Cyberon, https://cyberonsecurity.com/: We are specialists in cyber security services. Feed generated Wed, 12 Jun 2019 08:57:08 +0000.

How to setup RD Gateway for Windows Server 2016
https://cyberonsecurity.com/2019/06/11/how-to-setup-rd-gateway-for-windows-server-2016/
Published Tue, 11 Jun 2019 09:47:23 +0000

Quick setup guide for Windows Server 2016:
  1. Join the Windows 2016 server to the Active Directory domain.
  2. Add the Remote Desktop Services role.
  3. Create a Connection Authorization Policy. This policy specifies which groups are allowed to access this Remote Desktop Gateway.
  4. Create a Resource Authorization Policy. This policy specifies which servers are allowed access by which groups.
  5. Purchase an SSL Certificate from a public Certificate Authority like Comodo, DigiCert, Godaddy etc.
  6. Apply the SSL Certificate to the Remote Desktop Gateway.
  7. Accept the default Remote Desktop Gateway TCP Port of 443 or change it to a port of your choosing.
  8. Test the Remote Desktop Connection to a server behind the Remote Desktop Gateway DIRECTLY from the Remote Desktop Gateway server. This is to ensure that there is connectivity from the Remote Desktop Gateway to the servers that clients will need to connect to.
  9. Modify or create your firewall rule to allow the Remote Desktop Gateway port through to the Remote Desktop Gateway server.
  10. Test the Remote Desktop Connection to a server behind the Remote Desktop Gateway from the internet. You need to configure the Remote Desktop client with the Remote Desktop Gateway address and port number.

Configuring the RD Client to use the Remote Desktop Gateway

  1. Verify the external server name or IP address and port of the Remote Desktop Gateway.
  2. Install an SSL certificate on the Remote Desktop Gateway.
  3. IF USING A SELF-SIGNED SSL CERTIFICATE: trust the self-signed certificate on the client. This step is optional on Mac clients but MUST be done on Windows PCs to connect.
  4. Configure the Remote Desktop client on the Mac and/or on Windows.
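The client-side steps above, as an added PowerShell example that is not part of the Cyberon guide: it writes a Remote Desktop (.rdp) file that always goes through the gateway and then handles the self-signed-certificate case from step 3. Gateway name rdg.example.com:443, target app01.domain.local and the exported certificate path C:\temp\rdg.cer are assumptions.

```powershell
# Added example, not part of the Cyberon guide: write a Remote Desktop client
# (.rdp) file that always goes through the gateway, then handle the
# self-signed-certificate case from step 3. Assumed values: gateway
# rdg.example.com on TCP 443, target app01.domain.local, and an exported
# gateway certificate at C:\temp\rdg.cer (only present if self-signed).
$Gateway = 'rdg.example.com:443'    # assumed external name and port of the gateway (step 1)
$Target  = 'app01.domain.local'     # assumed; must match an entry allowed by the gateway's RAP
$RdpFile = Join-Path $env:USERPROFILE 'Desktop\app01-via-gateway.rdp'

# gatewayusagemethod 1 = always use the gateway (2 would bypass it for "local" addresses);
# gatewaycredentialssource 0 = prompt for password; authentication level 1 = refuse to
# connect when the target server cannot be authenticated instead of just warning.
@"
full address:s:$Target
gatewayhostname:s:$Gateway
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
authentication level:i:1
prompt for credentials:i:1
"@ | Set-Content -Path $RdpFile -Encoding ASCII

# Step 3, Windows clients only: a self-signed gateway certificate is rejected until it
# chains to a trusted root, so import the exported public certificate (no private key)
# into the machine's Trusted Root store. Not needed with a public CA certificate.
$SelfSignedCer = 'C:\temp\rdg.cer'   # assumed path of the .cer exported from the gateway
if (Test-Path $SelfSignedCer) {
    $imported = Import-Certificate -FilePath $SelfSignedCer -CertStoreLocation Cert:\LocalMachine\Root
    'Trusted gateway certificate {0} ({1})' -f $imported.Thumbprint, $imported.Subject
}
"Wrote $RdpFile; open it with mstsc.exe to test the connection from outside the network (step 10)."
```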

Also see our guide on how to configure RD Gateway for Windows 2008


How to setup RD Gateway for Windows Server 2008
https://cyberonsecurity.com/2019/06/11/how-to-setup-rd-gateway-for-windows-server-2008/
Published Tue, 11 Jun 2019 09:43:28 +0000

The purpose of an RD Gateway

A Remote Desktop Gateway is the single entry point through which external RDP connections pass to reach the Remote Desktop server. Using an RD Gateway shields the actual Remote Desktop server and limits the attacks and exploits that can be aimed at it. With Remote Desktop Gateway installed, you give your clients the address or DNS name of the gateway server only. You can create groupings of servers and allow only certain Windows users or groups access to particular servers.

How to install the RD Gateway service on a Windows 2008 R2 Server

  1. Install the Remote Desktop Gateway role service via Server Manager. You will need to install the Remote Desktop Services role first.
  2. Once the Remote Desktop Gateway role service is installed, run Remote Desktop Gateway Manager.
  3. Go into the Policies section and create the Connection Authorization Policy. This is where you set up who is allowed to log into the RD Gateway.
  4. Go into the Policies section and create the Resource Authorization Policy. This is where you set up which resources can be accessed via the RD Gateway and by whom. NOTE: the names and IP addresses you enter here are matched literally against what the client types as the computer name in the RD Client. For example, if you put the server name in the Resource Authorization Policy as MYSERVER and the RD Client tries to connect to MYSERVER.domain.local, the connection is refused DESPITE the two names resolving to the same IP address. You cannot even specify a valid IP address unless it is listed as an allowed resource.
  5. Right-click the RD Gateway server name and select Properties. A window comes up where you can fine-tune the properties. The defaults are fine, but you must go into the SSL Certificate tab and install a certificate.
  6. Enable/forward TCP port 443 (the SSL port) on your firewall to the RD Gateway server.
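The gateway-side steps of both guides (the Windows Server 2016 quick setup above and the 2008 R2 steps here: role, CAP, RAP, certificate, connectivity test) as one added PowerShell example that is not part of the Cyberon guides, written for Server 2016 with the RemoteDesktopServices provider. The group RDG-Users@CONTOSO, servers app01/app02 in domain.local, the certificate subject rdg.example.com and the numeric AuthMethod/ComputerGroupType values are assumptions to verify against your provider version.

```powershell
# Added example, not part of the Cyberon guides: scripting the gateway steps
# (role, CAP, RAP, certificate, connectivity test) on Windows Server 2016 with
# the RemoteDesktopServices PowerShell provider. Run elevated on the
# domain-joined gateway. Names below are assumptions for illustration.
Install-WindowsFeature RDS-Gateway -IncludeManagementTools   # Add-WindowsFeature on 2008 R2
Import-Module RemoteDesktopServices

$UserGroup  = 'RDG-Users@CONTOSO'   # assumed AD group, in the provider's Group@NetBIOSDomain form
$Servers    = 'app01', 'app02'      # assumed servers clients may reach through the gateway
$Domain     = 'domain.local'        # assumed internal DNS suffix
$PublicFqdn = 'rdg.example.com'     # assumed subject of the purchased certificate

# Connection Authorization Policy: who may authenticate to the gateway at all.
# AuthMethod 1 = password, 2 = smart card, 3 = either (assumed; check your provider version).
New-Item -Path RDS:\GatewayServer\CAP -Name 'Cyberon-CAP' -UserGroups $UserGroup -AuthMethod 1

# Gateway-managed computer group. The RAP matches the literal name the client
# types (see the NOTE in step 4 above), so register short name, FQDN and IP for
# each server rather than just one spelling.
$Members = foreach ($s in $Servers) {
    $s
    "$s.$Domain"
    (Resolve-DnsName -Name "$s.$Domain" -Type A -ErrorAction SilentlyContinue).IPAddress
}
New-Item -Path RDS:\GatewayServer\GatewayManagedComputerGroups -Name 'RDG-Servers' `
    -Description 'Servers reachable through the gateway' -Computers ($Members | Where-Object { $_ })

# Resource Authorization Policy: which user group may reach which computer group.
# ComputerGroupType 0 = gateway-managed group, 1 = AD group, 2 = any computer (assumed);
# 0 keeps the allow-list explicit instead of exposing every host behind the gateway.
New-Item -Path RDS:\GatewayServer\RAP -Name 'Cyberon-RAP' -UserGroups $UserGroup `
    -ComputerGroupType 0 -ComputerGroup 'RDG-Servers'

# Bind the public CA certificate by thumbprint; the port stays at the default TCP 443.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$PublicFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate with private key for $PublicFqdn in LocalMachine\My" }
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $Cert.Thumbprint

# Test from the gateway itself first: if TCP 3389 to a backend fails here, the
# problem is internal routing or host firewalling, not the CAP/RAP.
foreach ($s in $Servers) {
    $r = Test-NetConnection -ComputerName "$s.$Domain" -Port 3389 -WarningAction SilentlyContinue
    '{0,-30} RDP reachable from gateway: {1}' -f "$s.$Domain", $r.TcpTestSucceeded
}
```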
[Screenshot: RD Gateway Manager SSL certificate settings]

Configuring the local RDP clients

[Screenshots: Remote Desktop client Advanced settings, RDP client steps 1 and 2, and General settings]

Also see our guide on how to configure RD Gateway for Windows 2016


Ransomware attacks via RDP on the rise
https://cyberonsecurity.com/2019/04/23/ransomware-attacks-via-rdp-on-the-rise/
Published Tue, 23 Apr 2019 07:33:25 +0000

Remote Desktop Protocol (RDP)

Remote Desktop Protocol (RDP) is a proprietary network protocol developed by Microsoft in the 1990s. It lets a user log in to a system remotely and control its resources and data, and is widely used as a remote administration tool. It is also used by cyber attackers as a primary attack vector for compromising Windows systems and spreading ransomware.

How you get infected

To establish a Remote Desktop connection a user must authenticate with a username and a password. Weaknesses such as

  • weak passwords,
  • outdated versions of RDP,
  • allowing unlimited login attempts, and
  • allowing unrestricted access to the default RDP port (TCP 3389)

will sooner or later attract cyber attackers.

Attackers also use social engineering techniques such as phishing: a user may be tricked into downloading and opening Office documents with macros enabled, or into installing a trojan.

Threats

  • CryptON, also known as Nemesis or X3M ransomware, targets Windows servers and uses RDP brute-forcing to gain access. After gaining access, the attacker launches the ransomware manually inside the system. It encrypts all file types except those under C:\Windows, C:\Program Files and the user profile folder, so that the system still boots. New versions keep appearing, such as Cry9 (4/4/2017) and Cry128 (5/1/2017).
  • Crisis ransomware uses the same brute-force and dictionary techniques against open RDP ports, as well as malicious spam e-mails and trojans. Once a system is infected, it encrypts all files on fixed, removable and network storage except system files and the ransomware's own files, and modifies registry entries.
  • SamSam ransomware also uses RDP to compromise systems. In July 2018, SamSam threat actors used a brute-force attack on RDP login credentials to infiltrate a healthcare company. The ransomware encrypted thousands of machines before it was detected. [3]
  • Stolen RDP credentials are sold on the dark web.

These criminals then demand a ransom in bitcoin in exchange for decryption, and there is no guarantee that paying it will get your data back.

How to protect your RDP

  • Public IPs of cloud-based instances should not have open RDP ports, especially port 3389. If you must expose RDP, place it behind a firewall and reach it through a Virtual Private Network (VPN) via the firewall.
  • Make sure all your RDP hosts enforce Network Level Authentication (NLA), so attackers cannot get a full Windows GUI session until they present valid credentials.
  • Disable the service if you do not use it [2]; if you do use it, never skip security patches and software updates, and keep the system current so malicious activity can be detected.
  • To defend against brute-force and dictionary attacks, enforce strong passwords, two-factor authentication and account lockout policies.
  • Limit access to specific IPs [4] and change the RDP port [5], so port scanners looking for open RDP ports will not see you.
  • Keep logs of RDP logins and review them regularly.
  • Ensure third parties that require RDP access follow your internal remote-access policies.
  • Do not expose your organization's critical network devices to the public; minimise their exposure as far as possible and never enable RDP on them.
  • Always keep backups of your critical data.
  • You can also use Remote Desktop Gateway (RDG), whose traffic is encrypted with SSL [6]. Implementing a two-factor authentication solution is highly recommended to mitigate brute-forcing, regardless of whether you use RDG or a VPN.
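Several items of the list above (NLA, limiting source IPs, account lockout, reviewing RDP logon failures) as an added PowerShell example for a Windows Server 2016 RDP host; this is not code from the Cyberon post. The trusted subnet 10.0.0.0/24, the lockout threshold of 5 and the 24-hour lookback are assumptions.

```powershell
# Added example, not part of the Cyberon post: apply and check several items of
# the list above on a Windows Server 2016 RDP host (NLA, source-IP restriction,
# account lockout, review of failed logons). Run elevated. Assumed values:
# trusted management subnet 10.0.0.0/24, lockout after 5 failures, 24 h lookback.
$TrustedSources   = '10.0.0.0/24'   # assumed VPN/admin subnet; RDP from anywhere else is dropped
$LockoutThreshold = 5               # assumed; domain policy overrides this local setting
$LookbackHours    = 24

# NLA: UserAuthentication = 1 means credentials are checked before any GUI session exists.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ((Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -ne 1) {
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    'NLA was off; now enforced.'
}

# Limit the built-in Remote Desktop firewall rules from "Any" to the trusted subnet.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $TrustedSources

# Account lockout against brute-force and dictionary attempts (local policy).
net accounts "/lockoutthreshold:$LockoutThreshold" /lockoutduration:30 /lockoutwindow:30

# Review the logs: failed logons (event 4625) of type 10 (RemoteInteractive) or 3
# (Network, which NLA produces for a failed RDP attempt), grouped by source address.
$since  = (Get-Date).AddHours(-$LookbackHours)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Source = $data.IpAddress; User = $data.TargetUserName; LogonType = $data.LogonType }
    } |
    Where-Object { $_.LogonType -in '3', '10' }

$failed | Group-Object Source | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object { '{0,5} failed logons from {1,-16} users: {2}' -f $_.Count, $_.Name,
                     (($_.Group.User | Sort-Object -Unique) -join ', ') }
```

A source address with many failures against many different user names is the brute-force pattern the post describes and is a candidate for blocking at the firewall.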

References

  1. https://www.ic3.gov/media/2018/180927.aspx
  2. https://blog.malwarebytes.com/security-world/business-security-world/2018/08/protect-rdp-access-ransomware-attacks/
  3. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/
  4. https://support.managed.com/kb/a2499/restrict-rdp-access-by-ip-address.aspx
  5. https://tunecomp.net/change-remote-desktop-port-windows-10/
  6. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd983941(v=ws.10)

DAY 4 @ DEFCON 26
https://cyberonsecurity.com/2018/08/15/day-4-defcon-26/
Published Wed, 15 Aug 2018 19:49:09 +0000

Last day of Defcon!

Today was the last day of Defcon and we focused mainly on visiting “villages”. These are smaller and more intimate talks where you are able to get a bit closer to the presenters.

Here are our top pics of the day:

One of the first Village talks was about stalking, specifically on Twitter. The presenter showed how to stalk “indirectly” by following the followers of the stalking victim. By doing this you get all the updates, check-ins and tags automatically without interacting directly. Social media is public by default and following people is usually unrestricted, making the stalking really easy.

Shortly after, we attended a talk regarding social media phishing and how automated tools can be used to collect all pictures and information for specific people. “Social Mapper” is an open-source tool that searches for target accounts on LinkedIn, Facebook, Twitter, Google+, Instagram, VKontakte, Weibo and Douban.

The tool is intended for ethical hacking in penetration testing and red teams/blue teams.

Android has been known for returning malicious apps, and it seems that is for a good reason. The “Man in the Disk” talk showed how easy it is to create a malicious Android app by exploiting the write-to-external-storage function. The malicious app can detect whenever the phone writes to external storage. Then the app can replace the data with whatever you want, as there is no write protection on the storage. This external storage is used to share files between applications or with a PC. Needless to say, inputting malicious data here could be extremely damaging.

The day ended with the Defcon closing ceremony, where among others the CTF winners were announced. The conference keeps growing, with another all-time high attendance of about 25 000 (not confirmed).

We have thoroughly enjoyed this week and are already looking forward to next year's event. They will move the conference to Bally’s to make the sessions a bit closer to each other. This year's talks were split between the Flamingo and Caesars Palace, making it difficult to reach each session as it was a 15-minute walk between the hotels.

See you next year at Bally’s!

DAY 1 @ DEFCON 26
https://cyberonsecurity.com/2018/08/10/day-1-defcon-26/
Published Thu, 09 Aug 2018 23:03:33 +0000

Finally the day arrived and we got to visit DEFCON. It’s been a day we all have been looking forward to; it's finally time for the biggest nerd gathering of the year.

The day started warm. We’ve been having around 43 to 45 degrees Celsius down here, so moving outside has been a bit of a challenge. Queues opened at 6 am this year at Defcon, but wisely enough we waited a couple of hours and got our hands on the precious badges at around 9 just in time for the talks that started at 10.

Two very proud security guys in the picture with their long awaited badges. I am sorry @espen, we’ll get your picture tomorrow ^^

Today had only one track, the 101 track. This is because BlackHat had its final day, which overlaps Defcon’s opening day.

In our first talk, which we would like to mention, we learned a lot about ThinSIM attacks. These are attacks on the ThinSIM feature that resides between the SIM card and the phone processor. It is possible to use exploits and man-in-the-middle attacks to fool a victim. Fun stuff, although really hard to protect against, as security protection is very limited at that stage in the phone connectivity.

We also attended a talk about how to evade surveillance teams. This must have been today’s highlight, with anti-surveillance evasion techniques and real-life demos. Anyone seen the TV show The Americans? Little did I know that this show was actually based on a true story: https://www.theguardian.com/world/2016/may/07/discovered-our-parents-were-russian-spies-tim-alex-foley. Anyway, an awesome presentation there as well.

The day ended with the Defcon 101 n00b panel. Basically an introduction to DEFCON for all the first time n00bs, like us.

Tomorrow will be another fun day with many great presentations, demos and talks lined up.

We’ll post another blog tomorrow with some more updates.
