itman 1,659 Posted December 20, 2019 (edited)

Quote

Threat actors breaching company networks are deploying a cornucopia of malware over the remote desktop protocol (RDP), without leaving a trace on target hosts. Cryptocurrency miners, info-stealers, and ransomware are executed in RAM using a remote connection, which also serves for exfiltrating useful information from compromised machines.

Exploiting Windows RDS features

The attackers leveraged a feature in Windows Remote Desktop Services that allows a client to share local drives to a Terminal Server with read and write permissions. These drives appear on the server as a share on a virtual network location called 'tsclient' followed by the letter of the drive and can be mapped locally.

The feature has been around for a long time, and what happens when a user connects to the server and runs an application is properly explained. Access to the resources shared this way is possible through RDP and no trace is left on the client machine's disk as applications execute in memory. When an RDP session terminates, so do associated processes and memory is typically released.

https://www.bleepingcomputer.com/news/security/windows-remote-desktop-services-used-for-fileless-malware-attacks/

Toward the end of the article is the following "tidbit" that brute force attacks are only one of many ways local access can be gained:

Quote

Original point of compromise

From their findings, the researchers could not work out how the attacker gained access to the network in the first place or how they managed to plant 'worker.exe' on the 'tsclient' share. Also a mystery is how the adversary got valid RDP credentials to access a victim host; bruteforcing is one possibility.

It is important to note that professional network intruders that break into the digital perimeter of a company often advertise their access on underground forums. Cybercriminals interested in any of the targets can pay between a few hundred USD to thousands and more for access, or to have their malware dropped. This is a typical scenario for ransomware affiliates who many times partner with such access-as-a-service providers to get to large targets that can be asked to pay a higher ransom to have their files decrypted.

Edited December 20, 2019 by itman
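An added detection example, not from the article or the post above: since the binaries in this scenario are launched straight from the redirected client drive, a process-creation feed (Sysmon Event ID 1 style fields) can be screened for any Image or CommandLine that points at a \\tsclient\<drive> share, including attempts to map that share to a local drive letter. The event records, user names and the 'worker.exe' path are constructed for the demonstration.

```python
import re
from typing import Iterable

# Constructed Sysmon Event ID 1 (process creation) style records; not real telemetry.
# Records 2-4 mirror the scenario in the article: a binary run straight from the
# client's redirected drive, a mapping of that share to a local drive letter, and a
# script started from the share via cmd.exe. Record 5 only mentions the word.
SAMPLE_EVENTS = [
    {"User": r"CORP\alice", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"User": r"CORP\svc_rdp", "Image": r"\\tsclient\C\worker.exe",
     "CommandLine": r"\\tsclient\C\worker.exe"},
    {"User": r"CORP\svc_rdp", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\tsclient\C"},
    {"User": r"CORP\carol", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c \\tsclient\D\tools\run.bat"},
    {"User": r"CORP\dave", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo tsclient"},
]

# Matches \\tsclient\<single drive letter> followed by a path separator, a space,
# a quote or the end of the string (the \b), case-insensitively.
TSCLIENT_RE = re.compile(r"\\\\tsclient\\[a-z]\b", re.IGNORECASE)


def references_tsclient_share(value: str) -> bool:
    """True if the string contains a path on a redirected RDP client drive."""
    return TSCLIENT_RE.search(value) is not None


def find_tsclient_executions(events: Iterable[dict]) -> list[dict]:
    """Return a hit per event whose Image or CommandLine touches \\tsclient\<drive>."""
    hits = []
    for ev in events:
        matched = [f for f in ("Image", "CommandLine")
                   if references_tsclient_share(ev.get(f, ""))]
        if matched:
            hits.append({"User": ev["User"], "Matched": matched,
                         "CommandLine": ev["CommandLine"]})
    return hits


if __name__ == "__main__":
    for hit in find_tsclient_executions(SAMPLE_EVENTS):
        print(f"{hit['User']}: {hit['Matched']} -> {hit['CommandLine']}")
```

If drive redirection is not needed at all, the tighter control is to disable it on the RDS host so the 'tsclient' share never exists; the scan above is the fallback for hosts where it must stay enabled.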