Alert: Ransomware Can Slither in If Your Passwords Are Weak

Ransomware and Weak Passwords

Email is a very effective way of distributing all sorts of malware, and there are a few very good reasons for this. First of all, everybody has an email account. Although we have other means of communication, we still use our inboxes, and we tend to receive quite a lot of important information in them. Hackers also love distributing their malware through emails because doing it requires little to no technical skills. Even if you don't know how to create a spam botnet, you can always "rent" one.

Last but not least, emails are a solid infection vector because we humans are curious creatures, and even though most of us are not willing to admit it, it's not that hard to trick us into opening a file, enabling macros on a Word document, or clicking a link. All in all, spamming users with unsolicited emails is arguably one of the easiest ways of infecting them with malware. It's not the only one, though.

What is RDP?

RDP stands for Remote Desktop Protocol, and hackers, especially ransomware operators, love to abuse it in order to deploy their malicious software. Crooks that go after businesses nurse a particularly strong fondness for it because it's often used in the corporate environment.

Introduced a while ago, RDP does exactly what it says on the box – it lets you control a computer or server remotely. The protocol was developed by Microsoft, and modern Windows systems come with a built-in client. The thing system administrators love the most about RDP, however, is that tools are available for other platforms as well. It can be extremely useful, especially when sysadmins need to take care of equipment that is spread around several different locations.

How do hackers abuse RDP?

As you can see, RDP is a fairly old piece of technology, and over the years, specialists have found a number of security flaws that could let an unauthorized user control a computer remotely. Of course, software vendors usually release patches for the security holes quickly, but the problem with patches is that releasing them isn't enough. They need to be applied if they are to do anything. And unfortunately, some sysadmins realize how true this statement is when it's too late.

Known RDP vulnerabilities can help malware operators deploy their payload inside the network of an organization. Often, however, taking advantage of security flaws could mean a lot of hard work, and hackers, as we all know, don't like hard work. That's why they often prefer to use an easier way of infiltrating a corporate network via RDP.

RDP, like many other protocols that allow remote administration, can be protected by a username and a password. Unfortunately, some organizations are unaware of this and are inadvertently exposing themselves to cybercriminals. If RDP isn't protected by a password, remotely logging into a computer is as easy as finding the right IP and hitting Enter.

Of course, many system administrators know that RDP can be placed behind a password, but unfortunately, some of them underestimate its importance and use something weak and easy-to-guess, making the crooks' lives quite a bit easier. RDP does provide an option for a lockout mechanism which wouldn't allow a large number of unsuccessful login attempts in quick succession, but unfortunately, it would appear that not that many sysadmins have enabled it. As a result, RDP login credentials can be the perfect target for a brute-force attack.

It's not just a theory, either. In July, LabCorp suffered a cyberattack. At first, people were concerned that patients' sensitive data had been put at risk, but it later turned out that it was a ransomware outbreak. The crooks managed to infect a whopping 7 thousand systems as well as 1,900 servers, and they did it after successfully brute-forcing the medical company's RDP login credentials.

Attacks on RDP are so frequent that in September, the FBI's Internet Crime Complaint Center (IC3) issued a warning to small and medium-sized businesses about the potential consequences of running a poorly protected RDP.

What can sysadmins do to avoid the threat?

If you're a system administrator, you should start appreciating the importance of RDP. If the organization you work for doesn't need the protocol, it's best to disable it. If it does, make sure it's not easily accessible.

Ensure that all software programs your team uses are updated and patched properly. Review the accounts that have RDP access and disable it for the ones that don't need it. Set strong, unique passwords on each and every one of them and do some research on additional tools that can provide you with useful security features like two-factor authentication. Enable Network Level Authentication (NLA) for additional protection of RDP sessions, and if possible, limit access to specific IPs. Change the default RDP port (3389) to ensure that automated scanners will have a harder time detecting your network. Last but by no means least, back up your important information. A fresh, working backup is the best solution not only in case of a ransomware infection, but for a host of other problems as well.

Securing the entire network of an organization is a long, complicated process, and properly configuring RDP is just one of the steps. Considering how many problems can be associated with this particular protocol, however, it may very well be one of the most important ones.

January 8, 2019