Monthly Archives: September 2016
Worldwide “Crysis” Through Remote Desktop Protocol
Two weeks ago we saw a ransomware attack on a server belonging to a French company. It was a Crysis variant, a ransomware family that appeared earlier this year. We witness thousands of infection attempts by ransomware on a daily basis, but this one caught our attention because the file somehow showed up on the computer when no one was supposed to be using it; in fact, no email clients or Internet browsers were running there.
How did it get into the computer?
Why did the security measures in place allow this file onto the server? That’s what we wanted to find out, so we began an investigation. It turns out that this server is running Remote Desktop Protocol (RDP), and the cybercriminals used a brute-force attack until they guessed the credentials and obtained remote access.
Back to the story—as most users do not have 2FA enabled and passwords are neither complex nor random, it is fairly easy to get into a server with this kind of brute-force attack, using a good dictionary or the most common combinations. This is not a new technique: more than a year ago, I remember a wave that hit Spanish companies with ransomware using exactly the same technique. Cybercriminals usually perform these attacks at night or at weekends, when there are few people in the office, or none at all.
In this case, the attack on the server started on May 16th, when they performed 700 login attempts. These attempts were automated and usually ran for a period of approximately two hours. Most of these attacks have been happening from 1am to 3am, or from 3am to 5am. Each and every day. The number of login attempts varies: for example, on May 18th there were 1,976, while on July 1st there were 1,342.
After almost four months and more than 100,000 login attempts, the attackers were finally able to get into the server and drop the Crysis ransomware.
This is a Worldwide Crysis
This week our colleagues from Trend Micro published an article that warned us about similar attacks happening in Australia and New Zealand that deploy Crysis variants. Unfortunately, we can say that those are not the only countries—this is happening at a worldwide level (at least since May).
Assuming you need to have RDP running and reachable from the Internet, apart from monitoring connection attempts so you learn when you are under attack, you should also enforce complex passwords. The best approach is to implement 2FA, such as an SMS passcode, so that guessing passwords becomes useless.
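The monitoring the post recommends can be automated against the server’s own logon audit trail. The script below is an added example, not code from the original post or from Panda Security: it parses a constructed, simplified export of Windows Security logon events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP), flags source addresses whose failed RDP logons exceed a threshold inside a sliding time window, builds the hour-of-day distribution that would expose the 1am–5am runs described above, and reports any flagged source that subsequently logged on successfully, which is the moment a guessed password worked. The line format, IP addresses and account names are all constructed for the example; a real event export needs its own parser.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (not real log data). Fields loosely follow what a
# Windows Security log exposes for logon events: 4625 = failed logon,
# 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2016-05-16T01:02:11 4625 LogonType=10 Source=198.51.100.7 Account=administrator
2016-05-16T01:02:12 4625 LogonType=10 Source=198.51.100.7 Account=admin
2016-05-16T01:02:13 4625 LogonType=10 Source=198.51.100.7 Account=root
2016-05-16T01:02:14 4625 LogonType=10 Source=198.51.100.7 Account=user
2016-05-16T01:02:15 4625 LogonType=10 Source=198.51.100.7 Account=test
2016-05-16T01:02:16 4625 LogonType=10 Source=198.51.100.7 Account=guest
2016-05-16T01:05:00 4624 LogonType=10 Source=198.51.100.7 Account=administrator
2016-05-16T03:10:00 4625 LogonType=3 Source=192.0.2.22 Account=backup
2016-05-16T09:15:00 4625 LogonType=10 Source=203.0.113.9 Account=jsmith
2016-05-16T09:15:40 4624 LogonType=10 Source=203.0.113.9 Account=jsmith
"""

# Hypothetical one-line-per-event layout used only by this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"Source=(?P<source>\S+) Account=(?P<account>\S+)$"
)


def parse_events(text):
    """Parse the constructed line format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["event_id"]),
            "logon_type": int(m["logon_type"]),
            "source": m["source"],
            "account": m["account"],
        })
    return events


def failed_rdp(events):
    """Only failed logons that arrived over RDP (logon type 10)."""
    return [e for e in events if e["event_id"] == 4625 and e["logon_type"] == 10]


def find_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Sliding-window count of failed RDP logons per source address.

    Returns {source: peak_count} for every source that reaches `threshold`
    failures within any interval of length `window`.
    """
    recent = defaultdict(deque)
    peaks = {}
    for ev in sorted(failed_rdp(events), key=lambda e: e["ts"]):
        q = recent[ev["source"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ev["source"]] = max(peaks.get(ev["source"], 0), len(q))
    return peaks


def hour_histogram(events):
    """Hour-of-day distribution of failed RDP logons, to spot night-time runs."""
    hist = defaultdict(int)
    for ev in failed_rdp(events):
        hist[ev["ts"].hour] += 1
    return dict(hist)


def success_after_burst(events, peaks):
    """(source, account) pairs where a flagged source later logged on over RDP
    successfully: the signal that one of the guessed passwords worked."""
    first_fail = {}
    for ev in failed_rdp(events):
        first_fail[ev["source"]] = min(first_fail.get(ev["source"], ev["ts"]), ev["ts"])
    hits = set()
    for ev in events:
        if (ev["event_id"] == 4624 and ev["logon_type"] == 10
                and ev["source"] in peaks and ev["ts"] > first_fail[ev["source"]]):
            hits.add((ev["source"], ev["account"]))
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    bursts = find_bursts(evs)
    print("burst sources:", bursts)
    print("failed RDP logons by hour:", hour_histogram(evs))
    print("burst followed by success:", success_after_burst(evs, bursts))
```

The window and threshold are deliberately low so the constructed sample trips them; on a real server you would tune them against the normal rate of mistyped passwords, and the burst-then-success check is the one that deserves an immediate alert rather than a daily report.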
We’ll continue to keep you informed with our Tales from Ransomwhere series!
The post Worldwide “Crysis” Through Remote Desktop Protocol appeared first on Panda Security Mediacenter.
Yahoo Confirms 500 Million Accounts Were Hacked by 'State Sponsored' Hackers
500 million accounts — that’s half a billion users!
That’s how many Yahoo accounts were compromised in a massive data breach dating back to 2014 by what was believed to be a “state sponsored” hacking group.
Over a month ago, a hacker was found to be selling login information related to 200 million Yahoo accounts on the Dark Web, although Yahoo acknowledged that the breach was
Oktoberfest: Updates in a Mass or through a straw?
You’d rather not heft a one-liter mug to get your favorite beverage. What about security updates for your device?
The post Oktoberfest: Updates in a Mass or through a straw? appeared first on Avira Blog.
Bugtraq: [security bulletin] HPSBHF03646 rev.1 – HPE Comware 7 (CW7) Network Products running NTP, Multiple Remote Vulnerabilities
Bugtraq: IE11 is not following CORS specification for local files
Bugtraq: Fwd: BT Wifi Extenders – Cross Site Scripting leading to disclosure of PSK
Bugtraq: [SECURITY] [DSA 3673-1] openssl security update
RHEA-2016:1930-1: new packages: kmod-mpt3sas
Red Hat Enterprise Linux: New kmod-mpt3sas packages are now available for Red Hat Enterprise Linux 7.
RHBA-2016:1914-1: gluster-smb bug fix update
Red Hat Enterprise Linux: Updated Samba package that adds one enhancement is now available for Red Hat Gluster Storage 3.1.