Emotet as the delivery mechanism for the latest wave of Ryuk ransomware attacks being dubbed as North Korean state-sponsored cyber-attacks. The evidence from the dataset completes the missing narrative needed to show a likely and complete attack chain of compromise via organized crimeware activity.
The Emotet malware family just raised the stakes by adding email exfiltration to its arsenal, thereby escalating its capabilities to cyber espionage. While it has recently made headlines for delivering ransomware payloads to United States infrastructure such as Water Utilities, Emotet has laid mostly dormant for the past month. In the past days, however, the mummy has returned just in time for Halloween as we observed a new module capable of exfiltrating email content back to the botnet’s operators.
The Emotet botnet reputation precedes it; historically aggressive and malicious, today it has evolved and incorporated a number of advancements to create a more resilient botnet delivery system, nearly immune from takedown. Recently, US CERT reported that Emotet incidents (and its subsequent payload droppers) are affecting state, local, tribal, and territorial (SLTT) governments at up to 1 million dollars per incident. We have captured a global view of many of the active infections within the latest Emotet botnet.
With much attention lately over North Korea and its evolving cybersecurity capabilities, we thought to cover a somewhat related topic. A couple of years back, the North Korean Red Star OS was described at the Chaos Computer Club conference. Among other things, they described the watermarking mechanism used by the OS to keep track of media files. Along with the OS, three kernel modules were identified that appeared to contain homemade encryption algorithms specific to Red Star OS.
In light of the recent news circulating about sporadic WannaCry outbreaks, namely defense contractor Boeing and earlier last month Connecticut state agencies, as well as Honda, we think it important to provide further guidance on assessing ongoing and hidden dangers related to WannaCry outbreaks. To immediately begin reducing risk and augmenting your existing security defenses, we are providing at no cost Telltale, a free version of Vantage Breach Intelligence Feed.
Last November marked the six-month anniversary of WannaCry, arguably the most impactful global cyberattack in history. The persisting WannaCry attack is a re-purposed ransomware strain amplified by (allegedly) leaked exploit code from the NSA. For previous details about the inner workings of WannaCry see our previous post. Today, the United States declared North Korea responsible for the WannaCry attacks. This post will present analytical findings and perspective into just how wide these attacks have scaled, and how very little footprint is required to sustain a global security crisis.
There are a few interesting things to say about the current ransomware Petya. One thing is clear, there is no “kill-switch”. After some preliminary tracking of the domains which presumably deliver the payload for its RTF (Windows document exploit) delivery system and cross referencing it to passive intelligence about the domain name, we noticed the frequency of 2 million hits within an hour. The domains we tracked are not currently serving the payload and are down.
WannaCrypt, aka WannaCry, has been the Infosec story of the past couple of weeks. What was originally a humble ransomware became a newly retrofitted NSA-powered worm which spread recklessly, wreaking global havoc. Fortunately, the proliferation of WannaCry came to a standstill when one of our security researchers, MalwareTech, working to collect intelligence for the Vantage Breach Intelligence Feed, registered a domain associated to the malware, ultimately triggering its “kill switch”.
Connect with Kryptos
- RDP to RCE: When Fragmentation Goes Wrong, 18 Jan, 2020
- BlueKeep (CVE 2019-0708) exploitation spotted in the wild, 03 Nov, 2019
- Emotet scales use of stolen email content for context-aware phishing, 12 Apr, 2019
- North Korean APT(?) and recent Ryuk Ransomware attacks, 10 Jan, 2019
- Emotet Awakens With New Campaign of Mass Email Exfiltration, 31 Oct, 2018