[4eyes] FW: [UCSB-OIT #1033886] Potentially Vulnerable Host(s) Running RDP
Matthew Turk
mturk at ucsb.edu
Tue Oct 3 11:14:00 PDT 2017
Please check to see if your machine is 128.111.26.198 or 128.111.26.96. If so, turn off Remote Desktop on those machines and then let Larry (larry at mat.ucsb.edu) know.
Thanks,
Matthew
-----Original Message-----
From: Larry Zins [mailto:larry at mat.ucsb.edu]
Sent: Tuesday, October 3, 2017 11:05 AM
To: Tobias Hollerer <holl at cs.ucsb.edu>; Matthew Turk <mturk at ucsb.edu>
Subject: Fwd: [UCSB-OIT #1033886] Potentially Vulnerable Host(s) Running RDP
Hi Matthew, Tobias - network managers across campus received an email this morning warning them that there is an on-going active exploit targeting computers that have a remote desktop service running on them. The two computers that were listed as having the RDP service turned on in the MAT subnets are in the FourEyes lab:
unity.mat.ucsb.edu
128.111.26.198
and
trustytahrpc.mat.ucsb.edu
128.111.26.96
Can you please notify your lab members, and ask them to turn off Remote Desktop on those two computers?
They can instead use the UCSB Campus VPN service, available from here:
http://www.ets.ucsb.edu/services/campus-vpn/get-connected
I would like to block access to the RDP service from remote locations to the MATP subnets as soon as possible. Can you please inform your lab that they should use the campus VPN service instead of using Remote Desktop directly from off-campus?
Please let me know when I can ask UCSB NOC to create an ACL to block access.
Thanks,
Larry
Media Arts and Technology
University of California
Santa Barbara, CA 93106
Phone: 805-893-3050
Web: www.mat.ucsb.edu
----- Forwarded Message -----
From: "security" <security at ucsb.edu>
To: "Larry Zins" <larry at mat.ucsb.edu>
Sent: Tuesday, October 3, 2017 10:15:33 AM
Subject: [UCSB-OIT #1033886] Potentially Vulnerable Host(s) Running RDP
Greetings,
We received the following email from the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC). In addition to the information REN-ISAC provides in this report, it is worth noting that these hosts have the Remote Desktop (RDP) Service running and accessible to the world on the internet. Misconfigured RDP can allow miscreants access to the desktop of a vulnerable host and can also allow for information gathering on a target host, as the SSL certificate used by RDP often contains the system's trivial hostname. You should consider restricting access to the RDP service to your departmental networks and to VPN users, if it is necessary for some users to have access from off-campus.
Now here is the report...
Greetings,
REN-ISAC received notice of a list of hosts that have RDP enabled and accessible to the internet. This list was given by a trusted third party who is tracking a hacking group who is using credentials that are possibly brute forced or purchased.
The actors steal data and then attempt to extort leaders inside the organization, threatening to release the data via multiple public channels. K20 is known to have been targeted. Confidential data is targeted, data that has the potential to be personally damaging, including but not limited to the targeting of students.
We have no additional information to provide at this time.
IP Address      | Hostname                   | Certificate
128.111.26.198  | bsturm-laptop.mat.ucsb.edu | DESKTOP-ICRKDBO
128.111.26.96   | trustytahrpc.mat.ucsb.edu  | BNWindowsPC
Please let us know if you feel you've received this report in error, or if we should direct future notifications to another address.
In order for the REN-ISAC to learn how we can best aid the education community with network security matters we'd greatly appreciate hearing back from you regarding action on this incident and how, if at all, this information proved useful.
soc at ren-isac.net
24x7 Watch Desk +1(317)274-7228
http://www.ren-isac.net
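The thread asks lab members to turn Remote Desktop off, and Larry proposes an ACL so RDP is reachable only via the campus VPN. The script below is an added example, not part of the thread, that audits a Windows host for the exposure the REN-ISAC report describes and applies either mitigation at host level. It assumes an elevated PowerShell session on Windows 10 / Server 2016 or later with the built-in NetSecurity module; the subnet list is a placeholder, not the real MAT or campus-VPN ranges.

```powershell
# Added example (not from the thread). Audit a host's RDP exposure and apply the
# mitigation requested: disable RDP, or restrict it to departmental/VPN ranges.
# ASSUMPTION: run as Administrator; $AllowedSubnets below is a PLACEHOLDER and
# must be replaced with the department's and campus VPN's actual address ranges.
$AllowedSubnets = @('192.0.2.0/24', '198.51.100.0/24')   # placeholder (RFC 5737)

$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpExposure {
    # Report whether RDP is enabled and which remote addresses the built-in
    # "Remote Desktop" firewall rules accept. 'Any' on a host with a public
    # address is exactly the condition flagged in the REN-ISAC report.
    $enabled = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
    $scopes = $rules | ForEach-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } |
        Sort-Object -Unique
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME        # the name that ends up in the RDP certificate
        RdpEnabled     = $enabled
        RemoteAddress  = ($scopes -join ',')
        OpenToAnywhere = $enabled -and ($scopes -contains 'Any')
    }
}

function Disable-Rdp {
    # The action the thread asks lab members to take: turn Remote Desktop off.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Set-RdpAllowedSubnets {
    # Host-level counterpart of the proposed network ACL: keep RDP on, but only
    # accept connections from the departmental and campus-VPN ranges.
    param([string[]]$Subnets = $AllowedSubnets)
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $Subnets
}

# Audit first; then call Disable-Rdp or Set-RdpAllowedSubnets as appropriate.
Get-RdpExposure
```

Running the audit before and after remediation gives a record that `OpenToAnywhere` changed from `True` to `False`, which is the confirmation Larry asks for before the NOC ACL goes in.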