{"id":3688,"date":"2019-07-09T21:02:05","date_gmt":"2019-07-10T02:02:05","guid":{"rendered":"http:\/\/toddsingleton.net\/chronicle\/?p=3688"},"modified":"2020-02-08T08:39:36","modified_gmt":"2020-02-08T13:39:36","slug":"vulnerability-port-8443-is-a-ransomware-invitation-close-it","status":"publish","type":"post","link":"https:\/\/toddsingleton.net\/chronicle\/2019\/07\/09\/vulnerability-port-8443-is-a-ransomware-invitation-close-it\/","title":{"rendered":"Details of a ransomware attack and a way to thwart the ransom. Don’t plan to pay. Plan to recover."},"content":{"rendered":"

Here are the basic steps included in\u00a0a ransomware attack and how vulnerable people and ports are used\u00a0to accommodate the attacker.\u00a0\u00a0Conditions must be met.<\/h3>\n
    \n
  1. The attacker relies on stolen credentials.\u00a0 The credentials are harvested\u00a0by viruses delivering malware.\u00a0 Specifically in recent attacks Emotet as the delivery agent for the Trickbot trojan.\u00a0 All too easy with users susceptible to social engineering.<\/li>\n
  2. Trickbot\u00a0moves laterally\u00a0across systems, relying on SMB to navigate the network as it steals passwords, mail files, registry keys and more.\u00a0 It communicates the stolen material back to the bad actor, the Black Hat.<\/li>\n
  3. Next Trickbot might launch the Empire Powershell backdoor and download the Ryuk virus upon the black hat’s command.\u00a0 Armed with harvested credentials, the black hat is now ready to execute Ryuk and encrypt files at will.<\/li>\n
  4. The black hat scans for any vulnerable port of entry on an external interface.<\/li>\n<\/ol>\n

    \u250c\u2500[blackhat@parrot]\u2500[~]<\/span><\/p>\n

    \u2514\u2500\u2500\u257c $nmap -Pn -p 8443\u00a0xxx.123.xxx.456<\/span><\/div>\n
    Starting Nmap 7.70 ( https:\/\/nmap.org ) at 2019-07-09 16:47 EDT<\/span><\/div>\n
    Nmap scan report for system.contoso.com (xxx.123.xxx.456)<\/span><\/div>\n
    Host is up (0.029s latency).<\/span><\/div>\n
    <\/div>\n
    PORT \u00a0 \u00a0 STATE SERVICE<\/span><\/div>\n
    8443\/tcp open \u00a0https-alt<\/span><\/div>\n

    Once a port of entry is found, in this case a very common and vulnerable port used as a remote access interface, the black hat can use the stolen credentials to log in to the network and rely on protocols such as SMB and RDP to access and exploit systems on the network, launching Ryuk to encrypt files on select systems, typically all of them.\u00a0 Azure?\u00a0 Too bad, encrypted.\u00a0 Active directory authenticated AWS?\u00a0 Ouch.ryk, every file owned.\u00a0 Once the damage is found you’ll need to recover.<\/p>\n

    So how can you protect systems and most importantly backups so that rapid recovery<\/span><\/a>, the best\u00a0response\u00a0to a live attack, remains possible?<\/h3>\n