Port scan attacks: Protecting your business from RDP attacks and Mirai botnets
Compromised IP addresses and domains—otherwise legitimate sites that are exploited by hackers without the owner's knowledge—are frequently utilized to conduct port scanning attacks.
Port scanning involves systematically scanning a computer network for open ports, which can then be exploited by threat actors to gain unauthorized access or gather information about the system's vulnerabilities.
In this article, we will explain the two biggest threats utilizing port scanning attacks, RDP attacks and Mirai botnets, and how businesses can protect themselves using Malwarebytes for Business.
Compromised detections: RDP attacks and Mirai botnets
Cybercriminals typically conduct reconnaissance on the target port before using what are called dictionary attacks, entering and trying out known usernames and passwords to see if any of the combinations grant access.
The two most common detections of compromised IP addresses are systems scanning for open RDP (Remote Desktop Protocol) ports and IoT (Internet of Things) botnets, such as Mirai.
Remote Desktop Protocol is exactly what the name implies, a tool for remotely controlling a PC that gives you all the power and control you would have if you were actually sitting behind it—which is what makes it so dangerous in the wrong hands. In fact, one of the primary attack vectors for ransomware attacks has been the Remote Desktop Protocol (RDP).
RDP port scanners, often found in the form of compromised servers, scan the internet for open RDP ports by trying the default port for RDP, TCP 3389. The cybercriminals that control the compromised server then try to brute-force their way in, repeatedly entering common username and password combos to find RDP login credentials.
Other than RDP, cybercriminals often perform port scans for various other network protocols, including FTP (20/21), POP3 (110/995), IMAP (143/993), SMTP (25/465/587), and SQL (1433/1434/3306). Gaining access through RDP and other network protocols allows attackers to infiltrate systems and deploy various malware.
Mirai, on the other hand, is a botnet primarily composed of Internet of Things (IoT) devices such as IP cameras, routers, and other internet-connected devices. Mirai actively scans the internet for open telnet servers on ports 23 or 2323, and, upon discovering one, attempts authentication using known default credentials. Such credentials are easy to find in many IoT devices—they're often the prepackaged combination of "admin" and "admin" for both username and password whenever customers first purchase a product to set it up.
If successful in its malicious login attempts, Mirai compromises the device and integrates it into the existing botnet.
In addition to launching DDoS attacks, botnets like Mirai can aid hackers in weakening website security, stealing credit card information, and distributing spam.
Protecting your business with Malwarebytes for Business
Malwarebytes for Business offers a comprehensive solution to monitor and manage threats, including detections from compromised IP addresses scanning for and attacking open ports.
For example, Malwarebytes blocks the IP address 5.39.37.10 as it is associated with the Mirai botnet, and 81.198.240.73 because it has been found to be involved in RDP probes or attacks.
Brute Force Protection policies in Nebula, our cloud-hosted security platform, can be configured to specify which protocols to protect, the ports used (default or custom), and create trigger rules. If set to monitor and detect, the policy will not block the ports. However, if set to block, it will utilize the Windows Firewall to block communications based on the configured rules.
When a block is implemented, the offending IP address will be placed in a "jail" for a predetermined duration, such as 30 minutes as shown in the example screenshot above. Blocks last a max of 60 minutes because IP addresses might be reassigned to legitimate users, or an attacker may leverage a legitimate user's IP address.
There are two kinds of inbound connections that Malwarebytes can detect, Blocked Inbound Connections and Found Inbound Connections.
Blocked inbound connections
Detections with the following fields reported typically occur when a port is open and exposed to the internet:
-
Type: Inbound Connection
-
Action Taken: Blocked
These detections are prevented by the Web Protection real-time protection layer. When these detections occur, it means the IP address being blocked is scanning or attempting to force its way into the endpoint using different ports.
Malwarebytes blocks IP addresses that have a history of abuse and is correctly preventing malicious connections.
Found inbound connections
Detections with the following fields reported are typically a result of having open ports in the router or firewall:
-
Type: Inbound Connection
-
Action Taken: Found
-
Detection Name: RDP Intrusion Detection
These detections occur based on your Brute Force Protection trigger rule settings specified in the Nebula policy.
Configuring Brute Force Protection in Nebula
To configure Brute Force Protection in Nebula:
-
On the left navigation menu, go to Configure > Policies.
-
Select a policy, then select the Brute Force Protection tab.
-
Select the following protocols for your workstations or servers:
-
Workstation and server protocols: Check mark the RDP protocol.
-
Server-only protocols: Check mark the FTP, IMAP, MSSQL, POP3, SMTP, or SSH protocols.
-
Configure custom port settings based on your endpoint environment and protocol requirements.
-
Create a Trigger rule based on the number of failed remote login attempts within a certain minute range across all enabled protocols. Choose to either block the IP address or monitor and detect the event when the trigger threshold is reached.
-
Optionally, enable the option to Prevent private network connections from being blocked.
-
When enabled, endpoints within private network address ranges will not trigger Brute Force Protection due to failed login attempts. This excludes the following network ranges:
-
10.0.0.0/8 (10.0.0.0-10.255.255.255)
-
172.16.0.0/12 (172.16.0.0-172.31.255.255)
-
192.168.0.0/16 (192.168.0.0-192.168.255.255)
-
127.0.0.0/8 (127.0.0.0-127.255.255.255)
-
Click Save at the top-right of your policy.
Safeguarding your business from compromised threats
By leveraging Malwarebytes for Business' advanced threat detection and protection capabilities, businesses can effectively protect themselves against attacks that result from compromised IP addresses and domains, including RDP attacks (and attacks against other network protocols) and IoT botnets. Configuring Brute Force Protection in Nebula allows companies to stay one step ahead of cybercriminals and ensure the safety of their networks and data.
Protection from port scanning attacks is only one aspect of Malwarebytes for Business' multi-layered approached to defense, which includes an all-in-one endpoint security portfolio that combines 21 layers of protection.