
ransomware attack

  • Administrators
Quote

Eset wasn't "deactivated by an attacker" as such in my case, EEA appears to have been deactivated by the malware

Without logs proving or denying that, one can't tell. What I can tell is that ESET is protected by self-defense, so malware cannot disable ESET without a person's intervention. Basically all cases with ransomware encryption that I've come across were caused by an attacker logging in and pausing or uninstalling ESET prior to running ransomware. That said, in the first place it's important to secure RDP, then set up a password to protect ESET's settings and enable detection of potentially unsafe applications to prevent possible attackers from running tools that could disable security programs.


  • Administrators

Just came across a case when a user was hit by Filecoder.Phobos and asked how come they got infected with ESET installed. After analyzing logs, we found out that:

- the detection for the ransomware was added at least 2 months before the incident
- password protection of ESET's settings was not enabled
- detection of potentially unsafe applications was disabled

We also found out that:
1. A brute-force RDP attack was performed:
- Administrator had 22 377 failed login attempts
- ADMINISTRATOR had 5 438 failed login attempts
- ADMINISTRADOR had 1 102 failed login attempts
- ADMIN had 710 failed login attempts
2. There was a suspicious RDP connection from a foreign country
3. A local user GhostUser had been created recently
4. A legitimate tool that can be misused to kill security software had been installed recently (detected as a pot. unsafe application)
5. Event logs had been cleared recently.

This is proof that just having security software installed is not enough; firstly, RDP must be secured. Secondly, all critical operating system updates must be installed. Thirdly, ESET must be protected with a password and detection of potentially unsafe applications enabled to prevent protection from being tampered with by unauthorized persons.

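As an added illustration (not code from any poster or from ESET), a small Python triage routine that checks a batch of Windows Security event records for the indicators Marcos lists above: failed logons per account name, a source address that kept guessing and then logged in over RDP, a newly created local user, and a cleared audit log. The records are constructed sample data; the field names assume the EventData names Windows uses for events 4625, 4624, 4720 and 1102.

```python
from collections import Counter

# Constructed sample Security-log records (not real telemetry).
# 4625 = failed logon, 4624 = successful logon (LogonType 10 = RDP),
# 4720 = user account created, 1102 = audit log cleared.
SAMPLE_EVENTS = (
    [{"EventID": 4625, "TargetUserName": "Administrator", "IpAddress": "203.0.113.7", "LogonType": 10}] * 300
    + [{"EventID": 4625, "TargetUserName": "ADMINISTRATOR", "IpAddress": "203.0.113.7", "LogonType": 10}] * 120
    + [{"EventID": 4625, "TargetUserName": "ADMIN", "IpAddress": "203.0.113.7", "LogonType": 10}] * 40
    + [{"EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "10.0.0.15", "LogonType": 2}] * 3
    + [{"EventID": 4624, "TargetUserName": "Administrator", "IpAddress": "203.0.113.7", "LogonType": 10},
       {"EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.0.0.15", "LogonType": 2},
       {"EventID": 4720, "TargetUserName": "GhostUser"},
       {"EventID": 1102}]
)

def failed_logons_by_account(events):
    """Count 4625 events per TargetUserName exactly as logged; case variants
    ('Administrator' vs 'ADMINISTRATOR') stay separate, as in the post."""
    return Counter(e["TargetUserName"] for e in events if e["EventID"] == 4625)

def brute_force_sources(events, threshold):
    """Source IPs with at least `threshold` failed logons. Grouping by IP
    catches guessing spread across case-varied or misspelled account names."""
    per_ip = Counter(e.get("IpAddress", "-") for e in events if e["EventID"] == 4625)
    return {ip: n for ip, n in per_ip.items() if n >= threshold}

def rdp_logons_from(events, ips):
    """Successful RDP logons (4624, LogonType 10) originating from suspect IPs."""
    return sorted({(e["TargetUserName"], e["IpAddress"]) for e in events
                   if e["EventID"] == 4624 and e.get("LogonType") == 10 and e.get("IpAddress") in ips})

def triage(events, threshold=100):
    """Summarise the indicators from the post into one findings dict."""
    suspects = brute_force_sources(events, threshold)
    return {
        "failed_by_account": dict(failed_logons_by_account(events).most_common()),
        "brute_force_ips": suspects,
        "rdp_logons_from_bruteforce_ips": rdp_logons_from(events, suspects),
        "accounts_created": [e["TargetUserName"] for e in events if e["EventID"] == 4720],
        "audit_log_cleared": any(e["EventID"] == 1102 for e in events),
    }

if __name__ == "__main__":
    for name, value in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```

On a real host the records would come from the Security log (e.g. exported via `wevtutil` or `Get-WinEvent`); the threshold is a starting point to tune, not a fixed rule.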

26 minutes ago, Marcos said:

This is proof that just having security software installed is not enough; firstly, RDP must be secured. Secondly, all critical operating system updates must be installed. Thirdly, ESET must be protected with a password and detection of potentially unsafe applications enabled to prevent protection from being tampered with by unauthorized persons.

Thanks @Marcos, that's helpful. The only thing I hadn't done with ESET is to set a password to protect settings.

A couple of other things I might do in future:
1) Rename the domain admin account
2) Disable local admin accounts on servers and workstations

Also noted the remark from @itman re limiting the number of logons before lockout.

All of these disasters are a learning experience

Roga


  • Most Valued Members
19 minutes ago, roga said:

Thanks @Marcos, that's helpful. The only thing I hadn't done with ESET is to set a password to protect settings.

A couple of other things I might do in future:
1) Rename the domain admin account
2) Disable local admin accounts on servers and workstations

Also noted the remark from @itman re limiting the number of logons before lockout.

All of these disasters are a learning experience

Roga

Usually it helps to disable the "Administrator" account and make another one with a name other than Administrator... maybe something like spiderman ;)


2 hours ago, roga said:

Also noted the remark from @itman re limiting the number of logons before lockout.

See this posting on how this can be done using Group Policy: https://forum.eset.com/topic/20215-ransomeware-adage/?do=findComment&comment=98416 . This will provide an account unlock after 5 minutes, thereby providing the least user non-use impact while at the same time defeating most RDP brute-force attacks.


9 hours ago, Marcos said:

Because of continual trolling despite giving numerous warnings and complaints from other users, we'll ban Novice as of now.

I for one feel this should be a permanent ban.

His postings were always about either Eset's scores in AV lab tests or "chiming in" on an Eset non-malware detection issue prior to supporting documentation being provided as to the system environment existing at the time of the attack. I can't recollect a single non-negative posting by him where he actually attempted to assist in a problem resolution issue.

What I have observed is a troll that has purchased an Eset license under the belief it will and should allow him to engage in never-ending trolling activities on this forum. Or, he is an individual with some deep-seated grudge against Eset and is compelled to constantly vent his anger in ludicrous forum postings.


3 hours ago, itman said:

I for one feel this should be a permanent ban.

His postings were always about either Eset's scores in AV lab tests or "chiming in" on an Eset non-malware detection issue prior to supporting documentation being provided as to the system environment existing at the time of the attack. I can't recollect a single non-negative posting by him where he actually attempted to assist in a problem resolution issue.

What I have observed is a troll that has purchased an Eset license under the belief it will and should allow him to engage in never-ending trolling activities on this forum. Or, he is an individual with some deep-seated grudge against Eset and is compelled to constantly vent his anger in ludicrous forum postings.

I have faith in Marcos' actions/abilities/judgement. Will this be the last we hear of novice? Probably not...at least under that moniker.

Regards,

Tom

**************************************************************

I like this quote...

"Trolling is a cyber-crime, and if you are caught for it, you cannot run away by saying that it is your opinion" ... Nora Fatehi


1 hour ago, TomFace said:

I have faith in Marcos' actions/abilities/judgement. Will this be the last we hear of novice? Probably not...at least under that moniker.

Yes. Expect the return of @Claudiu. It appears he hasn't been banned; why, I don't know.


10 hours ago, roga said:

Eset wasn't "deactivated by an attacker" as such in my case, EEA appears to have been deactivated by the malware

Here's Eset EEA protections: https://help.eset.com/era_admin/65/en-US/fs_agent_deploy_password_protection.html

How about the attacker initiated a repair? When that was running, I assume the network endpoints are vulnerable? Make sure EEA is also password protected?


Microsoft Ignored RDP Vulnerability Until it Affected Hyper-V

Quote

A vulnerability in Microsoft's Remote Desktop Protocol (RDP) can also be used to escape virtual machines running on Hyper-V, the virtualization technology in Azure and Windows 10.

The bug is a path traversal that leads to remote execution and was reported to Microsoft almost a year ago as affecting only RDP and remained unpatched until recently, when it was discovered that it impacts Microsoft's Hyper-V product.

Initially, Microsoft validated the finding but dismissed a fix motivating that it did "not meet our bar for servicing."

https://www.bleepingcomputer.com/news/security/microsoft-ignored-rdp-vulnerability-until-it-affected-hyper-v/


This topic is now closed to further replies.