Vulnerabilities / Threats

4/17/2012
09:54 AM
Dark Reading

Emsisoft Warns Of A New Windows Servers Threat: Poor Password Policies Open The Gates For Hackers

A hacker group is currently attacking Windows Servers running publicly accessible Remote Desktop and Terminal Services

SALZBURG, Austria, April 16, 2012 /PRNewswire/ -- Emsisoft has been keeping track of a current wave of attacks on Windows Servers - many affected companies and persons from all over the world have come to Emsisoft asking for help.

The attacks are aimed at Windows Servers running publicly accessible Remote Desktop and Terminal Services. The servers are infiltrated via dictionary-based brute-force attacks against several common user names. Servers operated by smaller or one-man companies in particular do not always enforce rigid password policies or IP-restricted access to sensitive services, making them easy prey for the hacker group.

Once the hackers have gained access to the system, they install the ransomware ACCDFISA, which was recently released in its 4th generation. ACCDFISA drops three malicious components on the system; the most dangerous of these is a crypto-malware component installed as a service.

The crypto malware used by ACCDFISA attempts to delete backups on the infected system and uses the popular packer WinRAR to move important files belonging to certain industry software solutions, as well as files with certain file extensions, into encrypted RAR archives. The ransom note is left by the hackers in the form of a screen locker that stops victims from accessing their systems and the installed programs. After 24 hours the initial ransom doubles from US $500 to US $1000, and after another 48 hours the passwords are supposedly deleted from the hackers' records as well. As AES encryption is used, it is rather unlikely that the files can be recovered without the correct password.

Christian Mairoll, CEO of Emsisoft, a Windows security software company, says: "Installed anti-virus or anti-malware software is of little use here. The hackers log onto the server via remote desktop connection. They are interacting with the system as if they were directly sitting in front of the PC. They disable anti-virus software and install the malware. We therefore advise all administrators to only use secure passwords complex enough for remote access."

For more information visit: http://blog.emsisoft.com
