RE: SECURITY ADVISORY - RDP Attack Directed at our Network
Please be advised CNS is currently fending off a cyber-attack attempting intrusion into our hosted servers. This is to alert you to the issue and ask you to help us protect your VM by installing security updates and re-randomizing the RDP port in your VM as soon as possible. This advisory also contains information on how to determine if your VM is or has been under attack.
- All Windows servers & desktops
CNS is currently fending off a sophisticated cyber-attack attempting intrusion into hosted Windows servers & desktops. We believe the attackers are executing a vulnerability in unpatched subscriber servers to obtain the randomized RDP port number and user names. After obtaining the randomized RDP port number and user names, the attackers are then conducting brute force attacks against subscriber VM's.
While strong passwords are probably sufficient to avoid intrusion, the attack itself can quickly drain resources from the targeted VM as it works to authenticate and deny hundreds of login attempts by attacking robots. This starves subscriber applications of resources and will result in poor performance. These attacks are difficult to detect because they are conducted in an encrypted session where automated processes can not see them and also they can attempt hundreds of logins in a single connection.
We believe a DoS against our NY datacenter earlier this week was an attempt to divert attention. This was unsuccessful because of already deployed intrusion prevention systems and the DoS was also quickly mitigated.
We are aware of only one subscriber VM that has been compromised. It was protected with a very weak password and without two-factor authentication installed. A review of the system found it was being used to commit online fraud. Please - do not use weak passwords and consider installing free two-factor authentication.
Systems that have been patched regularly are unlikely to be affected. We will keep you up to date with any important information, which will be sent as it develops.
Please do not hesitate to contact CNS Support with any questions or concerns.
A remote, unauthorized attacker could drain a VM of resources necessary for applications to run. They might also gain entry and take complete control.
How to determine if you have been impacted:
Check windows event->security logs for numerous failed login attempts.
We recommend ALL SUBSCRIBERS install pending Microsoft updates AND run the CNS RDP Port Randomizer in your VM as soon as possible. A reboot will be required. After running the RDP Port Randomizer, please download a new RDP shortcut from the CNS Control panel. Simply click "My Products & Services"->"View Details" next to the VM subscription. Scroll down to the RDP Shortcut Creator to create and download your RDP shortcut.
1) Install all pending Windows updates. Reboot as required and check for updates again until there are no more to install.
2) From inside the VM (DO NOT RUN ON YOUR COMPUTER), download and run the RRDP Port Randomizer from the CNS Helpdesk. Your VM will reboot after pressing "Go".
3) Login to the CNS Control Panel and download a new RDP shortcut. This will replace your current RDP shortcut.
For added protection, consider adding two-factor authentication.. CNS provides free two-factor authentication to all subscribers. Please contact CNS Support if you require assistance.
How to Install Windows Updates:
Windows 2008 subscribers will see a blue server with a yellow arrow circling it. Double click to begin the install process and follow the prompts.
Windows 2012 subscribers should click start->control panel->System and security->Check for updates
A reboot will be required to complete the update. Be sure to confirm all updates are installed by checking again after reboot.
Please do not hesitate to open a support ticket if you require assistance.
What we are doing to protect CNS subscribers:
We are sending you this alert so that you can secure your VM as soon as possible.
We have developed new capabilities to better monitor this activity and will continue to perfect them as we analyze this attack.
We have developed and deployed numerous countermeasures with synchronous capabilities to neutralize attacking computers.
We are working with law enforcement to apprehend the attacker(s).
Thank you for choosing Commercial Network Services. Please let us know if you have any questions or concerns. We are always here to help you. We maintain a ticketing system in order to effectively address and track your support issues. Please login to your Client Area and click "Help Desk" near the top, then click "Submit a Ticket" to send a new support request to our technicians.
NOTE: This message has been digitally signed. For your security, ALL electronic mail sent by CNS is digitally signed. If your eMail client is S/MIME compliant then you will see a digital certificate in the email message. This certificate proves the email was sent to you by CNS. If your email client is not S/MIME compliant, then you will find an attachment smime, which can be safely ignored.