Your specialist subject? The bleedin' obvious... Feds warn of RDP woe

We'd assume sysadmins knew this, if SamSam wasn't still rampaging through networks

The FBI and the US Department of Homeland Security have added their voices to warnings of insecure deployments of Remote Desktop Protocol (RDP) services.

RDP servers can be left misconfigured, or poorly secured, allowing scumbags to waltz into networks and cause further damage. Compromised logins are so abundant they fetch a mere $10 a pop on dark web souks, all-too-many people hand over their logins to scammers, and vulnerable systems wind up with ransomware scrambling their files, as Hancock Health in Indiana discovered earlier this year.

Of the RDP-spread ransomware infections the FBI's advisory highlighted on Thursday, probably the one striking the most fear into sysadmin hearts was SamSam, a campaign that started in 2015 and has since then earned its operators an estimated US$5.9m in illicit gains.

SamSam rose to prominence following a Talos warning in 2016 and has plagued hospitals, schools, and US city administrations.

The FBI/DHS public service announcement reiterates what sysadmins (and home users) should already know but all too often fail to act on. Whether business or home, the statement said, you should “review and understand what remote accesses their networks allow and take steps to reduce the likelihood of compromise, which may include disabling RDP if it is not needed.”

The most common vulnerabilities, the agencies said, are weak passwords enabling brute-force or dictionary attacks; old versions using CredSSP encryption and therefore allowing man-in-the-middle attacks; unrestricted access to TCP port 3389 from anywhere in the world; and allowing unlimited login attempts to RDP accounts.

The agencies' advice is mundane, but worth reiterating: audit your use of RDP and disable it if you can (especially on critical devices), install all available patches, use strong and secret login credentials, and block TCP port 3389 from cloud VM instances and any IP address ranges you never use.

So, essentially, firewall RDP, use a VPN for access, enforce strong passwords and lockout policies, use multi-factor authentication, keep RDP access logs for 90 days and actually look at them for intrusion attempts, and make sure any contractors with RDP access stick to your policies. ®
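Two of the points above, the "unlimited login attempts" weakness and the advice to keep RDP logs and actually read them for intrusion attempts, can be turned into a concrete check. What follows is an added example, not code from the FBI/DHS advisory or from The Register. It assumes the Windows Security log has been exported as CSV with the column names used in the code and uses constructed sample records; Event IDs 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive) are the real Windows signals for RDP logons, while the export layout, the thresholds and the sample addresses are this example's own assumptions.

```python
"""Flag RDP brute-force and password-spray activity in exported Security log records.

Assumed export format (not from the article): CSV with the columns TimeCreated,
EventID, LogonType, TargetUserName, IpAddress. Event ID 4625 is a failed logon,
4624 a successful one, and LogonType 10 (RemoteInteractive) is the type RDP uses.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import csv
import io

RDP_LOGON_TYPE = "10"
FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"

# Constructed sample export (documentation/test addresses, not real sources):
#  - 203.0.113.7 hammers the Administrator account and then gets in,
#  - 198.51.100.9 sprays one guess each at many different accounts,
#  - 192.0.2.5 is a normal user who mistypes a password once,
#  - 10.0.0.4 is a non-RDP (LogonType 3) failure that must be ignored.
SAMPLE_EXPORT = """TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2018-09-27T10:00:01,4625,10,Administrator,203.0.113.7
2018-09-27T10:00:03,4625,10,Administrator,203.0.113.7
2018-09-27T10:00:05,4625,10,Administrator,203.0.113.7
2018-09-27T10:00:07,4625,10,Administrator,203.0.113.7
2018-09-27T10:00:09,4625,10,Administrator,203.0.113.7
2018-09-27T10:00:11,4625,10,Administrator,203.0.113.7
2018-09-27T10:00:13,4625,10,Administrator,203.0.113.7
2018-09-27T10:00:15,4625,10,Administrator,203.0.113.7
2018-09-27T10:00:30,4624,10,Administrator,203.0.113.7
2018-09-27T10:05:00,4625,10,alice,198.51.100.9
2018-09-27T10:05:50,4625,10,bob,198.51.100.9
2018-09-27T10:06:40,4625,10,carol,198.51.100.9
2018-09-27T10:07:30,4625,10,dave,198.51.100.9
2018-09-27T10:08:20,4625,10,erin,198.51.100.9
2018-09-27T10:09:10,4625,10,frank,198.51.100.9
2018-09-27T10:10:00,4625,10,jsmith,192.0.2.5
2018-09-27T10:10:12,4624,10,jsmith,192.0.2.5
2018-09-27T10:11:00,4625,3,svc_backup,10.0.0.4
"""


def parse_export(text):
    """Parse the CSV export into dicts with TimeCreated as a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["TimeCreated"] = datetime.fromisoformat(row["TimeCreated"])
        rows.append(row)
    return rows


def rdp_events(records):
    """Keep only RemoteInteractive (RDP) logon events."""
    return [r for r in records if r["LogonType"] == RDP_LOGON_TYPE]


def burst_sources(records, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: max failures in any `window`} for sources reaching `threshold`.

    Sliding window over each source's failure timestamps: the same test an
    account-lockout policy applies, but keyed on source address, which also
    catches attackers who rotate accounts to stay under the per-account limit.
    """
    fails = defaultdict(list)
    for r in rdp_events(records):
        if r["EventID"] == FAILED_LOGON:
            fails[r["IpAddress"]].append(r["TimeCreated"])
    result = {}
    for ip, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            result[ip] = best
    return result


def spray_sources(records, min_users=5):
    """Sources that fail against many distinct accounts (password spraying)."""
    users = defaultdict(set)
    for r in rdp_events(records):
        if r["EventID"] == FAILED_LOGON:
            users[r["IpAddress"]].add(r["TargetUserName"].lower())
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_users}


def success_after_burst(records, threshold=5, window=timedelta(seconds=60)):
    """Highest priority finding: a successful RDP logon from a bursting source."""
    bursting = burst_sources(records, threshold, window)
    return [(r["IpAddress"], r["TargetUserName"], r["TimeCreated"])
            for r in rdp_events(records)
            if r["EventID"] == SUCCESS_LOGON and r["IpAddress"] in bursting]


def report(text):
    """Run all three checks over an export and return the findings."""
    records = parse_export(text)
    return {
        "burst": burst_sources(records),
        "spray": spray_sources(records),
        "success_after_burst": success_after_burst(records),
    }


if __name__ == "__main__":
    for kind, findings in report(SAMPLE_EXPORT).items():
        print(kind, findings)
```

On the sample data the burst check flags 203.0.113.7 (eight failures inside a minute), the spray check flags 198.51.100.9 (six accounts, each tried once, slowly enough to never trip a per-account lockout), and the combined check reports the successful Administrator logon from 203.0.113.7 as the finding that needs a human immediately; the single mistyped password from 192.0.2.5 and the non-RDP failure are ignored. A real deployment would feed the script from a scheduled export of the Security log of every host listening on 3389 and keep those exports for the 90 days the article recommends.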

Biting the hand that feeds IT © 1998–2022