Skip to main content

Posts

Showing posts from January, 2022

Inside a Compromised RDP Server - Bruteforcing Leads to LockBit Ransomware

As people trend towards remote work, IT departments have an ongoing need to provide remote services to end users. Without the use of traditional VPNs, technologies like Remote Desktop, Citrix and VMware are commonly used for remote access. However, they are not always configured in secure ways.  During the height of the pandemic, we setup two servers with Remote Desktop exposed to the Internet and created user "hello" with no password. Obviously, this is not a smart idea, but it does demonstrate what can happen when you have unsecured assets that are available directly on the Internet.  Scenario 1: Network Scanner Resulting in Abuse Complaint A scanning tool was used to scan for other servers listing on port 3389, which resulted in a complaint from Hetzner Online GmbH. The complaint was as follows: Figure 1: Abuse Complaint Received It is good that Hetzner has automated monitoring systems that will send abuse complaints automatically and one step in the right direction to...

Search Update: Support for Defanged IPs

More frequently, we find a need to Fang IP addresses before they can be searched on the site. For those not familiar with the term, check out  IOC Fang: Indicator of Compromise (De)Fanging Project . Here's an easy way to think of it, something with fangs could have a negative impact (e.g. inadvertently clicking a link), versus something that is defanged would not have a negative impact if clicked. A quick breakdown of the concept is as follows: Fanging: 195.54.160[.]149 -> 195.54.160.149 Defanging: 195.54.160.149 -> 195.54.160[.]149 On our backend, indicators are stored in a Fanged format. However, since users will come across indicators on various platforms, there is no guarantee on whether or not the indicator will be Fanged or Defanged. Therefore we have enabled searching for Defanged IP addresses that use square brackets  natively from our homepage.  Please note, the bulksearch and API based lookup methods still only support Fanged IP addresses at the time....