I recently stood up a RDP honeypot consisting of a Windows VM with Wazuh and Sysmon. SecurityOnion is setup to monitor traffic to/from the internet for the honeypot. A UTM device is sitting between the honeypot and the internet to block ports, applications and proxy all traffic. I haven’t setup ssl decryption yet but I’m hoping to do that soon. I also started creating a set of Wazuh rules to add additional detection’s, which can be found here. Using Wazuh, I am able to bring in Sysmon and security event logs into an ELK stack to get numbers on login failures and login successes and a lot more.
In the past, we have seen threat actors brute force RDP credentials in Azure or AWS and then spread ransomware throughout their environment, sometimes affecting on-premises workloads. Using the information from Wazuh, I created a list of IP Addresses that have tried to login to my honeypot at least three times in 48 hours. I figure this list could help protect against a misconfigurations or if there is a requirement to put RDP on the internet. The list of RDP brute forcers can be found here. This list is updated every hour and the IPs in the list have a TTL of 48 hours. Now to the successful authentication(s)…
The First Attacker
I set an easy password for the honeypot hoping I would catch someone logging in and dropping tools or sharing TTPs. After a few days of the RDP honeypot being online I finally saw the first successful authentication, coming from the Netherlands. The attacker dropped a set of tools, and started configuring them, but not before, running a batch script to do a bunch of bad stuff such as: disable Task Manager, disable AV and logging, create an account; and finishing, by removing the batch script. Unfortunately, I was not able to recover the batch file. Here are a couple of the tools that were dropped:
NLBrute
NLBrute is a well-known RDP brute force application that has been sold on forums for years. In this particular case, the attacker dropped version 1.2, which is a very popular cracked version of NLBrute. NLBrute can brute force over 500 IPs at the same time and handle speeds of up to 5 Mbps+, supports non-standard ports, runs on XP and later, support for blank passwords, can minimize to tray, runs passwords and usernames from .txt files and can automatically detect the associated domain. NLBrute can be found on many Russian forums, as well as here. According to VirusTotal, this file was created and first submitted in 2016 and currently has a score of 56/69.
NLBrute has been seen in many ransomware attacks. The attackers break into an organization with a tool like NLBrute and then sell the beachhead to someone else or use their access to spread ransomware or steal data. Here are a few stories related to NLBrute – Sophos Bleepingcomputer SCMagazine SecurityWeek
RDP Recognizer
RDP Recognizer was renamed to svchost. The product name is Penetration test tool.
RDP Recognizer is another tool for RDP bruteforcing. The version that was dropped by this attacker is rather old, newer versions are 2.2+. This tool was not yet configured, whereas NLBrute was setup and ready to go. I assume this was probably a backup tool in-case NLBrute randomly didn’t work. According to VirustTotal, the file was created in 2016 and first submitted 9/28/19. As of 10/6/19, VT currently has 3/70 engines detecting this file.
Masscan
Massscan is an “Internet-scale port scanner,” according to the Massscan GitHub page. Masscan is an extremely fast port scanner; it can scan the entire internet in under 5 minutes. I’m not surprising that an attacker would use Masscan to scan a ton of IPs, to check to see if RDP is listening, and then pass it onto one of the above two programs. Although, I am surprised to find a Masscan GUI, yes, a GUI for Masscan.
The Masscan GUI application was named winupdate.exe and according to VT was created 7/8/19 and first submitted on 7/8/19. The Copyright tag states , which refers to a user on at least one Russian forum. Masscan was configured to write it’s findings to an output file locally, which would then pass to the NLBrute servers file, which includes a list of IPs to brute force.
The Massscan GUI received a detection rate of 43/69. After doing a quick search I was able to locate the creator of this GUI, . The link to the Masscan GUI posting can be found here.
Summary
Is it safe to access RDP over the internet? No. There are plenty of bots trying to brute force RDP servers 24-7 and eventually they will get in. If you must access RDP over the internet please use two factor authentication such as DUO to access your system. Please realize that there are remote code execution vulnerabilities in RDP, including BlueKeep, as well as the last couple MS patch cycles. These are the vulnerabilities we know about and my assumption is that there are plenty we do not know about.
If you need to use RDP, you should VPN back to the network that system is on, and then RDP to it. This decreases the attack surface by only allowing connections from your local network. You can take it a step further, by configuring the OS firewall to only allow connections from your VPN and admin IP ranges. If you must put RDP on the internet or want to proactively block RDP brute forcers use this list as a blocklist in your IPS or firewall.
Well, this was fun and since starting this blog post I’ve had a few other intrusions that look to be fun, more to come!
IOCs
Source IP 185.181.61.40
net localgroup administrators /add
net user administrater Abcd1234! /add
wevtutil.exe cl %one log file at a time% – possibly used this
Hashes