CyberSecurity news

FlagThis - #rdp

@arstechnica.com //
Microsoft is facing scrutiny over a design choice in its Remote Desktop Protocol (RDP) that allows users to log in with old, expired passwords. Security researcher Daniel Wade discovered that Windows RDP accepts previously used passwords, even after they have been changed or revoked. This means that if an attacker or unauthorized user once had access to a system and the password was cached, that old password remains valid for RDP login indefinitely, creating a potential "silent, remote backdoor." Microsoft has acknowledged this behavior, stating it's an intentional design decision to ensure at least one account can always log in, even if the system has been offline for an extended period.

Security experts are raising concerns about the security implications of this feature. David Shipley, head of Beauceron Security, suggests CISOs should reconsider using RDP, calling it a "really risky move." The vulnerability bypasses cloud verification, multifactor authentication (MFA), and Conditional Access policies, leaving systems vulnerable even if protective measures are in place. Analyst Will Dormann emphasizes that administrators expect revoked credentials to be unusable across the board, but this is not the case with RDP.

The discovery comes as Microsoft is actively pushing for a passwordless future. The company has already started defaulting new accounts to passwordless methods using passkeys, aiming to improve security and reduce phishing risks. Existing users can also switch to passwordless options in their account settings. However, the RDP flaw presents a contradictory security risk, as it undermines the trust users place in password changes and creates an avenue for unauthorized access via outdated credentials. Microsoft has stated it currently has no plans to change this behavior in RDP.

References:
  • cybersecuritynews.com: Windows RDP Bug Allows Login With Expired Passwords – Microsoft Confirms No Fix
  • www.csoonline.com: CISOs should re-consider using Microsoft RDP due to password flaw, says expert
  • Davey Winder: Windows Warning — Microsoft Confirms Old Login Passwords Can Still Be Used
  • www.techradar.com: Microsoft RDP apparently lets you log in with expired passwords - and it apparently doesn't have plans to fix the issue

Pierluigi Paganini@Security Affairs //
The North Korean hacking group Kimsuky has been identified as the perpetrator of a new cyber espionage campaign, dubbed "Larva-24005," that exploits a patched Microsoft Remote Desktop Services flaw, commonly known as BlueKeep (CVE-2019-0708), to gain initial access to systems. According to a report from the AhnLab Security Intelligence Center (ASEC), Kimsuky targeted organizations in South Korea and Japan, primarily in the software, energy, and financial sectors, beginning in October 2023. The campaign also extended to other countries, including the United States, China, Germany, and Singapore, indicating a broader global reach.

The attackers used a combination of techniques to infiltrate systems. While RDP vulnerability scanners were found on compromised systems, the report indicates that the actual breaches were not always initiated through the use of these scanners. Instead, Kimsuky leveraged phishing emails containing malicious attachments that exploited the Microsoft Office Equation Editor vulnerability (CVE-2017-11882) to distribute malware. Once inside, the attackers installed a dropper to deploy various malware suites, including MySpy, designed to collect system information, and RDPWrap, a tool that facilitates persistent remote access by modifying system settings.

To further their surveillance capabilities, Kimsuky deployed keyloggers such as KimaLogger and RandomQuery to capture user keystrokes. The group predominantly used ".kr" domains for their Command and Control (C2) operations, employing sophisticated setups to manage traffic routing and potentially evade detection. ASEC's analysis of the attackers' infrastructure revealed a global footprint, with victims identified in countries across Asia, Europe, and North America. The use of both RDP exploits and phishing suggests a versatile approach to compromising target systems, highlighting the importance of both patching vulnerabilities and educating users about phishing tactics.

