Last week, the US Department of Homeland Security warned of attackers using remote desktop servers to attack data centers.
"Due to the level of access gained before deploying ransomware, the issue cannot be resolved by simply restoring data from backup," the Cybersecurity and Infrastructure Security Agency said in its announcement.
To further obfuscate their activities, some attackers are writing their malware in Java, a language antivirus software doesn't typically scan for, according to researchers at BlackBerry and KPMG's UK Cyber Response Services.
"They don't see it as an executable file," Claudiu Teodorescu, director of threat hunting and intelligence at BlackBerry, said.
The Java Security Gap
The malware discovered by the BlackBerry and KPMG team, Tycoon, uses a Java image format to spread ransomware to both Window and Linux servers.
"Java uses that format internally to share functionality and share code to be used by developers," Teodorescu told DCK. "It's an internal format that's not very well documented."
This approach shows that the attackers are highly sophisticated, he said, and is the first instance he's seen where malware uses the Java JImage format to create a custom malicious Java Runtime Environment build.
Java is a common platform in enterprises, and many data centers have it on their white lists, allowing these applications to bypass security controls.
The malware was used as part of a sophisticated, targeted attack that was designed to spread to company servers, cripple operations, and generally wreak as much havoc as possible, "so that the company would pay," said Teodorescu.
Earlier versions of this ransomware had a flaw, so researchers were able to release a tool to help victims recover.
Companies could run the decryption tool and get their files back, said Eric Milam, VP of guard services at BlackBerry. But the latest versions of malware have corrected that flaw, and now there's no known way to get the files back, he told DCK.
"Either you have backups to restore from or you have to pay the ransom," he said.
Milam suggested that data center managers not wait for antivirus companies to figure out how to detect Java-based malware.
They should instead upgrade to a more modern endpoint detection and response system, he said.
"Behavioral analysis would catch this attack," he said. "Endpoint detection and response should be able to detect the behaviors executed at the endpoint and prevent them."
For example, the attackers were able to disable anti-malware solutions and change the passwords for Active Directory servers, locking legitimate users out of those systems.
Other Languages Targeted Too
Although BlackBerry and KPMG published their in-depth analysis of this attack earlier this month, the malware has been seen in the wild since at least late last year. So far, the number of victims has been limited.
Just blocking the Java language isn't typically an option, said Marcus Carey, author of "Tribe of Hackers" and enterprise architect at ReliaQuest, a cybersecurity company.
Java is just one of several languages data centers need to operate.
And it's not the only such language hackers are targeting, Carey told DCK. "Recently JavaScript, PowerShell, Python, and even the new Golang programming languages are used to write exploits."
Pandemic Expands Attack Surface
With more employees working at home due to the COVID-19 pandemic, companies are expanding their use of remote access solutions.
And that means not only remote desktop protocol servers, but also virtual network computing servers and commercial remote desktops like Citrix, said Saryu Nayyar, CEO at Gurucul, a cybersecurity vendor.
“These are all tools familiar to data center engineers who already perform many of their administrative functions remotely,” she told DCK. "So it's no surprise that malicious actors have focused more of their efforts towards these targets.”
Sometimes, the rollout of these tools is so urgent that basic security hygiene steps are overlooked. As a result, attackers who get their hands on stolen employee credentials can access the Remote Desktop Protocol servers that run virtual desktops and from there spread to other servers in the data center.
"People are trying to go as quickly as they can, as securely as possible, but when security is hard, it gets removed," said BlackBerry's Milam. "I still think that's a paradigm that we need to get over."
‘Basic Cyber Hygiene’ Applies
To protect against this attack, data center security managers should make sure that multi-factor authentication is enabled on all remote desktop servers.
"This is basic cyber hygiene," Milam said.
With multi-factor authentication, even if attackers had the user names and passwords, they would still not be able to access the accounts.
Second, he said, data centers should have segmentation in place, so that if attackers were able to infiltrate a remote desktop server, they wouldn't be able to spread to the rest of the data center's infrastructure.
Another way to protect remote desktop protocol servers is to monitor for suspicious login attempts, said Erich Kron, security awareness advocate at KnowBe4, a cybersecurity company.
For example, if attackers don't have access to actual login credentials from a particular employee, they might try commonly used passwords in combination with employee email addresses, or try credentials stolen from a different, unrelated breach.
"This technique is remarkably successful because people tend to reuse passwords in multiple places," Kron told DCK.
Data center managers should monitor login attempts, he said, and generate alerts whenever they see signs of a brute force attack, even if the attack occurs over a long stretch of time.
"Attackers know the common ports that remote desktop protocol servers run on and can easily find them on scans or through services such as Shodan," he said.
In addition, he said, data centers should consider having employees connect in via a VPN first.
In general, exposing servers to the internet is a bad idea, because even if all possible security measures are in place, there's no way to defend against brand new zero-day attacks.
