RE: SECURITY ADVISORY - RDP Attack Directed at our Network [UPDATE]
We have had significant success in fending off this cyberattack. Please help us protect your VM by installing security updates and re-randomizing the RDP port in your VM when possible.
Systems Affected
- All Windows servers & desktops
Details
CNS began receiving abusive traffic earlier this month, which included attacks on subscriber servers through the randomized RDP port. Besides a severe drain of resources from the targeted servers, the obvious concern was how did anyone obtain randomized RDP port information? We immediately began to search for answers and notified you of the attack so you could make sure your server was protected.
We have identified a botnet consisting of nearly 1000 IP addresses working together to continuously scan the network without any one IP address probing too often. This allowed it to evade automated filters and find ports to target. After obtaining the (encrypted) RDP port, they then proceeded to brute force attack the server and/or attempt entry through unpatched vulnerabilities. We have blackholed this botnet and have developed new methods to identify and stop these types of threats before they reach your CNS service. We are continuing to analyze traffic patterns in order to identify new threats and we are also attempting to work with the respective ISP's to dismantle it completely.
This event is a reminder to always keep your server up to date with the latest security related patches. A strong password is also ideal. Please consider installing free two-factor authentication. To date, we have never seen a 2FA protected service hacked. It is an excellent way to protect your data.
We have seen only one server hacked during this event. It had a VERY weak password and was not protected by two-factor authentication. Please - at a minimum - make sure your passwords are not in any dictionaries and contain both numbers and symbols, such as !@#$.
The fastest way to change your Windows password is from inside the server. At a command prompt, type: net user Administrator newpassword
where "newpassword" is the new password.
This will likely be the last update regarding this event. We will of course reach out again if necessary. Please do not hesitate to contact CNS Support with any questions or concerns.
Impact:
A remote, unauthorized attacker could drain a VM of resources necessary for applications to run. They might also gain entry and take complete control. How to determine if you have been impacted:
Check windows event->security logs for numerous failed login attempts.
Solution: We recommend ALL SUBSCRIBERS install pending Microsoft updates AND run the CNS RDP Port Randomizer in your VM as soon as possible. A reboot will be required. After running the RDP Port Randomizer, please download a new RDP shortcut from the CNS Control panel. Simply click "My Products & Services"->"View Details" next to the VM subscription. Scroll down to the RDP Shortcut Creator to create and download your RDP shortcut. STEPS:
1) Install all pending Windows updates. Reboot as required and check for updates again until there are no more to install. 2) From inside the VM (DO NOT RUN ON YOUR COMPUTER), download and run the RRDP Port Randomizer from the CNS Helpdesk. Your VM will reboot after pressing "Go". 3) Login to the CNS Control Panel and download a new RDP shortcut. This will replace your current RDP shortcut.
For added protection, consider adding two-factor authentication.. CNS provides free two-factor authentication to all subscribers. Please contact CNS Support if you require assistance.
How to Install Windows Updates:
Windows 2008 subscribers will see a blue server with a yellow arrow circling it. Double click to begin the install process and follow the prompts.
Windows 2012 subscribers should click start->control panel->System and security->Check for updates
A reboot will be required to complete the update. Be sure to confirm all updates are installed by checking again after reboot.
Please do not hesitate to open a support ticket if you require assistance.
What we are doing to protect CNS subscribers:
We notified you early so that you could secure your VM as soon as possible. We have identified and blackholed a significant and stealthy botnet responsible for this attack. We have developed new capabilities to better monitor this activity and will continue to perfect them as we further analyze this attack and current traffic patterns. We have developed and deployed numerous countermeasures with synchronous capabilities to neutralize attacking computers. We are working with law enforcement to apprehend the attacker(s).
Getting Help:
Thank you for choosing Commercial Network Services. Please let us know if you have any questions or concerns. We are always here to help you. We maintain a ticketing system in order to effectively address and track your support issues. Please login to your Client Area and click "Help Desk" near the top, then click "Submit a Ticket" to send a new support request to our technicians.
NOTE: This message has been digitally signed. For your security, ALL electronic mail sent by CNS is digitally signed. If your eMail client is S/MIME compliant then you will see a digital certificate in the email message. This certificate proves the email was sent to you by CNS. If your email client is not S/MIME compliant, then you will find an attachment smime, which can be safely ignored. |