Author Topic: RDP Brute Force Attacks on my PC - caused monitors to flash black  (Read 2290 times)


Offline Bicurico

  • Frequent Contributor
  • **
  • Posts: 991
  • Country: pt
    • VMA's Satellite Blog
RDP Brute Force Attacks on my PC - caused monitors to flash black
« on: September 15, 2019, 12:16:24 am »
Hi,

I am describing this, just in case someone is suffering from the same.

It started some weeks (months) ago with my monitors flashing briefly occasionally. It is as if the screen went black for a fraction of a second. Otherwise all was working. Just this annoying flash.

It got worse with time and tonight I decided to tackle the problem.

My PC has 3 monitors attached (via HDMI, DVI and VGA), using an Asus GeForce GTX660 graphics card.

I tried this:

1) Update the driver. No effect.
2) Turned on each monitor, then using only one monitor at a time. No effect.
3) Rebooted. No effect.
4) Unplugged the PC (a lot of work, as it is crammed with cards and has a ton of cables attached - under the table). Plugged it into a totally different monitor with a different cable. No effect.
5) Replaced the graphics card with a Nvidia Quadro. No effect. STRANGE!!! At this point I thought that the GTX660 was broken.
6) Thought it might be due to hot weather and PC getting too hot. Rearranged the cards so that the GPU would have better airflow. No effect.
7) Put back PC in its place under the table, connected all cables, while wife was complaining about the noise... Still no effect.
8) Considered reinstalling the whole Windows HDD, but was not into that. So I did a reboot into Safe Mode with Network. Strange: apparently the problem was fixed here. Must be a software issue?
9) Spent ages killing processes and stopping services. No effect.
10) Had finally a good idea: looked at the Event Log of Windows. There was a strange entry (cnvwmi service_control_sessionchange). Looked it up and got some hints it might have to do with RDP? WHAT??? That cannot be. Can it? Could this be someone trying to RDP to my computer and doing a brute force password attack? Disabled the network and guess what: the flashing was gone!
11) Activated network and flashing was back. Every 1-5 seconds the monitors would flash briefly (black). So I went to my router settings and disabled the RDP forwarding to my computer. Problem solved.

So: there are ASSHOLES trying to do brute force attacks on all IPs that offer RDP and this causes the screen to flicker/flash due to the way Microsoft implemented the login routine.

The debate is not how secure my password is - apparently it is good enough to not have been hacked.

The thing is: how do you guys get into your computers remotely over the internet? I use that A LOT.

Kind of sucks having to turn off RDP. Can I change the port number to something exotic? If so, how? --> https://tunecomp.net/change-remote-desktop-port-windows-10/

Just found this: https://www.zdnet.com/article/a-botnet-is-brute-forcing-over-1-5-million-rdp-servers-all-over-the-world/

Regards,
Vitor
« Last Edit: September 15, 2019, 12:20:16 am by Bicurico »
 
The following users thanked this post: 3roomlab

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 6393
  • Country: gb
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #1 on: September 15, 2019, 12:20:13 am »
Don't expose RDP...

Just use a VPN.
 
The following users thanked this post: amyk, janoc, bitwelder, Red Squirrel, Kilrah, Mr. Scram

Offline Bicurico

  • Frequent Contributor
  • **
  • Posts: 991
  • Country: pt
    • VMA's Satellite Blog
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #2 on: September 15, 2019, 12:26:11 am »
Considering the same level of password strength, what is the difference of using VPN over RDP, when we are talking about automated brute force attacks against IP's which offer these services?

Thanks,
Vitor

Offline Dundarave

  • Regular Contributor
  • *
  • Posts: 113
  • Country: ca
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #3 on: September 15, 2019, 12:41:17 am »
Changing the RDP port number is a trivial but effective way of minimizing RDP attacks:  there are like ~63k port number choices (staying out of the under-1k range), so choosing one of them makes it more likely that an RDP brute force bot will just move on to the next IP address. 
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 6393
  • Country: gb
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #4 on: September 15, 2019, 12:46:03 am »
Quote
Considering the same level of password strength, what is the difference of using VPN over RDP, when we are talking about automated brute force attacks against IP's which offer these services?

Thanks,
Vitor

Your password does not measure up to a proper key exchange, so don't use passwords. And, well, you'll no longer have an RDP service exposed which can cause you problems when people attempt, successfully or otherwise, to attack it.
 

Offline Red Squirrel

  • Super Contributor
  • ***
  • Posts: 2459
  • Country: ca
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #5 on: September 15, 2019, 02:00:10 am »
Don't expose RDP to the internet. At the very least set up an SSH gateway so you can use an SSH tunnel, or VPN. Make sure you have fail2ban set up to block brute force attempts on SSH or VPN. Though TBH I don't feel comfortable exposing VPN either as it's a very complex protocol making it more plausible to have exploits that can be attacked. Remember Heartbleed? Though one thing you can do is set up an HTTPS web page with an authentication app, you put in credentials, then it would open up the VPN port for your IP for a time frame like 12 hours. Then you VPN in as normal. Been wanting to look into this myself for my house but have not gotten around to it yet. Just adds an extra layer of security.
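
The per-source counting that fail2ban-style blocking relies on, applied to Windows failed-logon events (Security event 4625), which is also a way to confirm the guess made in the first post. This is an added example, not code from any poster in the thread; the function names, the threshold of 5 failures within one minute and the sample records (documentation addresses) are assumptions.

```powershell
# Added example (not from the thread). Groups failed logons by source address
# and reports sources whose failures exceed a threshold inside a sliding window.

function ConvertFrom-FailedLogonEvent {
    # Flattens a live event 4625 into the record shape Find-LogonBurst expects.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time      = $Record.TimeCreated
            Source    = $data['IpAddress']
            User      = $data['TargetUserName']
            LogonType = [int]$data['LogonType']   # 10 = RDP without NLA, 3 = network logon (RDP with NLA)
        }
    }
}

function Find-LogonBurst {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$Threshold = 5,                 # assumed value, tune for your environment
        [timespan]$Window = '00:01:00'       # assumed value
    )
    # Local failures carry '-' or an empty address; they are not remote attempts.
    $remote = $Records | Where-Object { $_.Source -and $_.Source -ne '-' }
    foreach ($group in ($remote | Group-Object Source)) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $start = 0
        $peak  = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Shrink the window from the left until it spans at most $Window.
            while (($times[$end] - $times[$start]) -gt $Window) { $start++ }
            $peak = [Math]::Max($peak, $end - $start + 1)
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{
                Source        = $group.Name
                TotalFailures = $group.Count
                PeakInWindow  = $peak
                DistinctUsers = @($group.Group.User | Sort-Object -Unique).Count
            }
        }
    }
}

# Constructed sample: one source failing every 3 seconds with changing user names,
# and one isolated failure from another address.
$t0 = Get-Date '2019-09-15T00:00:00'
$sample = @(
    0..9 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddSeconds(3 * $_); Source = '203.0.113.7'; User = "admin$_"; LogonType = 10 }
    }
    [pscustomobject]@{ Time = $t0.AddMinutes(5); Source = '192.0.2.10'; User = 'user1'; LogonType = 10 }
)
Find-LogonBurst -Records $sample

# Live use, from an elevated prompt on the RDP host:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 2000 |
#         ConvertFrom-FailedLogonEvent
# Find-LogonBurst -Records $live
```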
 

Offline DimitriP

  • Super Contributor
  • ***
  • Posts: 1118
  • Country: us
  • "Best practices" are best not practiced.© Dimitri
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #6 on: September 15, 2019, 02:14:34 am »
Quote
CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability
Security Vulnerability
Published: 05/14/2019
MITRE CVE-2019-0708
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.


Patch was released for supported AND unsupported (XP and Server 2003) Windows systems.

https://msrc-blog.microsoft.com/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708
   If three 100  Ohm resistors are connected in parallel, and in series with a 200 Ohm resistor, how many resistors do you have? 
 

Online OwO

  • Super Contributor
  • ***
  • Posts: 1130
  • Country: cn
  • RF Engineer @ OwOComm. Discord: スメグマ#2236
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #7 on: September 15, 2019, 02:56:44 am »
There are remote code execution exploits in RDP and SMB ALL THE TIME. There's a reason people recommend having a firewall, and if you simply forward those ports you defeat the point of the firewall. I highly recommend wiping that drive on another system booted into a linux live cd because with certainty it is already infected.
Discord: スメグマ#2236
Email: OwOwOwOwO123@outlook.com
GitHub: gabriel-tenma-white
 
The following users thanked this post: Mr. Scram

Offline amyk

  • Super Contributor
  • ***
  • Posts: 6809
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #8 on: September 15, 2019, 04:18:28 am »
Never expose any services to the Internet written by Microsoft. That's been my rule and it's worked well for the last few decades. A NAT router keeps you safe by default, but using RDP through the Internet is a horrible idea. If you must, and don't have a router, then at least configure the firewall to block connections except those from IPs you know you'll be connecting from.
 
The following users thanked this post: nctnico, OwO

Online nctnico

  • Super Contributor
  • ***
  • Posts: 19669
  • Country: nl
    • NCT Developments
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #9 on: September 15, 2019, 05:00:10 am »
Quote
Never expose any services to the Internet written by Microsoft. That's been my rule and it's worked well for the last few decades. A NAT router keeps you safe by default, but using RDP through the Internet is a horrible idea. If you must, and don't have a router, then at least configure the firewall to block connections except those from IPs you know you'll be connecting from.

Never expose anything at all. Always use a VPN for stuff like RDP.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Whales

  • Frequent Contributor
  • **
  • Posts: 989
  • Country: au
    • Halestrom
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #10 on: September 15, 2019, 05:24:59 am »
Quote
Considering the same level of password strength, what is the difference of using VPN over RDP, when we are talking about automated brute force attacks against IP's which offer these services?

To answer your question by translating what other people have been saying: RDP has a lot more attack surface than (a good) VPN daemon. 

Ie the security gates provided by both a VPN and RDP might look similar and may even require the same password, but the fences are different.  One is designed to be simple and solid, the other has decades of holes and fixes (+ a stepladder sitting next to it from the last contractor).

Being able to make your monitors flicker is damn scary.  That means that they can execute all sorts of interesting RDP-related stuff even without correct login creds. 

I'll agree with some others here: nuke and pave that computer.  Don't trust it's not infected, the first malware through would intentionally patch the holes behind it to avoid takeover by another vendor.

Online BravoV

  • Super Contributor
  • ***
  • Posts: 6781
  • Country: 00
  • +++ ATH1
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #11 on: September 15, 2019, 05:43:34 am »
Do you hook up your PC directly to the net?  :o

Consider buying one of those cheap wifi routers, most have decent built-in NAT, firewall and most modern ones have VPN.

Pretty easy to set up, and a one-time job, once VPN-ed, basically your devices connected through the internet are like in your local net.

Google VPN for noob, looking at your past posts, pretty confident it's within your skill set.
« Last Edit: September 15, 2019, 05:49:26 am by BravoV »
 

Offline legacy

  • Super Contributor
  • ***
  • !
  • Posts: 4415
  • Country: ch
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #12 on: September 15, 2019, 08:00:05 am »
there is too much crap on the internet nowadays  :palm:
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 3951
  • Country: au
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #13 on: September 15, 2019, 08:04:34 am »
Quote
Don't expose RDP to the internet.

This! Cyber security 101.
 

Offline legacy

  • Super Contributor
  • ***
  • !
  • Posts: 4415
  • Country: ch
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #14 on: September 15, 2019, 08:07:56 am »
Quote
Never expose any services to the Internet written by Microsoft. That's been my rule and it's worked well for the last few decades. A NAT router keeps you safe by default, but using RDP through the Internet is a horrible idea. If you must, and don't have a router, then at least configure the firewall to block connections except those from IPs you know you'll be connecting from.
Quote
Never expose anything at all. Always use a VPN for stuff like RDP.

You cannot have VPN in any Sun's OEM partners produced Wi-Fi "RDP-terminal-in-laptop-shape" versions of Sun Ray:
  • Comet 12 - Sun Ray 12" notebook produced by General Dynamics
  • Comet 15 - Sun Ray 15" notebook produced by General Dynamics
  • Jasper 320 - Sun Ray 2 notebook produced by Naturetech
  • Amber 808 - Sun Ray 2 tablet produced by Naturetech
  • Opal 608 - Sun Ray 2 tablet produced by Naturetech
  • Gobi 7 - Sun Ray 2 notebook produced by Aimtec
  • Gobi 8 - Sun Ray 2 notebook with 3G support produced by Aimtec
  • Ultra ThinPad - Sun Ray 2 notebook produced by Arima
  • Ultra ThinTouch - Sun Ray 2 tablet produced by Arima
  • UltraSlim - Sun Ray 2 variant produced by Arima
  • Tadpole M1400 - Sun Ray 2 notebook with 3G support produced by Tadpole

These machines cannot be updated to have a built-in VPN. So, you need to bring a little Linux router with you, and to put it between the internet and your RDP-laptop.
 

Offline Bicurico

  • Frequent Contributor
  • **
  • Posts: 991
  • Country: pt
    • VMA's Satellite Blog
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #15 on: September 15, 2019, 08:10:08 am »
Hi,

Just to clear up a few things:

My PC is NOT connected "directly" to the internet. It is behind a router that only forwards RDP to my computer. I do that because I need it: for work and hobby related reasons I require to access my computer through RDP frequently. When in need, I need it to be fast: I sometimes use for example CAD/CAM software through RDP. If I tunnel that through my VPN server, which I have, also, the speed drops considerably.

Also, having to first do VPN is not an option because the computers from which I need to access mine would require me to set up said VPN connection (not always possible due to lack of admin privileges). Some networks I am in do not allow the use of VPN - it is filtered.

I consider that my RDP password is strong to not be included in any list and long enough to not succumb to any brute-force attack in reasonable time.

My computer uses Windows 10 and is always updated. Currently running 1903.

I am sure that my computer has not been hacked or hijacked. I believe that I just suffered from automated attacks testing passwords on my standard RDP port (which I changed yesterday).

What was driving me mad was the flicker/black flashing of the screens! This has now fortunately stopped. I think you are all aware that any internet access (through modem or router) will constantly be probed by bots doing attacks. There is simply no way of avoiding this and the protection consists in using a proper router without known issues in the firmware, not forwarding unnecessary ports and using a modern, updated operating system. Anyone pointing the finger at me and using Windows XP, Windows Vista, Windows 7 or even Windows 8 should consider updating their OS first.

And yes, I do know that a SECURE computer should not have an open RDP port pointing at it. I know that an even more secure computer should not be connected to the internet at all. Even better, not connected to any network and not allowed to stick any USB devices in it. The most secure computer would be the one always turned off...

And no, it is not an option for me to switch to Linux (which I use, too, occasionally), because many software applications and cards fitted on my computer are not supported by Linux.

Anyway, thanks for the suggestions (I mean it, no sarcasm here).

Regards,
Vitor
« Last Edit: September 15, 2019, 08:14:13 am by Bicurico »
 

Offline Bicurico

  • Frequent Contributor
  • **
  • Posts: 991
  • Country: pt
    • VMA's Satellite Blog
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #16 on: September 15, 2019, 08:20:44 am »
I now simulated the RDP access and found out that I am to blame for this:

I had the option "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)" switched off.

This will allow RDP to connect to the remote login screen even if user/password is wrong and indeed causes a flash on the host monitors. It still won't allow any access, but every login attempted causes a small flash.

Activating this option will produce a connection failure on the client and NOT flash the hosts screens.

Regards,
Vitor
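
A way to read the setting described in this post, together with the listener port the thread discusses, straight from the registry of the RDP host. This is an added example, not code from the poster or from Microsoft; the function names and the two constructed sample states ("before" and "after", with port 50123 as a made-up value) are assumptions, while the registry keys and value names are the standard Terminal Server ones.

```powershell
# Added example (not from the thread). Reports whether Network Level
# Authentication is required, which security layer is used and which port
# the RDP listener is bound to.

$TsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ListenerKey = "$TsKey\WinStations\RDP-Tcp"
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-RdpSettings {
    # A Group Policy value, when present, overrides the local listener value.
    $nlaPolicy = Get-RegValue $PolicyKey 'UserAuthentication'
    $nlaLocal  = Get-RegValue $ListenerKey 'UserAuthentication'
    [pscustomobject]@{
        RdpEnabled    = (Get-RegValue $TsKey 'fDenyTSConnections') -eq 0
        NlaRequired   = $(if ($null -ne $nlaPolicy) { $nlaPolicy -eq 1 } else { $nlaLocal -eq 1 })
        SecurityLayer = Get-RegValue $ListenerKey 'SecurityLayer'   # 0 = RDP, 1 = Negotiate, 2 = TLS
        Port          = Get-RegValue $ListenerKey 'PortNumber'
    }
}

function Test-RdpSettings {
    param([Parameter(Mandatory)]$Settings)
    if (-not $Settings.RdpEnabled) {
        return 'RDP is disabled (fDenyTSConnections is not 0).'
    }
    if ($Settings.NlaRequired) {
        'NLA is required: clients must authenticate before a session is created.'
    } else {
        'NLA is NOT required: any client reaches the logon screen before authenticating.'
    }
    if ($Settings.SecurityLayer -eq 0) {
        'SecurityLayer = 0 (legacy RDP security); 1 (Negotiate) or 2 (TLS) is preferable.'
    }
    $suffix = if ($Settings.Port -eq 3389) { ' (default)' } else { '' }
    "Listener port: $($Settings.Port)$suffix"
}

# Constructed states matching the post: NLA off on the default port, then NLA on
# with a changed port.
$before = [pscustomobject]@{ RdpEnabled = $true; NlaRequired = $false; SecurityLayer = 2; Port = 3389 }
$after  = [pscustomobject]@{ RdpEnabled = $true; NlaRequired = $true;  SecurityLayer = 2; Port = 50123 }

'--- before ---'; Test-RdpSettings $before
'--- after ---';  Test-RdpSettings $after

# Live use on the RDP host:
# Test-RdpSettings (Get-RdpSettings)
```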

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3105
  • Country: fr
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #17 on: September 15, 2019, 10:19:25 am »
And you don't even know when someone is remotely executing code on your PC due to some yet unpatched bug (there are legions of those in both Windows and RDP itself).

Problem is not someone cracking your password but hacking into your machine through bugs in the exposed service, without needing any login.

Let's hope you have good backups ...


If you have such requirements that you have to have access to your home machine at work/client place and you cannot have VPN there, then buy a cheap 3G/LTE modem, stick that into your laptop and run your VPN over that, bypassing the client's network. It is safer for both your home machine and the client if you don't access "random" computers from their company's network. I am sure that if I was the IT guy there I wouldn't be happy about you doing that (viruses spreading, corporate secrets leaking, possible regulatory issues in some industries, etc ...).

BTW, just to be clear - by VPN one doesn't mean various "VPN" services used to bypass e.g. regional restrictions on Netflix. That's not really secure (you aren't controlling both end points) and is slow because it often takes a trip around half of the globe. Not a problem for streaming but a killer for interactive use. By VPN one means running your own VPN server at home and connecting to that. Either using something like OpenVPN or SSH tunnel. That's plenty fast if your connection is fast enough (i.e. if you are on a usual residential DSL with just 1Mbit upload you may want to upgrade to a faster one).
« Last Edit: September 15, 2019, 10:29:59 am by janoc »
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 3951
  • Country: au
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #18 on: September 15, 2019, 10:34:22 am »
Just be mindful that exposing services to the internet, regardless if you have the strongest password known to man, is still a significant risk (particularly if you're using older versions of servers/daemons/protocols).

There is a long list of known RDP vulnerabilities which might not necessarily apply to you right now, but who knows when the next one will be discovered.

If you have absolutely no other choice but to expose those services, then take additional precautions such as making sure that machine is on its own VLAN, there is no direct connection between that system and other important systems, consider an IDS and keep everything updated/patched.
 

Offline DimitriP

  • Super Contributor
  • ***
  • Posts: 1118
  • Country: us
  • "Best practices" are best not practiced.© Dimitri
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #19 on: September 15, 2019, 10:55:40 am »
All this is nice and good.
But  there is work to be done  that's where risk vs reward comes in.

I don't go shopping in a tank, wearing bullet proof vest and I don't have a decontamination chamber at the entrance to my house either. I don't even own a Geiger counter.

Instead of chastising users for not using a VPN yada yada yada, not exposing services to the internet (what the f*&* is the point of having services if you can't use'em?) chastise MS for not having corrected their issues sometime in the last 20 years or so !!!

As for using a "modern" operating system, that's a load of c*&p as well, case in point in May they patched summarily everything from XP all the way to Windows 10.
But I am not worried because we are told every new version is more secure than the previous version. (Except for the security holes that exist in all of them )
At least this time they couldn't blame it on "old" "32 bit code".
Idiots!

 
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3105
  • Country: fr
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #20 on: September 15, 2019, 11:23:45 am »
We can rant about Microsoft's incompetence all the day long but:

a) That will not help the user at all
b) Even non-Microsoft products have critical bugs

Security is a process, not a one-off thing you turn on and forget about or a magic gizmo you buy from someone and be done with it.
 

Offline Bicurico

  • Frequent Contributor
  • **
  • Posts: 991
  • Country: pt
    • VMA's Satellite Blog
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #21 on: September 15, 2019, 12:59:12 pm »
It is a bit like DimitriP says: what's the point of having a service like RDP if you cannot put it to use.

Example: the ID managers at the University, where I work as an invited professor, have tightened the network to such an extent that VPN is not possible, nor can you send files to students (teachers and students are on separate networks), etc. It is TOO tight to be used properly. Many software applications don't work because of this and had to be installed inside Virtual Machines! But even so, every year they suffer from security breaches. Mostly because someone did something stupid from within (opened an attachment, basically).

The same with bigger customers of ours with IT department and all kind of bells and whistles, security wise. They were caught by ransomware, nevertheless.

That makes me remember the Bastard Operator From Hell (BOFH) who lives by the motto: a secure computer system is one that nobody has access to use.

At some point you have to trust that Microsoft implemented their functionality like RDP correctly and without bugs.

The ones suggesting I format the HDD and reinstall Windows (which would be a task taking at least 2 days to have my system fully installed and configured) say so because I noticed that attacks were ATTEMPTED on my open RDP port.

But: similar attacks are done to all possible ports, too!

How can I be sure that my router does not have a vulnerability? It was provided by the ISP, so I cannot control if the FW is updated nor can I update it myself.

The same for Windows in general: I would say that by just using any browser you can suffer from drive-by attacks where you just open a webpage and wham - you have some malicious code running on your computer!

So should we all format our computers on a weekly basis?

I am happy my screen is not flashing anymore, I am sure that I suffered no infection from any malicious code and even if I have, I do have several backups of my data, including a HDD locked in a safe. Reinstalling Windows at the SLIGHTEST suspicion (i.e. without noticing ANY strange behaviour) is in my opinion counter-productive. But I guess that is just my opinion.

Regards,
Vitor

« Last Edit: September 15, 2019, 01:01:26 pm by Bicurico »
 

Offline DimitriP

  • Super Contributor
  • ***
  • Posts: 1118
  • Country: us
  • "Best practices" are best not practiced.© Dimitri
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #22 on: September 15, 2019, 01:26:50 pm »
Quote
The same with bigger customers of ours with IT department and all kind of bells and whistles, security wise. They were caught by ransomware, nevertheless.

It's amazing, isn't it? 
Sometimes it seems security is measured by the degree of user inconvenience. Until they get hit anyway and then all you are left with is the inconvenience.

 

Offline DimitriP

  • Super Contributor
  • ***
  • Posts: 1118
  • Country: us
  • "Best practices" are best not practiced.© Dimitri
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #23 on: September 15, 2019, 01:31:24 pm »
Quote
We can rant about Microsoft's incompetence all the day long but:

a) That will not help the user at all
b) Even non-Microsoft products have critical bugs

Yeah...treating the cause is overrated. It's easier to take care of the symptom. Just look at how the computer protection industry has flourished. It's a win-win I tell'ya!   :palm:
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3105
  • Country: fr
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #24 on: September 15, 2019, 05:05:34 pm »
Quote
Yeah...treating the cause is overrated. It's easier to take care of the symptom. Just look at how the computer protection industry has flourished. It's a win-win I tell'ya!   :palm:

How exactly would pointlessly ranting about Microsoft here "treat the cause", mind you?  :-//

I am sure their CEO is reading EEVBlog and is now all scared because we have uncovered their incompetence that was a secret until now.  :palm:
 
The following users thanked this post: Mr. Scram

