Reposify Blog

Remote access channels are one of the preferred attack vectors for criminals trying to obtain access to organizations’ internal networks. Recently, various vulnerabilities in enterprise VPNs were exploited in the wild during attack campaigns by malicious actors and nation-states.

Attacks on exposed remote desktop protocols (RDP) are no news either. Such attacks have been making headlines for several years now. The attack mechanism is grossly known and various exploits are published from time to time, making the exploitation easy.

The unprecedented surge in remote work due to the COVID-19 pandemic has led to an increase in RDP usage. As a side effect of the need to provide remote access quickly and at scale, many RDPs are being misconfigured and left exposed to the internet.

At the time of writing this article, Reposify’s external attack surface management platform has detected more than 4.7 million RDPs that are exposed to the internet and are at risk of potential attacks. On some days there was 127% increase in exposed RDPs.

 When examining the organizations that own the IPs with exposed RDP endpoints, things become clearer. The vast majority of these organizations are well known cloud, virtual, or physical hosting providers where remote access to a Windows machine is a frequent necessity.

This is not surprising that most of the exposed RDPs are hosted in the cloud given the fact that IT teams have much less visibility when it comes to their cloud assets.  Users from various departments within an organization are able to set up RDP instances in the cloud without IT teams’ awareness, something which is unlikely to happen in cases of RDPs in internal networks,where there are firewalls and stricter procedures.

A chronicle of a cyber-attack foretold

It all starts with a RDP which is left exposed to the internet (typically on port 3389). It can be easily detected by hackers using online port scanners in search for unsecured RDP services. Once found, attackers can pick and choose between buying stolen RDP login credentials on darknet marketplaces, leverage an abundance of login brute-forcing tools to crack it open or using known exploits from the wild such as BlueKeep and other vulnerabilities.

Once in, the damages that attackers can cause vary based on their goals but one thing is sure, they can easily gain access to the entire internal network of the target organization.

Microsoft recently published a blog about the PARINACOTA group, which is currently active and typically brute forces its way into servers that have Remote Desktop Protocol exposed to the internet affecting between three to four organizations every week with. Last year approximately 1.5 million exposed Remote Desktop Protocol servers were attacked by a botnet named GoldBrute which also used brute-force methods.

And the cost? a steep one. In 2018, Hancock Health hospital was forced to pay over $50K in ransom to regain access to critical data that was encrypted after the hospital server running RDP services was compromised and used as an entry point into the internal network.

A recent breach-briefing report published by Beazley Group indicates that poorly secured remote desktop protocols are one of the two most common attack vectors through which ransomware is deployed, the other one being phishing emails. This finding is not surprising given the long chain of ransomware discovered in recent years using RDP as the infection vector including SAMSAM, Dharma, Matrix, Bitpaymer, Ryuk, Crysis, Nemty and the newly discovered Nefilim which seems to also be spreading mostly thought exposed RDPs. 

So when the risks are known and the stakes are high, how come so many RDPs are still left exposed to the internet?

There are many reasons which can lead to a RDP becoming exposed to the public internet. In some cases, it may become accessible deliberately as attackers manage to convince unwary users to enable the RDP so that “remote support” can be provided. A more common reason is simply due to the fact that teams fail to properly secure their RDP services against unauthorized access. Here are a few examples that represent the daily reality in the vast majority of organizations:

Misconfigurations

Firewall rules can be created to limit Remote Desktop access for specific IP addresses. However, a simple error in the firewall configuration process can result in a RDP port becoming exposed to the internet. Another example of a configuration step which is not recommended is disabling the network-level authentication. Disabling it can result in the exposure of a RDP login and the risk of becoming vulnerable to BlueKeep.

Skipping White-listing

RDP provides a quick and simple way for employees to access their desktops. Since the IP addresses of remote users change very often, many times, no white-listing of authorized users is done. In some cases, it is not feasible for IT teams to keep manually updating these frequent changes in IP addresses, especially now when most, if not all the employees are connecting from home.

Unknown RDPs

RDPs set up by employees without IT teams’ awareness are another source of unwanted exposure. If Lauren from finance just opened a Remote Desktop Protocol to set up a connection to her work endpoint, IT will most likely have no idea about it. If no GPO was configured then each and every employee could potentially do so.

