Security Alert = PuTTY Process + Plain Text Password
#1
We’ve been very satisfied users of Remote Desktop for several years (thank you for producing it!) and that’s one of the reasons why I was very surprised to receive a high priority alert from our Security Department. We are a financial institution subject to several regulations and have a very hardened environment. Our workstations are Windows 10 Version 1809 and we use CrowdStrike Falcon Version 5.24.

A sample of one of the multiple alerts received was basically as follows:
Description: This file meets the Behavioral Analysis ML algorithm's medium-confidence threshold for malware. It might be malicious and/or part of an adversary's toolkit. Review the file.
Host name: {MyWorkstationName}
File name: putty.exe
File path: \Device\HarddiskVolume4\Program Files (x86)\ASG-Remote Desktop 2020\putty.exe
Command line: "C:\Program Files (x86)\ASG-Remote Desktop 2020\putty.exe"  -load "" -ssh -l "DOMAIN\MyAdminUserName" -P 22 -pw "<redacted>" "ServerName"
SHA 256: {Data}
MD5 Hash data: {Data}
Full detection details: https://falcon.crowdstrike.com/activity/...tail/{Data}
Platform: Windows
IP address: {ExternalIPAdress}
User name: DOMAIN\MyUserName
Detected: {TimeStamp}
Last behavior: {TimeStamp}

Security Department message to me was:
The CrowdStrike alerts that are being generated show that your ADM password is on the command line of the putty command being executed. You may have saved this to a configuration file.  Please take steps to keep this password from being put on the command line, and then change your ADM password immediately.  If you need to automate your authentication, please consider using public key authentication.  Please reply when you’ve removed the password from the command line and changed your password.
Also, please work with the CrowdStrike Team to whitelist this command execution as soon as possible, as this is creating a lot of alerts.

Their comments were:
The password is in the command line. They should change to cert based auth.
3.7.3.8 -pw: specify a password
A simple way to automate a remote login is to supply your password on the command line. This is not recommended for reasons of security. If you possibly can, we recommend you set up public-key authentication instead. See chapter 8 for details.

It is confusing for us to understand why suddenly these alerts were generated as I’ve been using ASG-Remote Desktop in the same way for years every day. And this last Thursday, CrowdStrike started alerting about PuTTY being invoked by ASG whether it contains a password or not.

I guess CrowdStrike is detecting a two-fold suspicious activity event. Their Machine Learning algorithm seems to consider ASG invoking PuTTY a risk on itself with or without a password; and then the fact that it sends parameters in clear text including a password just makes the event appear to be a compromised password situation.

In my opinion, ASG is protecting the password and hopefully somehow encrypting it so that even though the command is sent via clear text, there is no exposure of the password itself. However, I know that our Security Department will definitely want to know more on how this encryption/decryption process over clear text works before allowing us to continue using ASG, and it is quite a valuable tool for my Team.

Is there a way for ASG to provide some information for them to be comfortable regarding these events? They also have a ticket open with CrowdStrike, so any information you could provide at your earliest convenience will be greatly appreciated.
#2
Hi,

PuTTY in ASGRD is a customized version - because we do not send the password in clear text :-) Of course it is sent via command line, and in standard PuTTY it would be clear text - but ASGRD encrypts the password before sending and decrypts it in the customized PuTTY!
Regards/Gruss
Oliver
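An added example (not from this thread, ASG, or CrowdStrike) of the check the Security Department is describing: a scan over constructed process-creation records that flags PuTTY-family processes started with `-pw <value>`, redacts the value before it is reported, and accepts an allowlist of image paths so that a vetted build such as the customized PuTTY Oliver describes, whose `-pw` argument carries an encrypted blob rather than the password, can be tuned out by path. The record layout, the sample command lines and the `allowed_images` parameter are assumptions. From the command line alone the check cannot tell an encrypted blob from a cleartext password, which is why the alert for the standard build and for ASGRD's build look the same.

```python
import re
from typing import Optional

# Windows command lines do not use POSIX quoting: an argument is either a
# double-quoted run (spaces and backslashes allowed) or a run of non-whitespace.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# PuTTY-family executables that accept the -pw option (PuTTY docs 3.7.3.8).
PUTTY_TOOLS = {"putty.exe", "plink.exe", "pscp.exe", "psftp.exe"}

# Options that consume the following argument, so that argument is never
# mistaken for a user@host positional.
VALUE_OPTS = {"-l", "-pw", "-P", "-load", "-i"}

# Constructed sample process-creation records (not real alert data).
SAMPLE_EVENTS = [
    {"host": "WS-01",
     "image": r"C:\Program Files (x86)\ASG-Remote Desktop 2020\putty.exe",
     "cmdline": r'"C:\Program Files (x86)\ASG-Remote Desktop 2020\putty.exe" -load "" -ssh -l "DOMAIN\adm.user" -P 22 -pw "S3cret!" "ServerName"'},
    {"host": "WS-02",
     "image": r"C:\Tools\putty.exe",
     "cmdline": r'"C:\Tools\putty.exe" -ssh -i "C:\keys\adm.ppk" adm.user@ServerName'},
    {"host": "WS-03",
     "image": r"C:\Tools\plink.exe",
     "cmdline": r'"C:\Tools\plink.exe" -batch -pw hunter2 adm.user@ServerName uptime'},
]


def tokenize(cmdline: str) -> list:
    """Split a Windows command line into arguments, stripping double quotes."""
    args = []
    for m in _TOKEN_RE.finditer(cmdline):
        args.append(m.group(1) if m.group(1) is not None else m.group(2))
    return args


def find_cleartext_password(image: str, cmdline: str) -> Optional[dict]:
    """Return a finding if a PuTTY-family process was started with -pw <value>."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in PUTTY_TOOLS:
        return None
    args = tokenize(cmdline)
    user, secret = None, None
    for i in range(1, len(args)):          # args[0] is the image path
        arg, prev = args[i], args[i - 1]
        if arg == "-l" and i + 1 < len(args):
            user = args[i + 1]
        elif arg == "-pw" and i + 1 < len(args):
            secret = args[i + 1]
        elif "@" in arg and not arg.startswith("-") and prev not in VALUE_OPTS:
            user = arg.split("@", 1)[0]     # user@host positional form
    if secret is None:
        return None
    # Redact the value before the finding lands in a ticket or a log.
    redacted = cmdline.replace(secret, "<redacted>") if secret else cmdline
    return {"tool": exe, "user": user, "secret_len": len(secret), "cmdline": redacted}


def scan(events, allowed_images=()) -> list:
    """Run the check over process-creation records.

    allowed_images: image paths of builds that have been vetted (e.g. one that
    is known to pass an encrypted blob in -pw) and should not raise findings.
    """
    allowed = {p.lower() for p in allowed_images}
    findings = []
    for ev in events:
        if ev["image"].lower() in allowed:
            continue
        finding = find_cleartext_password(ev["image"], ev["cmdline"])
        if finding:
            finding["host"] = ev.get("host", "?")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['tool']} started with -pw for user {f['user']} "
              f"({f['secret_len']} chars): {f['cmdline']}")
```

Running the block against the constructed records flags the `putty.exe` and `plink.exe` invocations and leaves the key-based one alone; passing the ASG install path in `allowed_images` is the equivalent of the per-path exclusion the Security Department asked to have set up with the CrowdStrike team, and it should only be done once the vendor's explanation of the encrypted argument has been reviewed.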