
    8 Replies

    • spicehead-i2xqq wrote:

      We have a network of 2 Windows PCs on the web through a router.

      How are they on the internet? What services are they hosting?

      spicehead-i2xqq wrote:

      We do not have port 3389 forwarded on the router, only port 443, to this machine.

      So you have PCs hosting webservices?

    • How Does Phobos Ransomware Spread?

      Much like other cyber-threats, Phobos ransomware infects devices and potentially spreads across the entire network in five main ways:

      • unprotected remote desktop protocol (RDP) connections,
      • brute-forced remote desktop protocol credentials,
      • stolen RDP credentials bought on the black market,
      • exploits of unpatched software and other software vulnerabilities, and
      • phishing campaigns.

      It can also use vulnerabilities, I would assume in both Windows and the applications being used.

    • Dang, that was fast. Yes, it absolutely is hosting a web service using a vendor's software over port 443.

      I'll definitely take a closer look at that. I guess the RDP port doesn't have to be internet facing for this ransomware. Thank you.

      -John

    • (Best Answer) I would wonder why PCs are used for hosting and not servers, and VMs at that - most ransomware will detect the 'virtual' state and guess the server is a sandbox, often not running at all - more advanced ransomware will simply do more checks, but many won't.

      Whatever the devices are, ensure they and the 3rd-party software are patched; if there is any use of Java, do check it is not Log4J vulnerable and patch it immediately.
    • You didn't ask this, but having RDP enabled alone would not allow hackers or malware to successfully exploit the host. Some other vulnerability had to be present. Figure out what it was, if you don't know already, and make sure you mitigate that issue or it will just happen again.

    • Thank you. To help "figure out what it was," is there a user-friendly software tool that can probe all ports and look for vulnerabilities by giving it my public-facing IP address?

      Thanks.

      -John

    • spicehead-i2xqq wrote:

      Thank you. To help "figure out what it was," is there a user-friendly software tool that can probe all ports and look for vulnerabilities by giving it my public-facing IP address?

      Thanks.

      -John

      There are many tools; however, if someone downloaded a malicious email or visited a malicious link, none of the tools scanning your public IP will help you, as the threat would have been initiated by a user, not by an attack on your public services.

      While many tools exist, they also expect you to understand them and the risks associated with them. My suggestion would be (and it's not free) to get someone to run a pen test, both internal and external, for you and give you a report on their findings. Use this report as your starting guide. Rinse and repeat quarterly, bi-annually or annually as needed.

      If you must do it yourself, do note that you also accept the risks and consequences.

      Tools like Greenbone Vulnerability Manager, Nessus, Qualys, Microsoft Defender (E3 or above, I believe) and many others exist.

      Do also note that most of these tools are not really 'user'-friendly, as they are meant for IT people with the experience to both understand them and know how to deal with the problems highlighted.

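As an added example that is not from any poster in this thread, a read-only PowerShell audit of the checks the replies point at: whether RDP is enabled and requires NLA, which inbound RDP firewall rules are active, which TCP listeners on the PC are bound to all interfaces (the set a router port-forward could expose), and how many failed RDP logons the Security log recorded in the last week. It assumes an elevated PowerShell on the affected PC, Windows 8 / Server 2012 or later for the NetSecurity cmdlets, and that Security-log auditing of logon failures is enabled (the default).

```powershell
# Added example (not from the thread): audit a Windows host's RDP exposure
# and externally reachable listeners. Read-only: it changes nothing.

$report = [ordered]@{}

# 1. Is RDP enabled at all? fDenyTSConnections = 0 means enabled.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty $tsKey -Name fDenyTSConnections
$report['RDP enabled'] = ($ts.fDenyTSConnections -eq 0)

# 2. Is Network Level Authentication required? UserAuthentication = 1 means yes.
$nla = Get-ItemProperty "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication
$report['NLA required'] = ($nla.UserAuthentication -eq 1)

# 3. Which inbound RDP firewall rules are enabled, and for which profiles?
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
    -Direction Inbound -ErrorAction SilentlyContinue
$report['Inbound RDP rules enabled'] =
    ($rdpRules | ForEach-Object { "$($_.DisplayName) [$($_.Profile)]" }) -join '; '

# 4. Every TCP listener bound to all interfaces is a candidate for exposure
#    through router port forwarding; map each to its owning process so the
#    vendor's 443 service and anything unexpected can be told apart.
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Process = $p.ProcessName; Path = $p.Path }
    } | Sort-Object Port -Unique

# 5. Failed logons (event 4625) whose LogonType (property index 10) is 10,
#    i.e. RemoteInteractive / RDP. Caveat: with NLA on, pre-session failures
#    are logged as LogonType 3 instead, so a low count here is not proof of
#    no brute forcing; review type-3 failures from non-LAN addresses too.
$failedRdp = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -eq 10 }
$report['Failed RDP logons, last 7 days'] = @($failedRdp).Count

$report.GetEnumerator() | ForEach-Object { '{0,-32}: {1}' -f $_.Key, $_.Value }
"`nListeners bound to all interfaces (compare with the router's forwarding table):"
$listeners | Format-Table -AutoSize
```

Anything in the listener table that is not the vendor's 443 service, or any enabled RDP rule on the Public profile while the PC sits behind a forwarded port, is the kind of finding the reply above suggests handing to a pen tester for follow-up.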
    • Never figured out the source. Ended up disabling all port forwarding and figuring out a different way to do this.