6  steps for reducing the risks of an attack on RDPs

1. Ensure RDPs are not accessible from the internet. Block external connections to your servers on port 3389 on your organization's firewall.
2. Access to RDP should be available solely via a virtual private network (VPN) and not from the open internet. In addition, the VPN should be protected by multi-factor authentication and users should be encouraged to use complex passwords to reduce the chance of successful brute-force attacks.
3. Apply IP geolocation blocking on your VPNs gateways. IP addresses white-listing, can be added for specific admin users that are allowed to connect via RDP.
4. Enable Network Level Authentication (NLA).
5. If possible, consider placing RDP servers behind a DMZ or other restricted area of the network and limit the number of services which can be reached within the internal network.
6. Change GPOs to define shorter timeouts sessions and the maximum amount of time any single session can be active.

RDP is a useful tool, especially now when the demand for remote access is higher than ever before, but too many organizations are leaving RDP exposed to the internet, making it susceptible to exploitation by malicious actors. It is crucial for organizations to gain visibility into which RDP servers they have running across all environments and whether they comply with the security guidelines.

Want to make sure you have complete visibility of all your organization’s RDPs? Sign up for a free reposify account and get instant visibility into all internet facing assets which are currently exposed. Discover exposed RDPs, unpatched vulnerable VPNs, exposed QA & Dev environments and many more uknonw risks.

Check your exposures now, it's free.

In these days of uncertainty, while many, if not most of us are at home trying to balance working remotely and family life, DevOps, IT & security teams are doubling down on their efforts to provide the technical support needed to ensure business continuity. The task at hand presents a unique challenge which for many organizations is uncharted. 

One of the topics that is currently on every IT team's to-do list is ensuring VPNs are running smoothly and connectivity is scaled up to match the heightened traffic and access requests.  Enterprise VPNs are important as they allow users a secure remote connection into the organization’s internal network thus extending the private network across a public one. In essence, VPNs protect corporate assets and sensitive data from internet exposure, making sure that anyone intercepting the encrypted data will not be able to read it.

 

VPNs are and should be exposed to the internet, but what happens if they themselves become vulnerable? 

If a VPN server is compromised, attackers can easily infiltrate a company’s intranet and carry out a range of activities such as obtaining access to logs and files and executing malicious codes on the network among others. As a result, Enterprise VPN servers are lucrative targets that hackers are going after, and especially now, when so many users are depending on the ability to connect remotely in order to continue performing their work.

 

How easy is it to find exposed vulnerable VPNs on the internet? 

Exposed VPNs can be found with just a few clicks. Attackers use internet scanners to discover VPN servers that run on a vulnerable software version. Once detected, they leverage known vulnerabilities and off the shelf proof-of-concept codes that can be found online. Reposify’s internet scanners detected millions of VPNs servers currently exposed to the internet, of which thousands are unpatched and vulnerable.

 

What kind of VPN vulnerabilities exist out there?

Recently, multiple CVEs were released for several widely used VPN servers. In 2019 and 2020 there were several attacks in which these VPN vulnerabilities were exploited to infiltrate and plant backdoors in companies all over the world. These known vulnerabilities allow an attacker to login into the intranet and retrieve files , logs and cached passwords,  shut down the MFA and could allow remote code execution on the clients connecting to the compromised VPN server.

 

Here is a shortlist of the most recent CVE’s that were released for common VPN types:

Pulse Connect Secure:

• CVE-2019-11510: Pre-auth arbitrary file reading
• CVE-2019-11539: Post-auth command injection

Fortinet:

• CVE-2018-13379: Pre-auth arbitrary file reading
• CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user.
• CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router.

Palo Alto Networks GlobalProtect Portal

• CVE-2019-1579:  Unauthenticated remote attacker to execute arbitrary code.

Citrix NetScaler:

• CVE-2019-19781: Directory Path Traversal leads to RCE

SonicWall VPN: (SonicWall SRA and SMA VPN servers)

• CVE-2019-7481: Blind SQL injection vulnerability which can be exploited remotely.
• CVE-2019-7482: Execute arbitrary commands with nobody privileges on the device.
• CVE-2019-7483: Pre-authentication vulnerability.

How to reduce exposures and vulnerabilities in your VPNs?

