Please login to post or view tickets

 
RSS Feed
News
Apr
19
SECURITY ADVISORY - RDP Attack Directed at our Network [UPDATE]
Posted by Barry Bahrami on 19 April 2018 11:07 AM
 
[CNS Logon]
 
RE: SECURITY ADVISORY - RDP Attack Directed at our Network [UPDATE]

We have had significant success in fending off this cyberattack.  Please help us protect your VM by installing security  updates and re-randomizing the RDP port in your VM when possible. 

Systems Affected
  • All Windows servers & desktops
Details

CNS began receiving abusive traffic earlier this month, which included attacks on subscriber servers through the randomized RDP port.  Besides a severe drain of resources from the targeted servers, the obvious concern was how did anyone obtain randomized RDP port information?  We immediately began to search for answers and notified you of the attack so you could make sure your server was protected.

We have identified a botnet consisting of nearly 1000 IP addresses working together to continuously scan the network without any one IP address probing too often.  This allowed it to evade automated filters and find ports to target.  After obtaining the (encrypted) RDP port, they then proceeded to brute force attack the server and/or attempt entry through unpatched vulnerabilities.  We have blackholed this botnet and have developed new methods to identify and stop these types of threats before they reach your CNS service.   We are continuing to analyze traffic patterns in order to identify new threats and we are also attempting to work with the respective ISP's to dismantle it completely.


This event is a reminder to always keep your server up to date with the latest security related patches.  A strong password is also ideal.  Please consider installing free two-factor authentication.  To date, we have never seen a 2FA protected service hacked.  It is an excellent way to protect your data.

We have seen only one server hacked during this event.  It had a VERY weak password and was not protected by two-factor authentication.  Please - at a minimum - make sure your passwords are not in any dictionaries and contain both numbers and symbols, such as !@#$.

The fastest way to change your Windows password is from inside the server.  At a command prompt, type:  net user Administrator newpassword

where "newpassword" is the new password.


This will likely be the last update regarding this event.  We will of course reach out again if necessary.  Please do not hesitate to contact CNS Support with any questions or concerns.


Impact:

A remote, unauthorized attacker could drain a VM of resources necessary for applications to run.  They might also gain entry and take complete control.

How to determine if you have been impacted:

Check windows event->security logs for numerous failed login attempts.  


Solution:

We recommend ALL SUBSCRIBERS install pending Microsoft updates AND run the CNS RDP Port Randomizer in your VM as soon as possible. A reboot will be required. After running the RDP Port Randomizer, please download a new RDP shortcut from the CNS Control panel. Simply click "My Products & Services"->"View Details" next to the VM subscription. Scroll down to the RDP Shortcut Creator to create and download your RDP shortcut.

STEPS:

1) Install all pending Windows updates.  Reboot as required and check for updates again until there are no more to install.
2) From inside the VM (DO NOT RUN ON YOUR COMPUTER), download and run the RRDP Port Randomizer from the CNS Helpdesk.  Your VM will reboot after pressing "Go".
3) Login to the CNS Control Panel and download a new RDP shortcut.  This will replace your current RDP shortcut.


For added protection, consider adding two-factor authentication.. CNS provides free two-factor authentication to all subscribers. Please contact CNS Support if you require assistance.


How to Install Windows Updates:

Windows 2008 subscribers will see a blue server with a yellow arrow circling it. Double click to begin the install process and follow the prompts.

Windows 2012 subscribers should click start->control panel->System and security->Check for updates


A reboot will be required to complete the update.  Be sure to confirm all updates are installed by checking again after reboot.

Please do not hesitate to open a support ticket if you require assistance.


What we are doing to protect CNS subscribers:

We notified you early so that you could secure your VM as soon as possible.
We have identified and blackholed a significant and stealthy botnet responsible for this attack.
We have developed new capabilities to better monitor this activity and will continue to perfect them as we further analyze this attack and current traffic patterns.
We have developed and deployed numerous countermeasures with synchronous capabilities to neutralize attacking computers.
We are working with law enforcement to apprehend the attacker(s).


Getting Help:

Thank you for choosing Commercial Network Services. Please let us know if you have any questions or concerns. We are always here to help you. We maintain a ticketing system in order to effectively address and track your support issues. Please login to your Client Area and click "Help Desk" near the top, then click "Submit a Ticket" to send a new support request to our technicians.

NOTE: This message has been digitally signed. For your security, ALL electronic mail sent by CNS is digitally signed. If your eMail client is S/MIME compliant then you will see a digital certificate in the email message. This certificate proves the email was sent to you by CNS. If your email client is not S/MIME compliant, then you will find an attachment smime, which can be safely ignored.

