1

One of our servers got infected with ransomware last week (Matrix, .Grhan). The server allowed remote desktop connection from outside on the default port, which was a big security hole (and also, the account lockout policy was not set).

I looked at the Windows event logs and found their brute-force attempts; there were so many failed-login entries that I only have logs for the last few days before the attack. They managed to find the password of a user who had set it to something really easy to brute-force. One of the things I noticed is that they seemed to know our usernames, and I wonder how. They tried a bunch of random names too, but most of the attempts were for existing usernames (I exported the names to a text file and made a report from it, counting the attempts for each name; almost 90% of the attempts went to existing usernames).

How is that possible? I read the answer here, but our server is a Windows Server 2016. I ran two scripts made for taking remote desktop screenshots and could not connect. One of them mentioned that NLA is enabled on the server.

appl3r
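The per-username tally of failed logons that the question describes, written out as an added example (not code from the original post). It assumes a constructed tab-separated export of Event ID 4625 records and a constructed list of the accounts that actually exist on the server.

```python
from collections import Counter, defaultdict

# Constructed sample of Event ID 4625 records exported as tab-separated
# "time, TargetUserName, IpAddress, LogonType". Type 10 is RemoteInteractive
# (RDP); type 3 (network) is what NLA-protected RDP records for a failed logon.
SAMPLE_LOG = """\
2019-01-20T01:00:01\tAdministrator\t203.0.113.7\t3
2019-01-20T01:00:02\tjsmith\t203.0.113.7\t3
2019-01-20T01:00:03\tjsmith\t203.0.113.7\t3
2019-01-20T01:00:04\tbackup\t203.0.113.7\t3
2019-01-20T01:00:05\ttest\t203.0.113.7\t3
2019-01-20T01:00:06\tjsmith\t198.51.100.9\t10
2019-01-20T01:00:07\tmkovacs\t198.51.100.9\t10
2019-01-20T01:00:08\tadmin\t198.51.100.9\t10
2019-01-20T01:00:09\tmkovacs\t198.51.100.9\t10
2019-01-20T01:00:10\tmkovacs\t203.0.113.7\t3
"""

# Constructed list of accounts that really exist on the server (assumption:
# on a real host build it from `net user` or Get-LocalUser / Get-ADUser).
KNOWN_USERS = {"administrator", "jsmith", "mkovacs", "backup"}


def parse_4625_lines(text):
    """Yield (timestamp, username, source_ip, logon_type); usernames lowercased."""
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, ltype = line.split("\t")
            yield ts, user.lower(), ip, int(ltype)


def failed_logon_report(text, known_users):
    """Count failures per username and per source IP, and measure what share
    of attempts targets real accounts (the ~90% the asker observed)."""
    per_user, per_ip, users_by_ip = Counter(), Counter(), defaultdict(set)
    for _ts, user, ip, _ltype in parse_4625_lines(text):
        per_user[user] += 1
        per_ip[ip] += 1
        users_by_ip[ip].add(user)
    total = sum(per_user.values())
    known_hits = sum(n for u, n in per_user.items() if u in known_users)
    return {
        "total": total,
        "per_user": dict(per_user),
        "per_ip": dict(per_ip),
        "known_share": known_hits / total if total else 0.0,
        "unknown_names": sorted(u for u in per_user if u not in known_users),
        # One source trying several distinct names is the brute-force signature.
        "spraying_ips": sorted(ip for ip, s in users_by_ip.items() if len(s) >= 3),
    }
```

On the sample, 8 of 10 failures target real accounts and both source addresses spray several names; on a real export, a high known-name share like the asker's 90% is the figure worth explaining.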

1 Answer

1

You are assuming they extracted the names from the server. If they did, it would not make sense to try any other names as well.

It is more likely the list of names was obtained via a different method, for example a leaked list of email addresses.

Jeff
  • The two most-tried names are real Windows users, but they are not used as e-mail addresses and could not be guessed from publicly published information. My first guess was that someone opened something on the network which could potentially sniff such data from somewhere, but I have no idea where to start looking for it. All of the clients have Malwarebytes installed and running and have some kind of antivirus enabled. – appl3r Jan 28 '19 at 08:05
  • @appl3r Jeff's answer is a good guess, but if you are sure that this was not possible, then you should update your question. – Tom K. Feb 26 '19 at 11:06
  • I installed server 2016 on a VPS and within 5 minutes my very hard to guess username was showing up as failed login in the event viewer. This server was only online 30 minutes so what is going on with default server 2016 install that allows enumeration of user names? – jjxtra Apr 20 '22 at 00:04