The Cybersecurity and Infrastructure Security Agency (CISA) has released several mitigation steps that teams can follow in order to improve their VPNs security: 

1. Ensure the latest software patches are installed on all your VPNs, network infrastructure devices, and other devices being used to remotely access work environments.  
2. If during this review process, you discovered a VPN server that wasn't patched immediately after the release of a CVE, it is recommended to scan your entire internal network for any signs of compromise.
3. If you suspect a VPN server was compromised, reset your authentication credentials associated with the affected VPN and accounts connecting through it.
4. Implement multi-factor authentication (MFA) on all VPN connections to avoid brute force attacks against the login panel. If MFA cannot be implemented, encourage employees to use strong passwords. 
5. Ensure IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications—such as rate limiting—to prioritize users that will require higher bandwidths.
6. Prepare for the need to ramp up the following remote access security tasks: log review, attack detection, and incident response and recovery.

 

 

 

Telegram, the cloud-based instant messaging and voice over IP app, launched in 2013, has over 200 million monthly active users worldwide. The app, which prides itself on delivering enhanced security capabilities including private end-to-end encrypted chats, was quickly adopted for both peer to peer as well as business communication. However, this popular messaging app also has a dark side. Cyber criminals use this as a go-to-market channel for a wide range of shady and illegal activities.

Reposify’s research team discovered that approximately 50% of the Telegram accounts in their data set abused the platform in one way or another.

WHY CRIMINALS LOVE TELEGRAM?

There are 4 main capabilities that make Telegram the preferred alternative to the DarkNet.

1. Messaging Encryption - Complete Anonymity:

Telegram’s private end-to-end encrypted chats allow any user to send and receive notifications and shady offers instantly, while keeping their identity hidden. Telegram is a safe haven for criminal activities when compared to the exposed threads that are seen on criminal web forums on the dark web (which can be taken down by the authorities at any moment). Criminals feel at ease to connect, advertise their offering and share knowledge and compromised information. Illegal trade and hacking are just some examples of the activities that take place on Telegram’s channels and groups.

Entering the Dark Web via the TOR platform requires several steps to ensure an anonymous connection. With Telegram, anyone can search and join channels and groups with just a click of a button and start promoting illegal activities such as selling drugs and stolen credit cards. In addition, Telegram allows users to share files of nearly any type. We found malicious use of that feature by Telegram C2 servers that contained ZIP files with the stolen data from the victim's computer.

3. Bots and Cyber Crime Automation

Telegram bots are a new popular feature allowing third-party apps to run within the platform. Bots enhance the messaging experience and can be set up to carry out specific tasks. Legitimate uses of Telegram bots include automatic file converters, daily weather or horoscope notifications and more. Criminals were quick to leverage these bots for less legitimate purposes and stepped up their game by automating criminal activities while remaining invisible.

4. Fewer Security Concerns

Using Telegram, criminals have less security challenges to worry about since there is no need to register a host and domain or hide from search engines. This eliminates concerns relating to typical security issues that may impact a website such as DDoS style attacks as well as the need to use different methods to hide their website from the authorities.

In our research, we found Telegram Bots that leveraged the app to perform various malicious functions, ranging from command and control servers to bots that “helped” users order tailored escort services.

WHAT TYPE OF CRIMINAL ACTIVITIES GOES ON TELEGRAM?

Terror-related propaganda, fraudulent activities, illicit trade, and cyber crime are just some of the many examples of criminal activities that are taking place via this messaging app.

One specific example is the Masad Stealer malware which is sold as an off-the-shelf solution for cyber crime. This stealer malware is capable of stealing browser data, including saved credentials, login forms, and credit card information. It uses Telegram as a C2 server which leverages Telegram’s Bot API for sending commands and communication. The Masad Stealer sends all of the information it collects and is also able to receive commands from a Telegram bot controlled by the attacker.

How Malware Uses Telegram as C2

The following screenshot shows the malicious network traffic between the malware and the Telegram C2 server that we captured (using Burp):

Malware that uses Telegram as a C2 server uses the Telegram Bot API for sending commands and communication. The following link is an example of the BOT API request that used by malware in the wild: https://api.telegram.org/bot[API_KEY]:[API_HASH]/getMe

As you can see the above request contains the BOT API token which is built from API Key and API Hash and there is also getMe function (highlighted in blue).

The malware is using the getMe function to verify that the command and control server is up and ready to get the stolen data from the victim’s computer. If it is up, the “200 OK” response from the C2 will contain the BOT details (bot id, first name and, username):

 

Once the malware made sure that the C2 is up, it will use the send document Telegram BOT API function to send a ZIP file with the stolen data from the victim’s computer.

How we used Reposify’s proprietary IoT search engine and Yara Rules to hunt for malicious Telegram accounts on the internet

At the core of Reposify’s platform is our ability to scan the entire internet continuously for public IP addresses and automatically identify and classify all services and platforms that are scattered across the web. While we usually use this proprietary technology to help organizations discover, manage and secure their External Attack Surface, we decided to put it to work for additional good causes.