References:
  • securityaffairs.com: Kimsuky APT exploited BlueKeep RDP flaw in attacks against South Korea and Japan
  • The Hacker News: Kimsuky Exploits BlueKeep RDP Vulnerability to Breach Systems in South Korea and Japan
  • gbhackers.com: The AhnLab Security Intelligence Center (ASEC) has released a detailed analysis of a sophisticated cyber campaign dubbed “Larva-24005,” linked to the notorious North Korean hacking group Kimsuky.
  • securityonline.info: A new cybersecurity report from the AhnLab Security Intelligence Center (ASEC) has shed light on a recently identified
  • ciso2ciso.com: Kimsuky APT exploited BlueKeep RDP flaw in attacks against South Korea and Japan – Source: securityaffairs.com
  • www.csoonline.com: North Korea-backed Kimsuky targets unpatched BlueKeep systems in new campaign
  • www.scworld.com: Attacks with BlueKeep, Microsoft Office exploits launched by Kimsuky-linked group
  • bsky.app: Kimsuky group was observed using RDP to gain initial access and deploy malware in several high-profile breaches.

@www.bleepingcomputer.com //
The North Korean hacking group Kimsuky has been observed using a custom-built RDP Wrapper and proxy tools in recent cyber espionage campaigns. According to reports from the AhnLab Security Intelligence Center (ASEC), these tools enable the group to directly access infected machines and maintain persistent access, representing a shift in tactics from relying solely on noisy backdoors like PebbleDash. The group also utilizes the forceCopy stealer malware.

Kimsuky's attack strategy typically begins with spear-phishing emails containing malicious shortcut (.LNK) files disguised as legitimate documents. When opened, these files execute PowerShell or Mshta scripts to download malware, including the custom RDP Wrapper. This wrapper is designed to bypass security measures by modifying export functions, making it difficult for security tools to detect. The group also uses keyloggers to capture user keystrokes and proxy malware to bypass network restrictions, facilitating remote access to compromised systems even within private networks.


@www.bleepingcomputer.com //
The North Korean hacking group Kimsuky has been observed in recent attacks employing a custom-built RDP Wrapper and proxy tools to directly access infected machines. A new report by AhnLab's ASEC team details additional malware used by Kimsuky in these attacks, highlighting the group's intensified use of modified tools for unauthorized system access. This cyber espionage campaign begins with spear-phishing tactics, distributing malicious shortcut files disguised as legitimate documents to initiate the infection chain.

These files, often disguised as PDFs or Office documents, execute commands via PowerShell or Mshta to download malware such as PebbleDash and the custom RDP Wrapper, enabling remote control of compromised systems. Kimsuky's custom RDP Wrapper, a modified version of an open-source utility, includes export functions designed to evade detection by security software, facilitating stealthy remote access. In environments where direct RDP access is restricted, Kimsuky deploys proxy malware to bypass network barriers, maintaining persistent access and employing keyloggers and information-stealing malware to exfiltrate sensitive data.

References:
  • asec.ahnlab.com: Having previously analyzed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type.
  • cyberpress.org: North Korean Hackers Deploy Custom RDP Wrapper to Hijack Remote Desktop
  • www.bleepingcomputer.com: Kimsuky hackers use new custom RDP wrapper for remote access
  • BleepingComputer: The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines.
  • BleepingComputer: Additional information on the malware used in Kimsuky attacks, including PebbleDash backdoor and custom-made RDP Wrapper.
  • securityonline.info: Kimsuky Group Leverages RDP Wrapper for Persistent Cyber Espionage
  • Cyber Security News: The North Korean cyber espionage group Kimsuky has intensified its use of custom-built tools, including a modified Remote Desktop Protocol (RDP) Wrapper, to gain unauthorized access to targeted systems.
  • Virus Bulletin: Having previously analysed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type.
  • securityaffairs.com: Researchers spotted North Korea’s Kimsuky APT group launching spear-phishing attacks to deliver forceCopy info-stealer malware.
  • ciso2ciso.com: North Korean APT Kimsuky Uses forceCopy Malware to Steal Browser-Stored Credentials – Source: thehackernews.com
  • ciso2ciso.com: Kimsuky APT group used custom RDP Wrapper version and forceCopy stealer – Source: securityaffairs.com
  • Know Your Adversary: Kimsuky Abuses RDP Wrapper in a Recent Campaign