RM SERVER ATTACKS

EM36

BDA Wizard
CS Forums $upporter
Joined
Mar 27, 2019
Messages
572
On Feb 17 there was a ransomware attack on an RM server in Beaverton, Oregon. This was a brand new system, not even accepted yet. It happened again on June 1. No one knows how they did it, I guess. They wiped the server immediately instead of paying. This was IMO dumb because they lost any archival info they had...

This was supposedly not connected to the outside world, and it's possible someone was infected and logged into the server through RDP etc.

I post this here to make sure people see this. Back up your servers and, if possible, close any unused ports etc.
 

RFI-EMI-GUY

Prolific Contributor
CS Forums $upporter
Joined
Mar 8, 2014
Messages
1,183
On Feb 17 there was a ransomware attack on an RM server in Beaverton, Oregon. This was a brand new system, not even accepted yet. It happened again on June 1. No one knows how they did it, I guess. They wiped the server immediately instead of paying. This was IMO dumb because they lost any archival info they had...

This was supposedly not connected to the outside world, and it's possible someone was infected and logged into the server through RDP etc.

I post this here to make sure people see this. Back up your servers and, if possible, close any unused ports etc.
And so it begins!

I remember when Smartnet systems were the rage and we worried about someone, a disgruntled tech or 2600 hacker freaks, dialing the system management modem (2400 baud) and guessing the fixed default password. The accepted practice was to unplug the modem unless "Sham"burg needed to access it (virtually never, unless they sent a firmware upgrade and crashed the system). Then all the P25 systems became dependent upon the internet, and firewalls and virus protection became a source of more revenue for Motorola.
 

brett

Contributing Member
CS Forums $upporter
Joined
Oct 8, 2016
Messages
56
Just heard about this a few days ago from CISA during a meeting.

Indeed keep your ports closed to the outside.
Proper segmentation.

Ransomware propagating through a network and taking out an LMR system would be quite the story.
Luckily, in their event, it sounds like it did not make it too far and communications were not impacted.
 

com501

Prolific Contributor
CS Forums $upporter
Joined
Jan 18, 2013
Messages
2,908
And so it begins!

I remember when Smartnet systems were the rage and we worried about someone, a disgruntled tech or 2600 hacker freaks, dialing the system management modem (2400 baud) and guessing the fixed default password. The accepted practice was to unplug the modem unless "Sham"burg needed to access it (virtually never, unless they sent a firmware upgrade and crashed the system). Then all the P25 systems became dependent upon the internet, and firewalls and virus protection became a source of more revenue for Motorola.
Nothing like finding a modem and typing $MASTER$ to see if you can log in....
 

Notarola

Prolific Contributor
CS Forums $upporter
Joined
Feb 4, 2012
Messages
2,280
I heard about the meat packers attack.

So many systems are vulnerable because of the arrogance of the admins. "Our system is fine, it's PWed. Who would want to hack it anyway?"

Ransomware and DoS attacks are common today. The truly smart admins have a rotating PW in place as well as a vetted list of people who are allowed access, plus ALL databases are backed up on a standalone drive/server, as well as common sense access control like limited login attempts, IP logging or validation, tiered access levels, time of day checks or windows. The list goes on. You will note that most if not all of these precautions are in place to access these forums. WHY... Because the admins here are not dummies; they take their responsibilities seriously and are proactive to protect us, the site and the database.

What really annoys me is paying the ransom. If the above precautions were in place, the potential victim could simply say FU, fix the access problem and reload from the backup system.

You guys reading this, ask yourself: are your CPS, codeplugs and related files backed up? Are they encrypted against theft? What about the computer you're reading this on? If it's not, wake up and get it done.

A location near me has been attacked and has paid ransom 3 times to three different groups. The ransom was in bitcoin. Rumor has it in the last attack the system PW was the city name and the user was the mayor's name spelled backwards. ANNND.... there was no limit to the attempts to access the system (1AM-5:30AM) or IP tracing. STUPID STUPID STUPID. Incompetence at this level should be criminal.
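The controls listed in the post above (limited login attempts, IP validation, a time-of-day window, tiered access levels, and a log of every decision) fit together in a few dozen lines. The following is an added example written for this thread, not code from any poster, vendor or RM product; the management subnet, user names, passwords, the 06:00 to 22:00 window and the three-strike lockout are constructed for the demo.

```python
"""Added example, not from the thread: a small login gate that implements the
controls Notarola lists (limited login attempts, IP validation, a time-of-day
window, tiered access levels and a log of every decision). User names,
passwords, addresses and times are constructed for the demo."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

MAX_FAILED_ATTEMPTS = 3                          # lock the account on the third failure
ALLOWED_NETS = [ip_network("10.20.0.0/24")]      # constructed management subnet
LOGIN_WINDOW = (time(6, 0), time(22, 0))         # no logins between 22:00 and 06:00
PBKDF2_ROUNDS = 100_000
TIERS = {"viewer": {"read"}, "admin": {"read", "write", "restore-backup"}}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user: str
    salt: bytes
    pw_hash: bytes
    tier: str
    failures: int = 0
    locked: bool = False


@dataclass
class AccessGate:
    accounts: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def add_user(self, user: str, password: str, tier: str) -> None:
        # A fixed per-user salt keeps the demo deterministic; use os.urandom in real code.
        salt = hashlib.sha256(user.encode()).digest()[:16]
        self.accounts[user] = Account(user, salt, _hash(password, salt), tier)

    def login(self, user: str, password: str, src_ip: str, now: datetime):
        """Return (allowed, reason) and append the decision to the log."""
        reason = self._check(user, password, src_ip, now)
        self.log.append((now.isoformat(timespec="minutes"), src_ip, user, reason))
        return reason == "ok", reason

    def _check(self, user, password, src_ip, now) -> str:
        # IP validation: only the vetted management subnet may even try.
        if not any(ip_address(src_ip) in net for net in ALLOWED_NETS):
            return "ip-not-allowed"
        # Time-of-day window: nobody should be logging in at 2 AM.
        if not LOGIN_WINDOW[0] <= now.time() <= LOGIN_WINDOW[1]:
            return "outside-window"
        acct = self.accounts.get(user)
        if acct is None:
            return "bad-credentials"          # same answer as a wrong password, no user enumeration
        if acct.locked:
            return "locked"
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures += 1
            if acct.failures >= MAX_FAILED_ATTEMPTS:
                acct.locked = True            # stays locked until an admin clears it
                return "locked"
            return "bad-credentials"
        acct.failures = 0
        return "ok"

    def authorize(self, user: str, action: str) -> bool:
        """Tiered access: an authenticated viewer still cannot restore backups."""
        acct = self.accounts.get(user)
        return acct is not None and not acct.locked and action in TIERS.get(acct.tier, set())


def run_demo() -> list:
    """Constructed sequence of attempts; returns the gate's decision log."""
    gate = AccessGate()
    gate.add_user("admin", "correct horse", "admin")
    gate.add_user("dispatch", "battery staple", "viewer")
    day = datetime(2021, 6, 1, 9, 0)
    for pw in ("notarola", "beaverton", "password1"):   # three wrong guesses, locked on the third
        gate.login("admin", pw, "10.20.0.5", day)
    gate.login("admin", "correct horse", "10.20.0.5", day)            # right password, still locked
    gate.login("dispatch", "battery staple", "10.20.0.7", day)        # normal login
    gate.login("dispatch", "battery staple", "203.0.113.9", day)      # outside the allowed subnet
    gate.login("dispatch", "battery staple", "10.20.0.7", datetime(2021, 6, 1, 2, 30))  # 2:30 AM
    return gate.log


if __name__ == "__main__":
    for entry in run_demo():
        print(*entry)
```

The ordering matters: the IP and time checks run before any password work, so a guess from the wrong subnet or at 2:30 AM never touches the account and never counts toward a lockout, and an unknown user gets the same answer as a wrong password.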
 

Keith

Contributing Member
Joined
Oct 19, 2020
Messages
42
Yeah, I can't tell you the last time I saw a truly "closed" system. I actually remember, I just can't say.
In truth, I have been in the same building as a truly closed system. To the point that all network cables were in conduit, the joints in the conduit were sealed with security tape seals, and any conduit that was in a closed area that was still reasonably accessible had CCTV cameras on the conduit. Now, mind you, this system was NOT a single site system that only existed in one room; it reached every corner of the US and it was ALL this secure. The server racks were actually safes that had dual combination locks. I had never seen a safe with vents before, and it had blowers in it. I wasn't told much... just that it was a VERY secure system.
The problem with RM and other servers that have a client/server based system on them... especially RM, is that you can't reasonably lock them down. The USB ports on the computers need to be enabled if they are running the programming client. So anyone with a thumb drive can dump something, either on purpose or by accident, on the local PC that is networked to the server. Once on the local PC, unless the integrator is above average in their IT security skills and willing to take the time to secure the server, everything just gets left open. I see so few network guys that will turn off the simple shit like the C$ share on a server or PC, let alone locking all ports down and ONLY allowing the specific ports needed to have a system work and nothing else. Most will use the server to share out the client software so it's easy to access. So the drive access is opened up, at minimum, to any user with a standard login. And remember that worms and other malware on a local PC will hang out on said PC waiting for an opening. So if Joe User with his infected thumb drive shows his buddy the boobie pics he has and that infects the local machine, once Adam the Admin logs into that computer and the drive access for the server opens its doors, the crap gets filtered up the line and the real fun begins.

Now part of the problem here is labor cost. When the radio vendor wants 4 hours of labor to secure the system to avoid all this, the customer gets it in their head that it's just radios, it's not worth the hassle. Second, these are RADIO techs, NOT seasoned and trained IT security professionals that understand the methods and configurations needed to secure a network, or at least the server they are installing. And calling RM server a "server" is a bit of a stretch. Most implementations of RM are done on a Windows 10 box and not a server operating system, again to save money. Since it's running on some desktop and not server hardware for the most part, it's not going to be on a VM. One of the things with VMs is the ability to secure them individually. So take the scenario above with the sharing of the client software. If you have VM container A running RM and VM container B doing the file sharing, you can secure at the port level, either through the OS or a separate VM container running a firewall application that can control access to the RM and ONLY allow the needed traffic to flow and NO 138/139 SMB traffic to get to the server. In fact it can be configured so that the server will not appear on the network. You close all ports. NO ping reply, no nothing. You have the ports needed for the job processor client and NOTHING else. But again... all this takes time and money to properly implement, and the other part is that unless it's done with consideration to both best achievable security and usability for the end user, the system will be so difficult to work with that the customer will be unhappy with needing to jump through a lot of unneeded hoops to use the system.

Now if you want to play around with making a server REAL secure, understand there are levels to that.
First is simple... physical security. Put it in a locked room, in a locked cabinet, in a locked building. Have the standard physical security stuff on that building.
Cameras, alarm system. Fence, guards. Go watch the YouTube video of the security of a Facebook data center. But you need to control physical access to the box.
As mentioned before... I have been in a room that had a server rack that was built into a large safe, and the cables coming in and out were all in conduit. It's actually impressive.

Second is network access security... and this is where you can play at home. Build up a box with enough memory and drive space that will run ESXi or some form of VMware.
The first container should be a firewall appliance that is specifically written to protect other VM containers on the box. It will basically sit between the network and the containers running the various servers. This type of firewall is no different than the firewall that sits between the Internet and your home network, and typically is going to be a much better firewall, as most off the shelf Internet gateway firewalls are not stateful packet inspection. What that means is that if you send data from a node on a network (PC) to another node on a network, with that protocol there is an expected response. Like when you send a ping request, there will be data come back. But you can also send ping replies to a node (part of a DDoS attack) without the request being sent by that node first. Stateful Inspection will know that no ping request was sent from that node and will drop the reply packets to that node because it's in the wrong state. Good firewalls will do this. Low tier stuff, not so much. But the firewall with a default config will allow NO traffic to flow in ANY direction to or from the VM containers behind it. So if you are wanting to run an FTP server, you can open the port specifically for FTP (20 and 21) and attempt to FTP to the box (remember to have an FTP server running on that server); it will allow you to connect, but if you ping it, attempt to map drives to it, SSH to it, or anything besides FTP, the firewall will just drop the packets and the server will never even see the traffic. Knowing how all this works can come in handy if you are working on a network and having issues connecting. As you progress with your firewall configuration skills, you will find that you can limit access by IP subnet or even to a single IP address. Another thing that is possible is implementing RADIUS logins for the network. This will create a prompt for a username and password before you even get to access the server, creating another layer of security.

The third thing with network security is monitoring. Monitoring or intrusion detection is where you create logs and alarms with the firewall and other software applications that look at the traffic, access requests and the sources of those requests. Situations like having someone from the outside world attempting to SSH into your servers that face out to the Internet that are not the normal users. For the home player, you would use the IPs for your phone, tablet and possibly the outgoing address for your place of business if you are trying to access it from there. QUICK NOTE.... for anyone that works for a company that has sensitive data like a bank: ALL your activities are LOGGED by your employer. Attempting to SSH from inside your company to your home network is a HUGE no-no. You may well be fired for doing it, so DON'T ever attempt it. If you are unsure, ask before playing with this sort of stuff from your office. For those of you that have your OWN business, it's your network, but if you work for others, creating secure tunnels out to your home can get you sent packing. YOU have been warned. That being said, you can configure your intrusion detection to ignore certain IP addresses and/or subnets but alert on all others, or specific others. All my Internet facing firewalls are configured to drop all traffic from Russia and China. You can look up the specific subnets for each country on the internet and put them in the intrusion detection and firewall configurations to do this. It saves a lot of CPU cycles on the border firewalls (Internet facing) by seeing the traffic and just dropping it. The intrusion detection system has them in case something passes through, but that is very seldom, and is typically because the firewall doesn't have the latest blocking subnet list in it and the intrusion detection does. Higher end firewalls will also have intrusion detection built in and will dump the logs to a server if you configure them to do so... for a home network, it's really pointless as no one is gonna care that some hacker in China was trying to access your Quake server. It's just not something the FBI computer crimes division is gonna get involved in.

But play with this stuff. go do some research on hacking, how to mitigate it and then try it at home. Try to force access to your server and then try securing it and have another go at attempting to break into it. The key thing is see if you can get it to work right to the PC's that SHOULD have access and denied all others.

But having expectations that the run of the mill radio tech is gonna lock down an RM server, well I guess you can dream
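The firewall and monitoring behaviour described in the post above (a default-deny filter in front of a VM that opens only the FTP ports, a stateful check that drops ping replies nobody asked for, and an alert on SSH attempts from unexpected sources) can be modelled in a few dozen lines so the mechanics are visible. This is an added example written for this thread, not Keith's code, a VMware feature or any vendor's product; the VM address 10.20.0.50, the 10.20.0.0/24 management subnet and the packet sequence are constructed for the demo, and nothing here touches a real network.

```python
"""Added example, not Keith's code or any vendor's product: a toy model of the
firewall and monitoring behaviour described above. One default-deny filter sits
in front of a VM and opens only the ports the job needs, a state table drops
ICMP echo replies that no inside host requested, and a monitor raises an alert
on SSH attempts from sources outside the expected management set. Packets are
plain objects constructed for the demo; nothing touches a real network."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Set


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[str] = None   # "echo-request" or "echo-reply"
    direction: str = "in"             # "in" toward the protected VM, "out" from it


@dataclass
class Firewall:
    allowed_tcp_ports: Set[int]       # e.g. {20, 21} when the VM only serves FTP
    allowed_clients: list             # subnets permitted to use those ports
    trusted_mgmt_nets: list           # sources the monitor expects SSH from
    pending_echo: set = field(default_factory=set)   # state: hosts we pinged and await a reply from
    log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def _in_any(self, ip: str, nets) -> bool:
        return any(ip_address(ip) in net for net in nets)

    def filter(self, pkt: Packet) -> str:
        """Return "accept" or "drop" for one packet and record the decision."""
        verdict = self._decide(pkt)
        self.log.append((pkt.direction, pkt.src, pkt.dst, pkt.proto,
                         pkt.dport if pkt.dport is not None else pkt.icmp_type, verdict))
        return verdict

    def _decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Outbound traffic from the VM is allowed; remember outgoing pings so the
            # matching replies can come back.
            if pkt.proto == "icmp" and pkt.icmp_type == "echo-request":
                self.pending_echo.add(pkt.dst)
            return "accept"
        if pkt.proto == "icmp":
            # Stateful check: only a reply to a ping we sent is in the right state.
            if pkt.icmp_type == "echo-reply" and pkt.src in self.pending_echo:
                self.pending_echo.discard(pkt.src)
                return "accept"
            return "drop"                 # unsolicited request or reply: no answer, VM stays invisible
        if pkt.proto == "tcp" and pkt.dport == 22 and not self._in_any(pkt.src, self.trusted_mgmt_nets):
            # Monitoring: the packet is dropped below anyway, but someone should know.
            self.alerts.append(f"ssh attempt from unexpected source {pkt.src}")
        if (pkt.proto == "tcp" and pkt.dport in self.allowed_tcp_ports
                and self._in_any(pkt.src, self.allowed_clients)):
            return "accept"
        return "drop"                     # default deny: SMB, RDP, ping, everything else


def run_demo() -> "Firewall":
    """Constructed traffic against an FTP-only VM at 10.20.0.50; returns the firewall."""
    lan = ip_network("10.20.0.0/24")
    fw = Firewall(allowed_tcp_ports={20, 21}, allowed_clients=[lan], trusted_mgmt_nets=[lan])
    vm = "10.20.0.50"
    fw.filter(Packet("10.20.0.7", vm, "tcp", dport=21))                     # FTP from the LAN: accept
    fw.filter(Packet("10.20.0.7", vm, "tcp", dport=445))                    # SMB: drop
    fw.filter(Packet("10.20.0.7", vm, "icmp", icmp_type="echo-request"))    # inbound ping: drop
    fw.filter(Packet(vm, "10.20.0.1", "icmp", icmp_type="echo-request", direction="out"))
    fw.filter(Packet("10.20.0.1", vm, "icmp", icmp_type="echo-reply"))      # reply we asked for: accept
    fw.filter(Packet("10.20.0.1", vm, "icmp", icmp_type="echo-reply"))      # same again, unsolicited: drop
    fw.filter(Packet("203.0.113.9", vm, "tcp", dport=22))                   # SSH from outside: drop + alert
    fw.filter(Packet("203.0.113.9", vm, "tcp", dport=21))                   # FTP from wrong subnet: drop
    return fw


if __name__ == "__main__":
    fw = run_demo()
    for entry in fw.log:
        print(*entry)
    for alert in fw.alerts:
        print("ALERT:", alert)
```

The two echo-reply packets show the stateful part: the first matches the request the VM sent and is accepted, the second arrives with nothing outstanding and is dropped. The SSH attempt is dropped by the default-deny rule like everything else, but the monitor still records it, which is the difference between a firewall and a firewall you can actually learn something from.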
 

sloosecannon

Contributing Member
CS Forums $upporter
Joined
May 18, 2019
Messages
79
On Feb 17 there was a ransomware attack on an RM server in Beaverton, Oregon. This was a brand new system, not even accepted yet. It happened again on June 1. No one knows how they did it, I guess. They wiped the server immediately instead of paying. This was IMO dumb because they lost any archival info they had...

This was supposedly not connected to the outside world, and it's possible someone was infected and logged into the server through RDP etc.

I post this here to make sure people see this. Back up your servers and, if possible, close any unused ports etc.
If it's not connected to the outside world, how would someone RDP to it?

(Not calling you out of course, I've heard that kind of thing far too often... "The server is disconnected from the internet.... Except for that RDP connection, the VPN connection, the software updates, the active directory domain, the backup VPN link, the...")
 

SwissMoto

Prolific Contributor
CS Forums $upporter
Joined
Jun 8, 2012
Messages
151
Also good practice is to completely close your firewall for inbound connection attempts from the internet.
Of course you will need to create firewall exception rules to enable system management access for your authorized IP address pool.
 

max2770

Contributing Member
Joined
Feb 4, 2020
Messages
63
Zero-trust 2FA, ideally physical token access for stuff you need exposed to WAN (and I mean public facing stuff, never management).

VPN for everything else, ideally authenticated by login + certificates, so trusted computers only.

My current infrastructure uses containers, whatever is public facing is behind a layer of authentication (Windows AD login + Yubikey), and only authorized laptops have VPN certs and again need to use their AD credentials with it to access the backend full network.

This could never work on a properly built infrastructure.
 
EM36 (OP)

BDA Wizard
CS Forums $upporter
Joined
Mar 27, 2019
Messages
572
If it's not connected to the outside world, how would someone RDP to it?

(Not calling you out of course, I've heard that kind of thing far too often... "The server is disconnected from the internet.... Except for that RDP connection, the VPN connection, the software updates, the active directory domain, the backup VPN link, the...")
This is something I'm not able to talk about in a public forum.
 

RFI-EMI-GUY

Prolific Contributor
CS Forums $upporter
Joined
Mar 8, 2014
Messages
1,183
This is interesting:


But if you want to install malware in an air-gapped computer system, there is always the time tested lost USB stick found in the parking lot trick. That malware can be ransomware as well. No need for the target to be on the internet to do the nasty.
 

SPECIAL_EYE

Prolific Contributor
CS Forums $upporter
Joined
Jun 25, 2012
Messages
295
For those of you at home (or small business), you really should look into running OpenWrt or DD-WRT firmware on your router(s). DD-WRT is commonly used on Broadcom chipsets and OpenWrt on Atheros chipsets.

These are firmware updates to the routers that turn a consumer grade router into a commercial grade router (or better). All the logging mentioned above is available to even a WRT54G or a DIR-615. If you run new hardware it gets even better.

The next time you go out to purchase a router, look at the compatibility table for OpenWrt or DD-WRT;



Consumer router manufacturers are like anything else: money is spent on hardware, then the firmware, usually just enough firmware to get it out the door. If you have a commercial (hardware) router, these firmwares improve those as well. Seriously look at this if you run stock firmware on your router.

EYE
 

Sean

Contributing Member
Joined
Feb 4, 2014
Messages
41
It was also brought up at the MTUG Quality meeting last week. Lots of questions from system owners. Not a lot of answers from MSI. The agency in question has offered to brief MTUG at their national meeting in August. Should be interesting.
 

RFI-EMI-GUY

Prolific Contributor
CS Forums $upporter
Joined
Mar 8, 2014
Messages
1,183
I am not surprised that MSI has clammed up.

This ransomware situation is only going to get worse due to the US-Russia political climate. It is only a matter of time before mission critical systems get targeted.

When Motorola announced their "Mission Critical Ecosystem", one should have been wary that all sorts of nasty critters might be lurking within it. This concept of "CONNECTIVITY WITH NO LIMITS" is a dangerous one. Motorola wants complete control of your system from birth to death under a planned obsolescence formula. There needs to be an air gapped alternative for those who wish to buy/own/break/fix/protect their own system on their own terms. Unfortunately it will likely cost more because that is the way /\/\ rolls.
 

phonebuff

Prolific Contributor
CS Forums $upporter
Joined
Nov 10, 2013
Messages
725
For those of you at home (or small business), you really should look into running OpenWrt or DD-WRT firmware on your router(s). DD-WRT is commonly used on Broadcom chipsets and OpenWrt on Atheros chipsets.

EYE

Or pfSense, OPNsense, Untangle and a long list of other open source products, including, in the DD-WRT router world, Tomato.
 

lubindent

Contributing Member
Joined
Sep 30, 2014
Messages
27
Now if you want to play around with making a server REAL secure, understand there are levels to that.
First is simple... physical security. Put it in a locked room, in a locked cabinet, in a locked building. Have the standard physical security stuff on that building.
Cameras, alarm system. Fence, guards. Go watch the YouTube video of the security of a Facebook data center. But you need to control physical access to the box.
As mentioned before... I have been in a room that had a server rack that was built into a large safe, and the cables coming in and out were all in conduit. It's actually impressive.

Second is network access security... and this is where you can play at home. Build up a box with enough memory and drive space that will run ESXi or some form of VMware.
The first container should be a firewall appliance that is specifically written to protect other VM containers on the box. It will basically sit between the network and the containers running the various servers. This type of firewall is no different than the firewall that sits between the Internet and your home network, and typically is going to be a much better firewall, as most off the shelf Internet gateway firewalls are not stateful packet inspection. What that means is that if you send data from a node on a network (PC) to another node on a network, with that protocol there is an expected response. Like when you send a ping request, there will be data come back. But you can also send ping replies to a node (part of a DDoS attack) without the request being sent by that node first. Stateful Inspection will know that no ping request was sent from that node and will drop the reply packets to that node because it's in the wrong state. Good firewalls will do this. Low tier stuff, not so much. But the firewall with a default config will allow NO traffic to flow in ANY direction to or from the VM containers behind it. So if you are wanting to run an FTP server, you can open the port specifically for FTP (20 and 21) and attempt to FTP to the box (remember to have an FTP server running on that server); it will allow you to connect, but if you ping it, attempt to map drives to it, SSH to it, or anything besides FTP, the firewall will just drop the packets and the server will never even see the traffic. Knowing how all this works can come in handy if you are working on a network and having issues connecting. As you progress with your firewall configuration skills, you will find that you can limit access by IP subnet or even to a single IP address. Another thing that is possible is implementing RADIUS logins for the network. This will create a prompt for a username and password before you even get to access the server, creating another layer of security.

The third thing with network security is monitoring. Monitoring or intrusion detection is where you create logs and alarms with the firewall and other software applications that look at the traffic, access requests and the sources of those requests. Situations like having someone from the outside world attempting to SSH into your servers that face out to the Internet that are not the normal users. For the home player, you would use the IPs for your phone, tablet and possibly the outgoing address for your place of business if you are trying to access it from there. QUICK NOTE.... for anyone that works for a company that has sensitive data like a bank: ALL your activities are LOGGED by your employer. Attempting to SSH from inside your company to your home network is a HUGE no-no. You may well be fired for doing it, so DON'T ever attempt it. If you are unsure, ask before playing with this sort of stuff from your office. For those of you that have your OWN business, it's your network, but if you work for others, creating secure tunnels out to your home can get you sent packing. YOU have been warned. That being said, you can configure your intrusion detection to ignore certain IP addresses and/or subnets but alert on all others, or specific others. All my Internet facing firewalls are configured to drop all traffic from Russia and China. You can look up the specific subnets for each country on the internet and put them in the intrusion detection and firewall configurations to do this. It saves a lot of CPU cycles on the border firewalls (Internet facing) by seeing the traffic and just dropping it. The intrusion detection system has them in case something passes through, but that is very seldom, and is typically because the firewall doesn't have the latest blocking subnet list in it and the intrusion detection does. Higher end firewalls will also have intrusion detection built in and will dump the logs to a server if you configure them to do so... for a home network, it's really pointless as no one is gonna care that some hacker in China was trying to access your Quake server. It's just not something the FBI computer crimes division is gonna get involved in.

Ahhh... someone who speaks my language.
 

MTS2000DES

Prolific Contributor
CS Forums $upporter
Joined
Mar 14, 2012
Messages
454
Cloud based core for Astro 25... it's what they're pushing. I fought the same battle when I implemented our current CAD in 2018. I replaced a 20 year old legacy system on a closed, isolated physical network (InterACT, for those who care). Aside from the fact that it was too small a scale system for an agency of our size, we had ZERO security threats or issues because it was isolated from the CEN, on its own physical network, and the vendor (maintained by AT&T, formerly BellSouth) did a decent job of keeping it updated, security patch-wise.
I always slept easier at night knowing someone would physically have to breach security to get into our data room or dispatch center to plug in a CAT-5 to do anything stupid. Cloud based shit is an open invitation to some Russian shitwad to come in and take over.

NOT interested.