Our head of research, Asaf Aprozper, developed several sophisticated Yara Rules and combined it with Reposify’s internet scanning capabilities to hunt for malicious Telegram accounts on the global web.

Our process included 3 steps, which we will proceed to describe in detail;

Step 1: Creating Yara Rules

Yara Rule #1: Capture Telegram’s Web Page account.

Our task was to write a rule that will enable us to capture Telegram accounts’ web pages. In order to create it, we analyzed the source code of a Telegram web page account. In our research, we found that 

the HTML source code of the “Send Message” button contains the account’s username. By using this we were able to capture the usernames of the Telegram accounts’ web pages.

 

In the case, illustrated in the image to the right, the name of the Telegram account was “ReposifyBot”. This is a snippet of the HTML source code of the above “Send Message” button: <a class="tgme_action_button_new" href="tg://resolve?domain=ReposifyBot">Send Message</a>

Here is how this first Yara rule looks like: (You can find the rule on Github here)

Yara Rule #2: Capture Telegram Links

In addition to capturing Telegram web pages, we wanted to go one step further and hunt for Telegram links as well. Links to malicious Telegram accounts are often shared via legitimate social media apps (e.g YouTube) making it easy, on the one hand, to find but on the other hand, difficult to distinguish from legitimate accounts. This is an example of a link structure for joining a Telegram account: https://t.me/Username

Here is how this second Yara rule looks like: (You can find the rule on Github here)

 

Step 2: Scanning The Internet With Reposify’s Proprietary Scanning Technology

Once we had these 2 rules written, we executed them on Reposify’s database. Within just a few minutes we came up with an extensive list of Telegram accounts.

Step 3: Let The Hunt Begin

Once the list of accounts was ready, we needed to find a way to categorize the accounts and distinguish between real user accounts vs bots and group/channels accounts. To accomplish this we used Telethon and a list of suspicious identifiers. Telethon is a Python 3 library used to interact with Telegram's API as a user or through a bot account.

To compile a list of suspicious identifiers, we used malicious Telegram’s C2 servers that we found in the wild (including open-source frameworks) as well as predefined cyber crime keywords.

The following screenshot is the list of the suspicious identifiers we used. As you can see it contains multiple languages including Arabic, Persian, English and Russian.

 

Based on the above identifiers we created a PoC code and started hunting for malicious Telegram accounts using Telethon and the following logic:

As seen in the chart above, whenever a group or a channel were identified, we leveraged Telethon again to iterate through their entire message history and captured those which matched the suspicious identifiers we defined earlier.

If an account was identified as a bot, we utilized Telethon to automatically send message-commands such as “/start” and “/help”, waited 30 seconds for the output response, analyzed it and captured those which matched for one of the malicious identifiers in their response. When our PoC detected a regular user we skipped it and moved to the next username on the list.

RepoTele

The following is a screenshot of our PoC tool in action. We started by connecting with a Telegram API (that we defined in a CSV config file earlier) and continued with our above diagram. Get the tool here.

Matches

By using this process, we hunted various malicious Telegram bots, groups, and channels such as malicious command and control servers as well as a bot that “helped” users order tailored escort services. We also found black market channels and “closed” hacking groups. Once the hunt was completed we reported to Telegram on all the abusive accounts.

Here are a couple of screenshots of criminal accounts that we hunted and reported.

How Can Organizations Stay Safe on Telegram?

In order to protect your organization from attackers that use Telegram as a C2 channel and find its way out of your network, Reposify’s team recommends blocking the “api.telegram.org” on your firewall or in your other network security systems. This will prevent the victim’s stolen data from reaching the attacker’s Telegram C2 server.

This is it for part one. Stay tuned for part two on how we hunted exposed and malicious Telegram APIs using Reposify and Yara Rules.

Quick Tip - How to overcome Telegram API’s limit

One of the obstacles we ran into during our research is Telegram API’s limit.

 

 

In the last 48 hours we’ve read many publications about WanaCrypt0r which is spreading around the world massively, many malware mutations already use CVE-2017-0143 to their infection mechanism without the kill-switch limitation WannaCrypt0r had.

We’ve decided to provide a live map with infected hosts, if you want to access our data to protect your customers, drop a note.

We are monitoring more than 8.5 million computers with exposed SMB, currently 50K are vulnerable and may be infected in the next hours.