Read more »



Apr
14
SECURITY ADVISORY - RDP Attack Directed at our Network
Posted by Barry Bahrami on 14 April 2018 10:26 AM
 
[CNS Logon]
 
RE: SECURITY ADVISORY - RDP Attack Directed at our Network

Please be advised CNS is currently fending off a cyber-attack attempting intrusion into our hosted servers. This is to alert you to the issue and ask you to help us protect your VM by installing security  updates and re-randomizing the RDP port in your VM as soon as possible.  This advisory also contains information on how to determine if your VM is or has been under attack.

Systems Affected
  • All Windows servers & desktops
Details

CNS is currently fending off a sophisticated cyber-attack attempting intrusion into hosted Windows servers & desktops.  We believe the attackers are executing a vulnerability in unpatched subscriber servers to obtain the randomized RDP port number and user names.  After obtaining the randomized RDP port number and user names, the attackers are then conducting brute force attacks against subscriber VM's.

While strong passwords are probably sufficient to avoid intrusion, the attack itself can quickly drain resources from the targeted VM as it works to authenticate and deny hundreds of login attempts by attacking robots.  This starves subscriber applications of resources and will result in poor performance.  These attacks are difficult to detect because they are conducted in an encrypted session where automated processes can not see them and also they can attempt hundreds of logins in a single connection.

We believe a DoS against our NY datacenter earlier this week was an attempt to divert attention.  This was unsuccessful because of already deployed intrusion prevention systems and the DoS was also quickly mitigated.
 
We are aware of only one subscriber VM that has been compromised.  It was protected with a very weak password and without two-factor authentication installed.  A review of the system found it was being used to commit online fraud.  Please - do not use weak passwords and consider installing free two-factor authentication.

Systems that have been patched regularly are unlikely to be affected.  We will keep you up to date with any important information, which will be sent as it develops.

Please do not hesitate to contact CNS Support with any questions or concerns.


Impact:

A remote, unauthorized attacker could drain a VM of resources necessary for applications to run.  They might also gain entry and take complete control.

How to determine if you have been impacted:

Check windows event->security logs for numerous failed login attempts.  


Solution:

We recommend ALL SUBSCRIBERS install pending Microsoft updates AND run the CNS RDP Port Randomizer in your VM as soon as possible. A reboot will be required. After running the RDP Port Randomizer, please download a new RDP shortcut from the CNS Control panel. Simply click "My Products & Services"->"View Details" next to the VM subscription. Scroll down to the RDP Shortcut Creator to create and download your RDP shortcut.

STEPS:

1) Install all pending Windows updates.  Reboot as required and check for updates again until there are no more to install.
2) From inside the VM (DO NOT RUN ON YOUR COMPUTER), download and run the RRDP Port Randomizer from the CNS Helpdesk.  Your VM will reboot after pressing "Go".
3) Login to the CNS Control Panel and download a new RDP shortcut.  This will replace your current RDP shortcut.


For added protection, consider adding two-factor authentication.. CNS provides free two-factor authentication to all subscribers. Please contact CNS Support if you require assistance.


How to Install Windows Updates:

Windows 2008 subscribers will see a blue server with a yellow arrow circling it. Double click to begin the install process and follow the prompts.

Windows 2012 subscribers should click start->control panel->System and security->Check for updates


A reboot will be required to complete the update.  Be sure to confirm all updates are installed by checking again after reboot.

Please do not hesitate to open a support ticket if you require assistance.


What we are doing to protect CNS subscribers:

We are sending you this alert so that you can secure your VM as soon as possible.
We have developed new capabilities to better monitor this activity and will continue to perfect them as we analyze this attack.
We have developed and deployed numerous countermeasures with synchronous capabilities to neutralize attacking computers.
We are working with law enforcement to apprehend the attacker(s).


Getting Help:

Thank you for choosing Commercial Network Services. Please let us know if you have any questions or concerns. We are always here to help you. We maintain a ticketing system in order to effectively address and track your support issues. Please login to your Client Area and click "Help Desk" near the top, then click "Submit a Ticket" to send a new support request to our technicians.

NOTE: This message has been digitally signed. For your security, ALL electronic mail sent by CNS is digitally signed. If your eMail client is S/MIME compliant then you will see a digital certificate in the email message. This certificate proves the email was sent to you by CNS. If your email client is not S/MIME compliant, then you will find an attachment smime, which can be safely ignored.

 


Read more »




© 2016 Commercial Network Services. All rights reserved.
No content may be reproduced or redistributed without express written permission on CNS letterhead.
Only Commercial Network Services subscribers are authorized to use our content during their subscription period.
Permission to use our content may be revoked at any time, and at the sole discretion of Commercial Network Services.
Some content on this site is © by their respective owners.