A few weeks ago, a ransomware attack hit major Japanese car manufacturer Honda. A similar attack struck the systems of Edesur, a distributor of electricity in Argentina owned by Enel Argentina, a green energy supplier.
The attack affected Honda’s ability to access its computer servers, email and internal systems, as well as impacting its production systems located outside of Japan, according to the BBC. This resulted in the suspension of production in North America, Turkey, Italy, Japan and the U.K. The company also temporarily shut down its customer and financial services operations. Honda stated that one of its internal servers was attacked externally, and that the virus had spread throughout its network.
In a comparison of malware samples targeting Honda and Enel posted online, Malwarebytes Labs found that the incidents may be tied to the EKANS/SNAKE ransomware family. EKANS includes not only traditional file encryption and ransomware note features, but also additional functionality that forcibly stops ICS-related (industrial control system) operational processes, according to a Dragos analysis. That could explain why this particular type of ransomware targeted both manufacturing and energy plants (Honda and Edesur).
How was the ransomware delivered? While many organizations are typically infected with ransomware via phishing emails, Malwarebytes Labs found that both companies had some machines with RDP (Remote Desktop Protocol) access exposed publicly to the internet.
While they can’t validate that it was the actual threat vector in this particular scenario, RDP is one of the most targeted methods to gain entry and infect systems with ransomware, as I wrote about previously in Top Security Threats: Detecting Ransomware Tactics.
A Coveware report from 2019 found that RDP was one of the most common attack vectors for ransomware, accounting for 57% of all infections, followed by phishing 26%.
While RDP should never be internet-facing, as it’s not a secure method of remote management, there are occasionally misconfigurations that may leave it open. In Verizon’s 2020 Data Breach Investigations Report (DBIR), they noted that errors (or misconfigurations) are now equally as common as social breaches, and more common than malware, spanning every industry. They cite the increase over time since 2017 largely due to internet-exposed storage discovered by security researchers and third parties.
Detecting RDP Misconfigurations and Connections
To help your team quickly respond to any risky connections that could result in potential ransomware infection, Blumira can detect and alert on any unauthorized access attempts. Our platform prioritizes the threats and notifies your responders of any public IPs attempting to connect via RDP to your network.
For automated threat response, you can follow our step-by-step workflows to take immediate action. With Blumira’s Dynamic Block List, you can block the public source IPs from connecting to your network via RDP and reduce your overall attack surface.
By integrating automated threat detection, correlation, analysis, hunting, response and remediation all in one platform, you can ease the burden on your limited IT or security staff, while detecting any indications of ransomware early enough to contain its impact on your company.
Video: Replace Your SIEM With Automated Detection & Response – SIEMs provide a lot of complexity with little security value. See how Blumira’s modern security platform provides threat detection and response, with security orchestration and automation built into one simple platform.
Webinar: How to Automate Threat Detection & Response – Join Blumira’s VP of Ops Patrick Garrity for an overview of how to automate your threat detection & response with Blumira’s modern security platform.
Detecting RDP Attacks With Honeypots – See our honeypot data on remote access attack trends against RDP since the start of the pandemic and rise in remote work, and join our webinar to learn more.