Is Spectrum's modem really bridged?
-
@Fredtx said in Is Spectrum's modem really bridged?:
https://www.bleepingcomputer.com/news/security/new-brrr-dharma-ransomware-variant-released/
From your own source, it makes it clear how Dharma is distributed...
"The Dharma Ransomware family, including this Brrr variant, is manually installed by attackers who hack into Remote Desktop Services connected directly to the Internet. These attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.
There are also underground sites that sell known credentials for publicly accessible computers running remote Remote Desktop Services that attackers can buy."
You are only susceptible to Dharma if you are already hacked elsewhere (creds available for sale) or use an easily guessed password that is susceptible to brute force or don't provide any security to lock down brute force attempts. None of that is "hacked RDP", it's all "guessing passwords." It's the password, not RDP, that is hacked. Any password on a VPN would be susceptible exactly the same.
-
@scottalanmiller said in Is Spectrum's modem really bridged?:
@Fredtx said in Is Spectrum's modem really bridged?:
Define hacked? How would they hack RDP but not a VPN, since RDP has a VPN already. Not that RDP is infallible, but there is no known public vulnerability to its security, and any that it would have would affect many VPNs that share technology with it.
I would say hacking is when an unauthorized user gains access to a computer/network. In this case, there was a successful brute force attack. While I understand there are many other security mistakes that allowed this to happen, the fact is they gained access from a port forwarding rule to the server that someone set up for the customer so they didn't have to use a VPN. Instead the customer used RDP to the external IP with the specified port. Per management, no one is allowed to open ports for RDP on any customer's router. So I'm just trying to find a workaround.
-
@Fredtx said in Is Spectrum's modem really bridged?:
@scottalanmiller said in Is Spectrum's modem really bridged?:
@Fredtx said in Is Spectrum's modem really bridged?:
Define hacked? How would they hack RDP but not a VPN, since RDP has a VPN already. Not that RDP is infallible, but there is no known public vulnerability to its security, and any that it would have would affect many VPNs that share technology with it.
I would say hacking is when an unauthorized user gains access to a computer/network.
Hacking in a loose sense, yes. Hacking of RDP, no. It's hacking of the password. RDP wasn't compromised. That's the key part.
-
@Fredtx said in Is Spectrum's modem really bridged?:
While I understand there are many other security mistakes that allowed this to happen, the fact is they gained access from a port forwarding rule to the server that someone set up for the customer so they didn't have to use a VPN.
This is why it's important how to word it. They DID use a VPN, just not one labeled a VPN. RDP has VPN tech built into it.
And if they had used something labeled a VPN, it would have had a port open and forwarded just the same, and susceptible to the same brute force attack.
So RDP is a red herring here, it has nothing to do with the vulnerability or the hack, it's just coincidental that it was used. It could have been a normal VPN, SSH, a web page or anything that had a weak password and no limit on attempts against it. What was breached was just that someone got the password right, nothing more.
-
@Fredtx said in Is Spectrum's modem really bridged?:
Per management, no one is allowed to open ports for RDP on any customer's router.
This means that management is clueless and is working from "security theater." They don't understand what happened and instead of securing the system are trying to make a show of "changing things" without really securing anything.
The open port, and RDP are in no way an issue. What they are going to do is change which port is open (changing nothing to an attacker) and change which protocol is used (again, changing nothing to the attack) and exposing the system identically again. It's not even plausible deniability. It's just smoke and mirrors thinking whoever they are answering to is clueless and isn't going to really follow up (probably true.)
-
@Fredtx said in Is Spectrum's modem really bridged?:
So I'm just trying to find a workaround.
It's all just words. Do anything and claim to have made the change. Change the port and claim that's done it. It's all just politics at this point, not technical.
They aren't asking you to lock it down or fix the problem. They are looking for a checkbox to show to an auditor of some sort.
The real "problem" here is that all of this is being done, presumably, to hide the fact that there is an actual security problem and they don't want to address it. If someone actually cares about the security, then that discussion needs to take place. If the belief is that this is only politics and has nothing to do with results and security, then just do anything that satisfies the words that they have used.
The real issue is a lack of password policy and a lack of password protection. Moving to a thing with a VPN label will in no way affect that. That's misdirection and a true security auditor should catch that instantly and question why someone would be working so hard to cover up not actually fixing the problem. If this was a financial institution, this situation would warrant a pretty serious sit down and internal audit. In a normal SMB, it's just managers trying to not have to actually do hard work of investigating.
So the question you have to answer for yourself is... are you here to secure the environment to protect against what happened? Or are you here to simply action what you've been told to do and to ignore the problem?
If the former and the goal is actual security, you need to have a sit down, explain how security works, do a post mortem, show where the failure was and address the real problems which have literally nothing to do with port forwarding or RDP.
If the latter is the case, the simplest answer is just throw any VPN on and pretend that that is a magic fix and move on not letting on that you know that nothing has been addressed and it is all just being done to trick someone higher up the food chain who likely will never discover that he was being played - so it's generally completely safe to do this.
Red pill vs blue pill. Only you know what is important in your environment. It's almost certainly the latter, this is how SMBs tend to work. But in some cases, you might know the CEO or owner and know that they truly wanted someone to protect them and you can actually let them know the truth. But if you are insulated from them and you might get in trouble for exposing this kind of thing, just do the VPN and don't worry about it. If the owner cared he'd never let himself get insulated.
-
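An added example, inserted by the editor between the posts and not written by any participant in this thread: the posts above locate the real failure in unlimited password guessing against an exposed service, not in the protocol label. The script below shows the two defender-side checks that follow from that: a sliding-window detector that flags a source address producing a burst of failed logons, and a replay of the same failures against an account lockout policy to show how many guesses actually reach password verification with no lockout versus a threshold. Everything in it is constructed: the log format is a simplified stand-in for the fields an administrator would pull from a failed-logon audit record (timestamp, source address, account), the addresses come from documentation ranges, and the function names and policy values are assumptions chosen for illustration.

```python
"""Password-guessing burst detection and lockout replay.

Added example, not code from any post in this thread. The log format,
addresses, function names and policy values are all constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 20 failures against one account from one source in
# under 40 seconds, plus two spaced-out typos from a second source.
SAMPLE_FAILED_LOGONS = "\n".join(
    [f"2020-01-14T02:00:{2 * i:02d} 203.0.113.7 administrator" for i in range(20)]
    + [
        "2020-01-14T02:03:10 198.51.100.20 jdoe",
        "2020-01-14T02:11:45 198.51.100.20 jdoe",
    ]
)


def parse_failed_logons(text):
    """Parse 'timestamp source_ip account' lines into sorted (ts, ip, account) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, account = line.split()
        events.append((datetime.fromisoformat(ts), ip, account))
    events.sort(key=lambda e: e[0])
    return events


def detect_bursts(events, threshold=10, window=timedelta(minutes=1)):
    """Sliding-window count of failures per source address.

    Returns {source_ip: peak failures seen inside any `window`} for sources
    whose peak reaches `threshold`. A person mistyping a password does not
    produce ten failures a minute; a guessing tool does.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, ip, _ in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that aged out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def replay_lockout(events, lockout_threshold, lockout_duration=timedelta(minutes=15),
                   reset_after=timedelta(minutes=15)):
    """Replay the failures against a Windows-style account lockout policy.

    lockout_threshold=0 models 'no limit on attempts': every guess is
    checked against the real password. With a threshold, the account locks
    after that many failures inside `reset_after`, and further attempts are
    rejected for `lockout_duration` without the password being checked.
    Returns {account: (guesses_checked, guesses_rejected)}.
    """
    state = {}  # account -> (bad_count, last_failure, locked_until)
    outcome = defaultdict(lambda: [0, 0])
    for ts, _, account in events:
        count, last, locked_until = state.get(account, (0, None, None))
        if locked_until is not None and ts < locked_until:
            outcome[account][1] += 1  # rejected outright: the password is never checked
            continue
        if last is not None and ts - last > reset_after:
            count = 0  # the failure counter has aged out
        count += 1
        outcome[account][0] += 1
        locked_until = None
        if lockout_threshold and count >= lockout_threshold:
            locked_until = ts + lockout_duration
            count = 0
        state[account] = (count, ts, locked_until)
    return {account: tuple(v) for account, v in outcome.items()}


if __name__ == "__main__":
    evts = parse_failed_logons(SAMPLE_FAILED_LOGONS)
    print("bursting sources:", detect_bursts(evts))
    for threshold in (0, 5):
        print(f"lockout threshold {threshold}:", replay_lockout(evts, threshold))
```

On the constructed sample the burst detector names only 203.0.113.7, and the replay shows the difference the posts are arguing about: with no lockout all 20 guesses against `administrator` are checked against the real password, while a threshold of 5 lets 5 through and rejects the other 15 unchecked. Neither check cares whether the exposed service is RDP, SSH or a VPN concentrator; the same logic applies to any of them.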
@scottalanmiller said in Is Spectrum's modem really bridged?:
This means that management is clueless and is working from "security theater." They don't understand what happened and instead of securing the system are trying to make a show of "changing things" without really securing anything.
A lot of it is politics and liability reasons. There's a lot of limits of what we "can" and "can't" do when it comes to providing solutions for our customers. One of the reasons why I'm here in this community is to look at things from "outside" the box and hopefully utilize the knowledge I gain from a group of IT professionals and implement it in my current job or somewhere else, wherever the rabbit hole takes me (red pill).
-
@Fredtx said in Is Spectrum's modem really bridged?:
@scottalanmiller said in Is Spectrum's modem really bridged?:
This means that management is clueless and is working from "security theater." They don't understand what happened and instead of securing the system are trying to make a show of "changing things" without really securing anything.
A lot of it is politics and liability reasons. There's a lot of limits of what we "can" and "can't" do when it comes to providing solutions for our customers. One of the reasons why I'm here in this community is to look at things from "outside" the box and hopefully utilize the knowledge I gain from a group of IT professionals and implement it in my current job or somewhere else, wherever the rabbit hole takes me (red pill).
Most companies prioritize politics over profits. It's sad, but the average business is driven by emotion, not "doing business."
-
Scott is of course right in his explanation - but he's glossing over something. Many VPN clients allow you to save that savage password into the VPN client so it never has to be typed again.
So management might not want more complex passwords (or simply longer ones) that the staff (and themselves) have to use. Instead they want to protect the border to the network with the VPN and its client that holds the password. I don't believe the default Windows based RDP client will save the password - not that that alone would solve the problem; again, management likely doesn't want to type in an 18+ char password every time they unlock their computer.
-
@Dashrender said in Is Spectrum's modem really bridged?:
Scott is of course right in his explanation - but he's glossing over something. Many VPN clients allow you to save that savage password into the VPN client so it never has to be typed again.
So management might not want more complex passwords (or simply longer ones) that the staff (and themselves) have to use. Instead they want to protect the border to the network with the VPN and its client that holds the password. I don't believe the default Windows based RDP client will save the password - not that that alone would solve the problem; again, management likely doesn't want to type in an 18+ char password every time they unlock their computer.
But you are comparing a third party "option" vs. a perceived lack of first party option. To make this argument valid, you have to assume that you aren't using a specific VPN or using it in the same way as the RDP. Then you have to assume RDP done with a specific client in a specific way. So it isn't VPNs and RDP that are being compared, but using the full range of options of one, and limiting the other to one assumption.
In the real world, a specific VPN implementation might not allow saving passwords, and RDP most certainly does allow it (I use that feature all of the time.)
There is a false perception here of what a VPN will do and what RDP will do based on how they are "commonly seen", but it's really all myth.
But it is not the VPN or the RDP that creates the artefacts. We are confusing the means with the ends.
-
Even the Windows RDP client does allow saving creds, it's a commonly used setup.
https://www.nextofwindows.com/how-to-save-password-in-a-remote-desktop-connection-in-windows-8
-
@scottalanmiller said in Is Spectrum's modem really bridged?:
Even the Windows RDP client does allow saving creds, it's a commonly used setup.
https://www.nextofwindows.com/how-to-save-password-in-a-remote-desktop-connection-in-windows-8
lol I looked for that, but forgot to click advanced.
Still doesn't solve the problem of using a horrible password (length alone is horrible to some) each time you want to log into your box.
-
@scottalanmiller said in Is Spectrum's modem really bridged?:
@Dashrender said in Is Spectrum's modem really bridged?:
Scott is of course right in his explanation - but he's glossing over something. Many VPN clients allow you to save that savage password into the VPN client so it never has to be typed again.
So management might not want more complex passwords (or simply longer ones) that the staff (and themselves) have to use. Instead they want to protect the border to the network with the VPN and its client that holds the password. I don't believe the default Windows based RDP client will save the password - not that that alone would solve the problem; again, management likely doesn't want to type in an 18+ char password every time they unlock their computer.
But you are comparing a third party "option" vs. a perceived lack of first party option. To make this argument valid, you have to assume that you aren't using a specific VPN or using it in the same way as the RDP. Then you have to assume RDP done with a specific client in a specific way. So it isn't VPNs and RDP that are being compared, but using the full range of options of one, and limiting the other to one assumption.
In the real world, a specific VPN implementation might not allow saving passwords, and RDP most certainly does allow it (I use that feature all of the time.)
There is a false perception here of what a VPN will do and what RDP will do based on how they are "commonly seen", but it's really all myth.
But it is not the VPN or the RDP that creates the artefacts. We are confusing the means with the ends.
Sure - you're absolutely right - sadly... that's a manager's typical playground.
-
@Dashrender said in Is Spectrum's modem really bridged?:
@scottalanmiller said in Is Spectrum's modem really bridged?:
Even the Windows RDP client does allow saving creds, it's a commonly used setup.
https://www.nextofwindows.com/how-to-save-password-in-a-remote-desktop-connection-in-windows-8
lol I looked for that, but forgot to click advanced.
Still doesn't solve the problem of using a horrible password (length alone is horrible to some) each time you want to log into your box.
Sure, but neither does a VPN. You can control the passwords in either case, or you can let the end user use horrible passwords in either case. The VPN doesn't change the basic issue.
-
@scottalanmiller said in Is Spectrum's modem really bridged?:
@Dashrender said in Is Spectrum's modem really bridged?:
@scottalanmiller said in Is Spectrum's modem really bridged?:
Even the Windows RDP client does allow saving creds, it's a commonly used setup.
https://www.nextofwindows.com/how-to-save-password-in-a-remote-desktop-connection-in-windows-8
lol I looked for that, but forgot to click advanced.
Still doesn't solve the problem of using a horrible password (length alone is horrible to some) each time you want to log into your box.
Sure, but neither does a VPN. You can control the passwords in either case, or you can let the end user use horrible passwords in either case. The VPN doesn't change the basic issue.
Sure, and now we're just running in circles.
I did start by saying you are correct.
-
@Dashrender said in Is Spectrum's modem really bridged?:
@scottalanmiller said in Is Spectrum's modem really bridged?:
@Dashrender said in Is Spectrum's modem really bridged?:
@scottalanmiller said in Is Spectrum's modem really bridged?:
Even the Windows RDP client does allow saving creds, it's a commonly used setup.
https://www.nextofwindows.com/how-to-save-password-in-a-remote-desktop-connection-in-windows-8
lol I looked for that, but forgot to click advanced.
Still doesn't solve the problem of using a horrible password (length alone is horrible to some) each time you want to log into your box.
Sure, but neither does a VPN. You can control the passwords in either case, or you can let the end user use horrible passwords in either case. The VPN doesn't change the basic issue.
Sure, and now we're just running in circles.
I did start by saying you are correct.
At the end, VPNs just don't solve those problems. A VPN's benefit is only in having a second mechanism, if it is kept completely decoupled from the original. But it's a poor approach when it is used to cover up a lack of security applied to the core protocol.