Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

James_Braunegg · January 13, 2012, 12:36pm

Hey All,

Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours.

We witnessed an alarming amount of completely independent Microsoft Windows Servers, each on separate vlan and subnets (ie all /30 and /29 allocations) with separate gateways on and completely separate customers, but all services were within the same 1.x.x.x/16 allocation all simultaneously send around 2mbit or so data to a specific target IP address.

The only common link was / is terminal services port 3389 is open to the public. Obviously someone (Mr 133t dude) scanned an allocation within our network, and like a worm was able to simultaneously control every Microsoft Windows Server to send outbound traffic.

Microsoft Windows Servers within the 1.x.x.x/16 allocation which were behind a firewall or VPN and did not have public 3389 access did not send the unknown traffic

Would be very interested if anyone else has seen this behavior before ! Or is this the start of a lovely new Zero Day Vulnerability with Windows RDP, if so I name it "ohDeer-RDP"

A sample of the traffic is as per below, collected from netflow

Source Destination Application Src Port Dst
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 51534 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 52699 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 60824 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 51669 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 49215 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 62099 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 65429 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 51965 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 50381 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 59379 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 58103 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 59514 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 58298 TCP

This occurred around 10:30pm AEST Friday the 13th of January 2012

We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP ranges which were totally unaffected.

Kindest Regards

James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg@micron21.com<mailto:james.braunegg@micron21.com> | ABN: 12 109 977 666

[Description: Description: Description: M21.jpg]

This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.

Erik_Soosalu · January 13, 2012, 1:17pm

Wouldn't this just be an indication of that block being scanned for open
3389 ports from that IP? You're just looking at the return traffic to
the scanning host.

James_Braunegg · January 13, 2012, 1:28pm

Dear Erik

2mbits to 4mbits of outbound traffic is a fair bit for just a port scan..

We saw around 100ks of inbound traffic to each server and around 2mbits to 4mbits outbound traffic from the servers to the same destination 58.162.67.45

The traffic pattern occurred for around 30 minutes and then simultaneously every host (server) stopped sending traffic.

Kindest Regards

James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg@micron21.com | ABN: 12 109 977 666

This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.

Erik_Soosalu · January 13, 2012, 1:38pm

I would agree that it is a large stream.

The other thing would be a password crack attempt. There was tool out a couple of years, and I've forgotten the name of it now, that worked at brute forcing RDP passwords. It worked without ending up in the Windows logs, because at the time Windows would only log incorrect RDP password attempts on the 5th try. So it would try 4 passwords, disconnect and then connect again.

If it was such a program, trying as fast as it could, there would be a lot of initial "screen renders" being sent to the attack IP with very little traffic coming back - just the login attempts.

Thanks,
Erik

Alex_Brooks · January 13, 2012, 1:38pm

Hello,

Mark_Keymer · January 13, 2012, 5:02pm

Hi,

We have had 2 of the below hit us this week. First time was apx 11:20am 1/10/2012 (PST). The 2nd was 1/12/2012 (Yesterday) 4:45pm. We had done some research and had already planed to switch to Network Level Authentication (NLA) as it looks like that would help with the screen not getting dumped. Unfortunately we had not done the change to that yet as we were getting looking for and found a new RDP client on linux that would support it. However last night we did start doing the changes to NLA.

I am not saying NLA is a fix or that it is the best option. Just one of the things we are trying. When we can, locking down access to the RDP port I think would be best.

Ohh, as for the destination. The first day was to 221.251.194.42. Yesterday was for 115.236.185.167.

Sincerely,

Mark Keymer

Jerry_Dixon · January 13, 2012, 5:07pm

Another possibility is the use of this tool as well:
http://www.sensepost.com/labs/tools/pentest/reduh (Reduh)

Jerry
jerry@jdixon.com