BotNet

[Alexander_Kaz 0]

Good day. For a month now, every minute such messages arrive at the admin center. Is there a way to cure this?

[Marcos 5,070]

Unfortunately the columns are too narrow to display the whole record. Most likely the machine is under RDP brute-force attacks. We recommend security RDP, e.g. by using VPN for connections from outside and using RDP only within LAN. If that's not an option, use 2FA for RDP login, set up the account lockout policy, restrict RDP access to specific IP addresses or IP range/subnet on a firewall.

[Alexander_Kaz 0]

14 minutes ago, Marcos said:

Unfortunately the columns are too narrow to display the whole record. Most likely the machine is under RDP brute-force attacks. We recommend security RDP, e.g. by using VPN for connections from outside and using RDP only within LAN. If that's not an option, use 2FA for RDP login, set up the account lockout policy, restrict RDP access to specific IP addresses or IP range/subnet on a firewall.

Yes, this attack by RDP.  Is there any way to find this worm? because he probably is in the system. Or is it just messages and the attack is interrupted?

 

[Marcos 5,070]

Attackers from outside perform brute-force attacks on the machine. The attacks were blocked by ESET. However, we'd recommend taking the appropriate measures as soon as possible and not give the attackers a chance to guess the right password.

[Alexander_Kaz 0]

3 minutes ago, Marcos said:

Attackers from outside perform brute-force attacks on the machine. The attacks were blocked by ESET. However, we'd recommend taking the appropriate measures as soon as possible and not give the attackers a chance to guess the right password.

Of course, the password has been changed. Also port 3389 was replaced with another. This is enough for a while. Then again messages appear that the attack is on and is already on the new port.

[Marcos 5,070]

Changing the default port and password is not enough to prevent attackers from guessing the password unless the password is complex enough.

[K.O. 0]

Quick question. Do you have a more in depth explanation about how these RDP brute forces are handled? We're seeing them as well and ESET reports them as 'blocked'. However, the same IPs keep popping up. How does the blocking mechanism work?

Thanks in advance!

[Marcos 5,070]

I recall that a particular IP address is temporarily blocked for 1 one or until a computer restart. You should block RDP on the gateway, not on workstations.

[Nightowl 202]

1 hour ago, K.O. said:

Quick question. Do you have a more in depth explanation about how these RDP brute forces are handled? We're seeing them as well and ESET reports them as 'blocked'. However, the same IPs keep popping up. How does the blocking mechanism work?

Thanks in advance!

Allow RDP only to specific IP Addresses and then the attempts should stop , because he won't be able to connect again because of your firewall , you can also edit the group policy for account lockout , and make harder password so it will be harder to bruteforce or will take very long time to.

Or as Marcos said , VPN to the network and RDP set to LAN only.

[Aryeh Goretsky 378]

Hello,

ESET has published several articles about the BlueKeep (CVE-2019-0708) vulnerability, which an exploit targeting RDP on older/unpatched versions of Windows.  You can read them on ESET's WeLiveSecurity blog at:

• https://www.welivesecurity.com/2019/11/11/first-bluekeep-attacks-fresh-warnings/
• https://www.welivesecurity.com/2019/08/15/microsoft-warning-wormable-flaws/
• https://www.welivesecurity.com/2019/07/17/bluekeep-patching-progress/
• https://www.welivesecurity.com/2019/06/06/nsa-urging-users-patch-bluekeep/
• https://www.welivesecurity.com/2019/05/22/patch-now-bluekeep-vulnerability/

We may have some additional articles about RDP security in the future (depending, of course, on what happens in the future with things like BlueKeep).

Regards.

Aryeh Goretsky