Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Random Port Scan for Open RDP Backdoor

Published: 2018-12-16
Last Updated: 2018-12-16 23:59:40 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Over the past several months I have been observing random Remote Desktop Protocol (RDP) activity targeting my honeypot. Back in September, US-Cert [1] issued an alert regarding RDP being actively used and exploited by malicious actors released by the FBI [2].

The default Windows service port for RDP is TCP 3389 and the activity against this service can easily be identified in the packets with "Cookie: mstshash=".

Username Testing

It the past 6 weeks I have observed this activity on its default port including multiples other ports from various sources, testing access using mainly two username (i.e. hello, Administr).

Testing for RDP Service

Obviously this service should not be exposed directly to Internet and if used should be secured appropriately with a strong password and should be monitored for unusual activity. More information is available here to further protect against RDP-based attacks.

[1] https://www.us-cert.gov/ncas/current-activity/2018/09/28/IC3-Issues-Alert-RDP-Exploitation
[2] https://www.ic3.gov/media/2018/180927.aspx

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

De-DOSfuscation Example
Dec 15th 2018
1 day ago by DidierStevens (2 comments)

Bombstortion?? Boomstortion??
Dec 14th 2018
2 days ago by Rick (2 comments)

Phishing Attack Through Non-Delivery Notification
Dec 13th 2018
4 days ago by Xme (0 comments)

Yet Another DOSfuscation Sample
Dec 12th 2018
4 days ago by DidierStevens (0 comments)

Microsoft December 2018 Patch Tuesday
Dec 11th 2018
5 days ago by Richard (0 comments)

View All Diaries →

Latest Discussions

PDF vs. DOCX in phishing mails
created Dec 14th 2018
2 days ago by sciurium (0 replies)

Securing AV/IoT best practice question
created Dec 10th 2018
6 days ago by Anonymous (0 replies)

virtual server design
created Nov 28th 2018
2 weeks ago by Anonymous (0 replies)

Intern needs help
created Nov 23rd 2018
3 weeks ago by Anonymous (0 replies)

CVE Links Are Broken
created Nov 17th 2018
4 weeks ago by George (1 reply)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
1 year ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)