Over the last six months, brute force attacks on Remote Desktop Protocols have become a common headline. This is one of the primary methods by which user access servers for Centricity Hosting or Allscripts Hosting. Consider the cases of LabCorp, the city of Atlanta, multiple health systems, Colorado Department of Transportation and others.
Most recently, in fact, Cass Regional Medical Center’s EHR went down for a week after a brute force attack on its RDP. The recent attack on LabCorp was reportedly caused by an RDP attack using the notorious SamSam ransomware.
While officials have yet to confirm the cause of the system outage, RDP attacks are a common method for the SamSam virus. And just this year, SamSam took down Allscripts for a week, again, officials did not confirm the hacker’s entry point.
While it seems RDP attacks are gaining traction, primarily more and more practices are moving to a Centricity Hosting or Allscripts Hosting model, the threat is far from new. Researchers have been warning organizations of this threat for a number of years. Hackers simply scan for open RDPs using an engine like Shodan.io. Combined with credentials, the flaw can be absolutely disastrous.
What’s worse is that a recent report from McAfee found that RDP backdoors are being sold on the dark web for just $10. That’s it. And according to John Fokker, McAfee’s head of cyber investigations and advanced threat research, thousands of new RDP access points are being put up for sale on a daily basis.
Those ports are predominately from computer systems, but Fokker found about 100 machines based on a Windows-embedded machine and others were from Point of Sale systems — commonly used in cafeterias. Hackers can leverage this port to move laterally across the network.
Organizations may not be aware of the flaw on their systems, and it’s often left open due to simple mistakes or misconfigurations, explained Fokker. “But it can have quite severe consequences.”
In fact, on dark web forums and marketplaces, the cybercriminals offer potential buyers the option to check the validity of the RDP sale items for just 30 cents. Fokker explained that in his research, the Shodan.io search results are “quite frightening” — and includes complete log-in screens.
While hackers can leverage this vulnerability to launch ransomware attacks, hackers can exploit RDP for a number of other reasons — including access to sensitive data, extortion, crytpomining, spam and account abuse.
In fact, hackers can use the access point and throw false flags to misdirect security researchers and investigators with false debugging flags and changing compiler environment traces. Which means that organizations are doing themselves a huge disservice by not shoring up this threat.
Take control of your RDP
Since RDP is a common function used to allow remote access into Centricity Hosting or Allscripts Hosting services, often by third-party vendors and the like. The function is commonly installed standard with Windows, and once a party logs in, that computer can be used or controlled remotely by a legitimate party — or a hacker.
It’s a powerful administrative tool, but Fokker explained that it can have severe consequences in the wrong hands. With just a $10 entry fee, hackers can leverage SamSam to ask victim organizations for $40,000 in ransom — “not a bad return on investment.”
So how can an organization remain in control?
First, organizations need to make sure those endpoints are secure, as well. Health 1 using a combination of geo-fencing and RDP bad login IP lockout tools to increase the level of security. Next, organizations need to check both who has access and whether it’s needed, as “less is more.”
Another known issue with RDP is passwords. Often, these are left as standard or easy to guess passwords, which is why hackers are able to so easily gain access. If you do have RDP enabled, make sure that people are using unique and difficult to guess (complex) passwords and ensure that these passwords are changed at regular intervals.
Below is a RDP checklist for organizations using Centricity Hosting or Allscripts Hosting to shore up this threat:
- Implement and properly configure your IDS (e.g., detection of RDP brute force attacks).
- Implement multi-factor authentication for RDP logins.
- Regularly audit and analyze logs.
- Properly configure your firewall. Keep your firewall rules up to date.
- Regularly audit user and admin accounts. Are there any new accounts you don’t recognize? Are there accounts with excessive privileges? Adhere to the principle of least privilege.
- As always, conduct a regular risk assessment and practice defense-in-depth.
Regular pen-testing is also a must, she explained, “not just evaluated for how ‘good’ the controls are, but to see whether an attacker could get into your system and how far they can get in (and how long they can go undetected).”
And organizations need year-round coverage, especially on systems that need to be fully-function on a daily basis. Attackers are smart. When you are least expecting it or when you may be understaffed (such as a holiday or weekend), the attackers may proceed with their reconnaissance and all else.