Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 18, 2023
Severity Medium Analysis Summary Lumma is an information stealer that is sold as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Lumma is an information […]September 18, 2023Severity Medium Analysis Summary CVE-2023-4948 CVSS:4.3 WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability […]September 18, 2023Severity High Analysis Summary Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 18, 2023Severity Medium Analysis Summary Lumma is an information stealer that is sold as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Lumma is an information […]September 18, 2023Severity Medium Analysis Summary CVE-2023-4948 CVSS:4.3 WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability […]September 18, 2023Severity High Analysis Summary Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – CVE-2019-3462 – Critical flaw in Linux APT Package Manager could Allow Remote Hack
January 25, 2019Rewterz Threat Advisory – Microsoft Exchange Sever 2013 CU21/ 2019/ 2016 CU11 API call privilege escalation
January 28, 2019
In the Remote Desktop Services component of Microsoft Windows, the Remote Desktop Protocol can be used by attackers to switch from backdoors to using direct RDP sessions for remote access, once they have gained foothold in a compromised system.
Threat actors may use Network tunneling and port forwarding to take advantage of firewall “pinholes” (ports not protected by the firewall that allow an application access to a service on a host in the network protected by the firewall). The pinholes are used to establish a connection with a remote server blocked by a firewall, which is used as a transport mechanism to send or “tunnel” local listening services (located inside the firewall) through the firewall, making them accessible to the remote server (located outside the firewall).
Attackers also use utilities like Plink to create encrypted tunnels that allow RDP ports on infected systems to communicate back to the attacker command and control (C2) server.
communications being sent through the tunnel using port forwarding from the attacker C2 server.
RDP sessions allow lateral movement in an environment, for which native Windows Network Shell (netsh) command can be used to utilize RDP port forwarding as a way to access newly discovered segmented networks reachable only through an administrative jump box.
For example, a threat actor could configure the jump box to listen on an arbitrary port for traffic being sent from a previously compromised system. The traffic would then be forwarded directly through the jump box to any system on the segmented network using any designated port, including the default RDP port TCP 3389. This way, threat actors can spread across allowed network routes.
IMPACT
Network security bypass
REMEDIATION
- Disable the remote desktop service on all end-user workstations and systems for which the service is not required for remote connectivity.
- Enable host-based firewall rules that explicitly deny inbound RDP connections.
- Prevent the use of RDP using local accounts on workstations by enabling the “Deny log on through Remote Desktop Services” security setting.
- Where RDP is required for connectivity, enforce the connection to be initiated from a designated jump box or centralized management server.
- Employ the “Deny log on through Remote Desktop Services” security setting for privileged accounts (e.g. domain administrators) and service accounts, as these types of accounts are commonly used by threat actors to laterally move to sensitive systems in an environment.