A cloud services provider headquartered in the Washington D.C. metro area served an end customer with EventTracker SIEM who had installed traditional anti-virus software and implemented six firewalls as well as 25 servers and workstations across their three office locations.

Open RDP (Remote Desktop Protocol) ports are undesirable but often a convenience for the MSP to remotely log in and manage Windows endpoints. Basic password hygiene is in place to protect these open ports.

The EventTracker SOC (Security Operations Center) observed the execution of a new EXE which in turn launches PowerShell commands and connects to an IP address with a poor reputation.
The process was confirmed as malware by VirusTotal. Sadly, this malware is not detected by many well-known anti-virus products. Left unchecked, this malware scans for open RDP ports and brute forces its way in. It encrypts files, appending .fox to the file name. For persistence, the malware disables startup repair, deletes volume snapshots, and schedules itself. It also communicates extensively with C&C (Command & Control) devices.
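Added example, not code from the case study or from EventTracker: a small Python detector that turns the behaviours described above into SIEM-style rules and runs them over constructed Windows event records. Hostnames, source addresses, rule names and the vssadmin/bcdedit/schtasks command forms are assumptions; the case names no specific commands.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the case): simplified Windows process-creation
# (4688) and failed-logon (4625) events as a SIEM might export them. The vssadmin,
# bcdedit and schtasks command forms are assumptions; the case names no commands.
SAMPLE_EVENTS = [
    *({"id": 4625, "host": "WS07", "src_ip": "203.0.113.9", "logon_type": 10} for _ in range(6)),
    {"id": 4625, "host": "WS07", "src_ip": "192.0.2.15", "logon_type": 10},
    {"id": 4688, "host": "WS07", "parent": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"id": 4688, "host": "WS07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 4688, "host": "WS07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"id": 4688, "host": "WS07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"id": 4688, "host": "SRV01", "parent": r"C:\Windows\explorer.exe",  # benign admin use
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe Get-Service"},
]

# One predicate per behaviour from the case, each evaluated on a single 4688 event.
PROCESS_RULES = {
    "powershell_from_non_system_parent": lambda e: e["image"].lower().endswith("powershell.exe")
        and not e["parent"].lower().startswith("c:\\windows\\"),
    "shadow_copy_deletion": lambda e: re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", e["cmdline"], re.I),
    "startup_repair_disabled": lambda e: re.search(r"bcdedit.*recoveryenabled\s+no", e["cmdline"], re.I),
    "scheduled_task_created": lambda e: re.search(r"schtasks(\.exe)?\s+/create", e["cmdline"], re.I),
}

def analyze(events, rdp_failure_threshold=5):
    """Return {host: sorted rule names}. RDP brute force is a threshold rule over
    failed logons of type 10 (RemoteInteractive, i.e. RDP) from one source address."""
    findings, rdp_failures = defaultdict(set), defaultdict(int)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            rdp_failures[(e["host"], e["src_ip"])] += 1
        elif e["id"] == 4688:
            findings[e["host"]].update(n for n, rule in PROCESS_RULES.items() if rule(e))
    for (host, src_ip), n in rdp_failures.items():
        if n >= rdp_failure_threshold:
            findings[host].add(f"rdp_brute_force_from_{src_ip}")
    return {h: sorted(f) for h, f in findings.items() if f}

def hosts_to_quarantine(events, min_rules=3):
    """Hosts showing several independent behaviours at once: the pattern the SOC escalated."""
    return sorted(h for h, f in analyze(events).items() if len(f) >= min_rules)
```

A single rule firing (PowerShell launched by an admin from Explorer on SRV01) produces no finding; the host where several behaviours coincide is the one to escalate.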
The EventTracker SOC promptly alerted the MSP to quarantine the machine and re-image it. It is important to close RDP ports as they can be used to attack a machine remotely.

Open RDP ports are a convenience for MSPs. However, convenience is the enemy of security.