Thursday, 29 June 2017

Cyber Attack Crypto locking



Early one morning this week I sat at my desk and did CTRL ALT DEL to log on to my own machine and, oh, locked out. Who has been trying to get into my PC? I RDP'd in to the domain controller from another machine and reset my account, back to the PC, locked out! Back to the domain controller, unlock it, and back to the PC, locked out! Now enough is enough. I opened the security log on the DC and there it was: something was trying to access my account. Rather than mess about I quickly deleted my user account and recreated it with new credentials. JOB DONE. After a look around it was found that the RDP port was being used to try and access the system using my username. All RDP ports were closed and that was that.

We then noticed that the router/firewall had over 6000 sessions open to one machine. More ports closed, web server reboot and job done.

Next morning, with crypto locking running around my head, I checked the security logs on the DC and there it was: logon failure after logon failure. Usernames in alphabetical order, trying 6 or 7 times every minute, then a new logon name and around we go. Now this is an old 2003 server so it had no up-to-date AV or patches; everything we tried could not stop this. Somewhere on the machine was a Trojan trying to find a way in, or is it out.
No new AV would go on the machine because of the age of the operating system, and no amount of looking could find this thing. Well, what to do: take a spare or slightly used machine, promote it to a DC, and turn the other off and disconnect it from the world. Reboot all the domain machines to pick up the new DNS and DHCP. Job done, two days of HELL.
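The pattern in the security log described above (the same username tried six or seven times, then the next name in alphabetical order) is exactly the kind of thing a short script can flag before anyone has to sit and read the log. The following is an added example and not code from the original post: it parses a simplified, constructed export of logon-failure events (event 529 on Windows 2003, 4625 on later versions; the comma-separated field layout and the sample values are assumptions) and reports the sources that cycle through many usernames.

```python
import re
from collections import defaultdict

# Constructed sample: one line per logon failure in an assumed
# "timestamp,event_id,user,source_ip" layout. Windows 2003 logs a bad
# username/password as event 529; 2008 and later use 4625.
def build_sample():
    lines, t = [], 0
    for user in ["aaron", "abbie", "adam", "alan", "amy"]:
        for _ in range(6):  # six tries per name, then move on to the next
            lines.append(f"2017-06-27 06:{t // 60:02d}:{t % 60:02d},529,{user},192.0.2.10")
            t += 10
    # one mistyped password from a normal workstation: must not be flagged
    lines.append("2017-06-27 06:05:00,529,joeb,10.0.0.7")
    return lines

LINE_RE = re.compile(r"^(\S+ \S+),(\d+),([^,]+),(\S+)$")
FAILURE_EVENTS = {"529", "4625"}

def parse(lines):
    """Return (timestamp, user, source_ip) for each logon-failure line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(2) in FAILURE_EVENTS:
            events.append((m.group(1), m.group(3), m.group(4)))
    return events

def find_spraying_sources(events, min_failures=20, min_users=4):
    """Flag sources with many failures spread over many usernames.
    'alphabetical' is True when the distinct names arrive in sorted order,
    the signature of a wordlist being walked from A to Z."""
    by_src = defaultdict(list)
    for _ts, user, src in events:
        by_src[src].append(user)  # list order = order seen in the log
    hits = {}
    for src, users in by_src.items():
        if len(users) < min_failures or len(set(users)) < min_users:
            continue
        # collapse consecutive repeats so "aaron x6, abbie x6" -> [aaron, abbie]
        order = [u for i, u in enumerate(users) if i == 0 or users[i - 1] != u]
        hits[src] = {
            "failures": len(users),
            "users": len(set(users)),
            "per_user": len(users) / len(set(users)),
            "alphabetical": order == sorted(order),
        }
    return hits
```

On the constructed sample this flags 192.0.2.10 (30 failures, 5 names, 6 tries each, alphabetical) and ignores the single failure from 10.0.0.7; on a real export the thresholds would be tuned to the site's normal rate of mistyped passwords.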

WHY US

  1. Old unpatched operating system.
  2. No anti-virus because none is available for the old machine.
  3. Lack of firewall security: got one, not configured properly.
  4. Lack of security full stop.
The moral of this
Listen to the experts: we should have had up-to-date operating systems, fully patched, the best AV, and only approved web sites allowed. Having watched the usernames that were being used to try to access the system, tougher usernames need to be used, i.e. joe.bloggs not just joeb.

You must be able to sell the security of your servers and data to the person that holds the purse strings, because without them you are not patched and naked.

We got away with it this time and there will not be a next time.
