Urgences 24 sur 7 – (888) 287-5858   Connexion au Portail TitanSupport    Contactez-nous      Blogue

With our RDP interception tool, we managed to collect a great deal of information (screen, keyboard, mouse, metadata) about opportunistic attackers, and have it on video. An engineer and a crime data scientist partner to deliver an epic story, presented at BlackHat USA titled “I Watched You Roll the Die: Unparalleled RDP Monitoring Reveal Attackers’ Tradecraft” for the first time, which includes luring, understanding and characterizing attackers, allowing to collectively focus our attention on more sophisticated threats.  

 

The Remote Desktop Protocol (RDP) is a critical attack vector used by evil threat actors including ransomware groups. To study RDP attacks, we created PyRDP, an open-source RDP interception tool with unmatched screen, keyboard, mouse, clipboard and file collection capabilities. You can learn more about our tool in our previous blogs. We then built a honeynet that is composed of several RDP Windows servers exposed on the cloud. We ran them for three years and accumulated over 190 million events, including 100 hours of video footage, 470 files collected from threat actors, and more than 20,000 RDP captures. 

The data collected allowed the study of attackers’ behavior, which was used to classify attackers into different groups. The groups are presented below.

 

Digital fantasy art showcasing a DnD RangerRangers explore all the folders of the computer, check the network and host performance characteristics, run reconnaissance by clicking or by using programs/scripts. No other meaningful actions are undertaken. Our hypothesis is that they are evaluating the system they compromised so that another profile of attacker can come back later. To see a ranger in action, view a recorded session on YouTube.  

 

Digital fantasy art showcasing a DnD ThiefThieves try to monetize the RDP access. After taking control of the computer by changing the credentials to access it, they perform different activities that aim to take advantage of this access. They use tools like traffmonetizer (proxyware), monetized browsers (participating in pay to surf schemes), they install and use cryptominers, download Android emulators (mobile fraud), etc. 

 

 

Digital fantasy art showcasing a DnD BarbarianBarbarians use a large array of tools to brute-force their way into more computers. They leverage the compromised system to attempt compromising other systems by working with lists of IP addresses, usernames and passwords. Here we can see a barbarian using Masscan, a brute-forcing tool.  

 

 

Digital fantasy art showcasing a DnD WizardWizards use the RDP access as a portal to connect to another computer that was compromised in a similar fashion. This strategy is good operational security: they hide their identity via jumps over compromised hosts. To do so, they demonstrate a high level of skill by carefully living off the land. Being able to monitor and see the actions of these attackers is of utmost importance for threat intelligence gathering, enabling defenders and researchers to reach deeper into compromised infrastructure. You can see a wizard in action by following this YouTube link.  

 

Digital fantasy art showcasing a DnD BardBards are individuals with no apparent hacking skills. They access the system to accomplish basic tasks like looking for viruses through a simple Google search or to watch pornography. The evidence shows that they might have bought RDP access from someone who has compromised the system for them, aka Initial Access Brokers (IABs). 

 

Understanding and characterizing attackers allows us to collectively focus our attention on the most popular modus operandi and on the more sophisticated threats. In the next couple of months, we will detail the tools used by the different threat actors in our attackers’ weaponry blog post series. Stay tuned to learn more. 

 

Conclusion 

This presentation demonstrates the tremendous capability in RDP, not only for research benefits, but also for law enforcement and blue teams. Law enforcement could lawfully intercept the RDP environments used by ransomware groups and collect intelligence in recorded sessions for use in investigations. Blue teams for their part can consume the IOCs and roll out their own traps in order to further protect their organization, as this will give them extensive documentation of opportunistic attackers’ tradecraft. Plus, if attackers are scared enough, they will have to change their strategies, and this will influence their attacks’ cost-benefit, leading to a slow down which will ultimately benefit everyone. 

Détection et réponse gérées et étendues GoSecure TitanMC (MXDR)

Détection et réponse gérées et étendues GoSecure TitanMC (MXDR) Fondation

Gestion des vulnérabilités en tant que service GoSecure TitanMC (VMaaS)

Surveillance des événements liés aux informations de sécurité gérée GoSecure TitanMC (SIEM gérée)

Défense du périmètre gérée GoSecure TitanMC (pare-feu)

Détection et réponse des boîtes de messagerie GoSecure TitanMC (IDR)

Passerelle de messagerie sécurisée GoSecure TitanMC (SEG)

Modélisateur de menaces GoSecure TitanMC

Identity GoSecure TitanMC

Plateforme GoSecure TitanMC

Services de sécurité professionnels de GoSecure

Services de réponse aux incidents

Évaluation de la maturité de la sécurité

Services de confidentialité

Services PCI DSS

Services de piratage éthique

Opérations de sécurité

MicrosoftLogo

GoSecure MXDR pour Microsoft

Visibilité et réponse complètes au sein de votre environnement de sécurité Microsoft

CAS D'UTILISATION

Cyberrisques

Mesures de sécurité basées sur les risques

Sociétés de financement par capitaux propres

Prendre des décisions éclairées

Sécurité des données sensibles

Protéger les informations sensibles

Conformité en matière de cybersécurité

Respecter les obligations réglementaires

Cyberassurance

Une stratégie précieuse de gestion des risques

Rançongiciels

Combattre les rançongiciels grâce à une sécurité innovante

Attaques de type « zero-day »

Arrêter les exploits de type « zero-day » grâce à une protection avancée

Consolider, évoluer et prospérer

Prenez de l'avance et gagnez la course avec la Plateforme GoSecure TitanMC.

24/7 MXDR

Détection et réponse sur les terminaux GoSecure TitanMC (EDR)

Antivirus de nouvelle génération GoSecure TitanMC (NGAV)

Surveillance des événements liés aux informations de sécurité GoSecure TitanMC (SIEM)

Détection et réponse des boîtes de messagerie GoSecure TitanMC (IDR)

Intelligence GoSecure TitanMC

Notre SOC

Défense proactive, 24h/24, 7j/7

À PROPOS DE GOSECURE

GoSecure est un leader et un innovateur reconnu en matière de cybersécurité, pionnier de l'intégration de la détection des menaces au niveau des terminaux, du réseau et des courriels en un seul service de détection et réponse gérées et étendues (MXDR). Depuis plus de 20 ans, GoSecure aide ses clients à mieux comprendre leurs failles en matière de sécurité et à améliorer leurs risques organisationnels ainsi que leur maturité en matière de sécurité grâce aux solutions MXDR et aux services professionnels fournis par l'une des équipes les plus fiables et les plus compétentes de l'industrie.

CALENDRIER D’ÉVÉNEMENTS

No upcoming events.

DERNIER COMMUNIQUÉ DE PRESSE

AVIS DE SÉCURITÉ

Urgences 24 sur 7 – (888) 287-5858