Recently, three healthcare organizations’ Microsoft Access databases were compromised by a hacker that leveraged a vulnerability in how they implemented their remote desktop protocol (RDP) functionality, reported Threatpost.
The hacker is holding some clinical sensitive identification and medical data for ransom, while hundreds of thousands of other records are up for sale on the dark web. After the hacker offered to tell companies how he accessed their information for a fee and was rebuffed, the hacker released the records in an underground marketplace.
Developed by Microsoft, the use of an RDP client allows a user to remotely connect with another computer running RDP server software over a network connection. This is a way for users to connect to work computers from home, as well as access their work computer’s programs, files and network resources to do work remotely. It’s also useful to enable tech support to access workstations.
RDP Brute-Force Attacks & RDP Credentials for Sale
Unfortunately, it can also be exploited by malicious hackers seeking to access sensitive data. Companies will often leave RDP client ports open to the Internet, and, knowing this, attackers will scan blocks of IP addresses for open RDP ports and attempt to brute-force the remote desktop login password.
After these attacks, hackers will sell credentials in a now-defunct xDedic marketplace that offered as many as 250,000 RDP server credentials for sale that gives a buyer access to all of the data on the server and the possibility to launch future attacks using the server, according to Kaspersky Lab. Features of the compromised servers were listed in the marketplace, including RDP configuration, memory, software, browsing history and more.
Their blog has a very detailed analysis of the global breakdown of servers, type of data on the servers, how the marketplace works, etc. According to their analysis, the type of software found on these servers are primarily point-of-sale (POS), gambling and financial software (accounting and tax reporting) and spam and attacking tools.
Protecting Against RDP Compromise Risk
As the security team at Berkeley writes:
While Remote Desktop is more secure than remote administration tools such as VNC that do not encrypt the entire session, any time Administrator access to a system is granted remotely there are risks.
You can do your best to mitigate the risks, though, and here are some ways how:
- Scan publicly listed IPs for any open RDP or SSH ports, and block them.
- Monitor and analyze logs to identify any unusual user behavior on your network.
- Deploy an endpoint solution that can give you actionable data about the devices authenticating into your environment - which can tell you where users are coming from, when, and with what IP address.
- Implement two-factor authentication on all account logins, including privileged and administrative, which can deter criminals from successful remote brute-force attacks.
- Don’t share or reuse passwords; this can stop the spread of compromise if one server is breached with stolen administrator/root account credentials.
- Create custom policies and controls that dictate which applications can be accessed remotely, and by whom.
- Limit the number of administrator RDP accounts, or remove them completely if not needed.
- Set an account lockout policy that locks accounts after a certain number of incorrect guesses, to prevent the success of brute-force attacks.
Learn more about how to protect remote access to your computer and RDP logins. Or, download our free guide, The Essential Guide to Securing Remote Access: Preventing Data Breaches With Strong Authentication.
- VPN (Virtual Private Network) and cloud security concerns
- How to meet compliance regulations and secure remote access
- How two-factor authentication can help mitigate risk and avoid an expensive data breach
Ideal for security, compliance and risk management officers, IT administrators and other professionals concerned with information security, this guide is for any organization that allows remote access to their environment.