Spyware 201

Couperin47

Member
SoSH Member
Russia has developed a cyberweapon that can disrupt power grids, according to new research --https://www.washingtonpost.com/world/national-security/russia-has-developed-a-cyber-weapon-that-can-disrupt-power-grids-according-to-new-research/2017/06/11/b91b773e-4eed-11e7-91eb-9611861a988f_story.html?tid=hybrid_mostsharedarticles_2_na&utm_term=.c2a6ebc02dfa

The article also includes the following: "The malware samples were first obtained by ESET, a Slovakian research firm, which shared some of them with Dragos. ESET has dubbed the malware Industroyer."

Is that the same ESET?
Yes

DamageTrain

Well-Known Member
Silver Supporter
SoSH Member
Sep 29, 2014
234
Vermont
Russia was probing my ports! (And it didn't feel that good.)

I was checking the reason for a failed backup on my Windows box when luckily I noticed many failed logins and remote desktop access failures in the event log. Apparently for several days my remote desktop logins have been under brute-force attack. I logged into my server and found the same thing. The IP addresses that are the source of the attack point to Russia and Ukraine.

So I shut down remote desktop access to both machines. Set up an IP-address-specific firewall in case it needs to get turned on for any reason. (I haven't been using it much recently anyway.) I had mapped RDA to an alternative port, but that was weak security at best. I also looked at the logs of logins on both machines and there were no unrecognized successful logins. I ran a virus and root-kit scan just in case, that came out clean.

I think I got lucky -- I suggest shutting down remote desktop access unless you're actively using it, or setting up a firewall exception that only lets known IP addresses through.
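As an added example (not DamageTrain's own code or commands), here is PowerShell that performs the same review and lockdown on a Windows machine: tally failed logons by source address, confirm there were no unrecognized successful remote logons, and then either switch Remote Desktop off or restrict it to an allowlist at the firewall. It assumes an elevated session on Windows 8 / Server 2012 or later (built-in NetSecurity module); the trusted addresses and the seven-day lookback are placeholder values.

```powershell
# Added example, not code from the original post. Assumes an elevated
# PowerShell session on Windows 8 / Server 2012 or later (NetSecurity module
# present). Addresses and the lookback window are placeholders.

function Get-FailedLogonSummary {
    # Summarize Security event 4625 ("An account failed to log on") by source
    # address: the brute-force pattern is many failures from a few addresses.
    param([datetime]$Since = (Get-Date).AddDays(-7), [int]$Top = 10)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # Read the fields by name from the event XML instead of by positional index.
        $d = @{}
        foreach ($f in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']   # 10 = RemoteInteractive (RDP); 3 = Network (RDP with NLA lands here too)
            SourceIP  = $d['IpAddress']   # may be '-' when the failure was logged before an address was recorded
        }
    }
    $rows |
        Where-Object { $_.SourceIP -and $_.SourceIP -ne '-' } |
        Group-Object SourceIP |
        Sort-Object Count -Descending |
        Select-Object -First $Top -Property Count,
            @{ n = 'SourceIP';   e = { $_.Name } },
            @{ n = 'LogonTypes'; e = { ($_.Group.LogonType | Sort-Object -Unique) -join ',' } },
            @{ n = 'UsersTried'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

function Get-RemoteLogonSuccesses {
    # The check the post did next: event 4624 (successful logon) restricted to
    # network/RDP logon types from non-local addresses. An entry here from an
    # address you do not recognise means the guessing did not merely fail.
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = @{}
        foreach ($f in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if ($d['LogonType'] -in '3','10' -and $d['IpAddress'] -notin '-','127.0.0.1','::1') {
            [pscustomobject]@{ Time = $e.TimeCreated; User = $d['TargetUserName']
                               LogonType = $d['LogonType']; SourceIP = $d['IpAddress'] }
        }
    }
}

function Set-RdpExposure {
    # Mode 'Disable' is the post's first move: Remote Desktop off, rules closed.
    # Mode 'Allowlist' keeps it on but only for listed sources, which keeps the
    # guessing traffic off the service entirely; moving the port, as the post
    # notes, does not.
    param(
        [Parameter(Mandatory)][ValidateSet('Disable', 'Allowlist')][string]$Mode,
        [string[]]$TrustedSources = @('203.0.113.10', '198.51.100.0/24')   # placeholders
    )
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # The built-in "Remote Desktop" rules accept any source address; retire them either way.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    if ($Mode -eq 'Disable') {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
        return
    }
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0
    New-NetFirewallRule -DisplayName 'RDP - trusted sources only' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $TrustedSources -Action Allow
}

# Usage: review first, then lock down.
Get-FailedLogonSummary | Format-Table -AutoSize
Get-RemoteLogonSuccesses | Format-Table -AutoSize
Set-RdpExposure -Mode Disable      # or: Set-RdpExposure -Mode Allowlist -TrustedSources '203.0.113.10'
```

The two review functions read the event fields by name from the event XML rather than by position, so they stay readable and do not break if you later add fields to the output. If your remote access is via a VPN or another gateway rather than direct RDP, the allowlist should name that gateway's address only.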

santadevil

Well-Known Member
Silver Supporter
SoSH Member
Aug 1, 2006
4,652
Saskatchestan
Thanks for that. I've got a computer I remote into from time to time at home as well.
I'll make that change.