Here’s another example of threat actors brute forcing RDP to install ransomware, this time the brute forced system was not using the default RDP port. The threat actors installed ransomware on two machines including a Domain Controller in ~17 minutes.
We saw a Tweet the other day that said “just change RDP to another port and you’re safe”. We couldn’t disagree more…
Timeline of Events (UTC)
7:00 RDP login from 220.127.116.11
7:01 Opens Task Manager (usually to see who else is logged in)
7:03 Drops/runs Network Scanner
7:08 RDPs into a Domain Controller (DC)
7:10 DC – Opens Task Manager
7:10 DC – Drops/runs Network Scanner
7:13 DC – Drops Harma ransomware on the desktop and then runs it
7:17 entry point – Drops Harma ransomware on the desktop and then runs it
Harma is a variant of Dharma (CrySiS) which we wrote about here. There are many similarities between the two including a common pdb path.
The ransom notes also look similar.
Changing the RDP port will not stop threat actors. We consistently get scanned for the RDP protocol on almost every port we open. If you must use RDP over the internet make sure default accounts are disabled and you are using MFA. With that said, we still recommend using VPN or a front end such as VMware View or Citrix Workspace with MFA.
MISP Priv 69099/21ce5f26-43bb-4971-a02d-59b563c4e3ca
RDP login from 18.104.22.168
BPY6A7_payload.exe|56452e0839ef830c904182992aa11691 e94e21979565c2372fc2745f18eec3c64d9cc2da 23a3dfe1493dcda00a3d9a00210793553b629bd77f30c39974c8e1ab0ea51c6f
Persistence – C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\BPY6A7_payload.exe
External Remote Services - T1133
Network Share Discovery - T1135
Data Encrypted for Impact - T1486
Valid Accounts - T1078
Internal case 1001