'Backoff' Malware: Time To Step Up Remote Access Security

DHS issues advisory about remote desktop access tools associated with recent point-of-sale breaches.

Another day, another security breach. Today, it’s a number of breaches that may or may not tie together, but all seem to have one thing in common: poor remote access security.

Most notably, the US Department of Homeland Security has issued an advisory regarding the "Backoff" point-of-sale malware, which has been associated with several PoS data breach investigations. The advisory states:

Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMEIn Join.Me offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request...

Similar attacks have been noted in previous PoS malware campaigns and some studies state that targeting the Remote Desktop Protocol with brute force attacks is on the rise.

Apart from this advisory, the Delaware Restaurant Association notified its 1,900 member restaurants about a possible breach of consumer payment card data, which the association says “appears to be linked to LogMeIn, a remote access and systems management provider that facilitates, among other things, file sharing and data backup.” And Krebs on Security is reporting that the Jimmy John’s sandwich chain is investigating breach claims.

While some of these remote desktop access connections exist for employees to access their work computers from home, others are set up so IT administrators, outsourcers, and vendors can remotely manage and support desktops and other systems. It is especially critical that these connections are secure, because they typically carry admin-level permissions that attackers can abuse.

But even if an end-user is simply using a tool like RDP to access a single desktop, his or her credentials can be used to install malware on that system. Once that individual PC is compromised, hackers can use it as a launching point to seek access to more critical systems.

In its advisory, the Department of Homeland Security provides a number of guidelines for improving remote access security, including:

  • Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited, unauthorized attempts to log in, whether from an unauthorized user or via automated attack types like brute force.
  • Limit the number of users and workstations that can log in using Remote Desktop.
  • Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).
  • Change the default remote desktop listening port.
  • Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.
  • Require two-factor authentication (2FA) for remote desktop access.
  • Install a remote desktop gateway to restrict access.
  • Add an extra layer of authentication and encryption by tunneling your remote desktop through IPsec, SSH, or SSL.
  • Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.
  • Limit administrative privileges for users and applications.
  • Periodically review systems (local and domain controllers) for unknown and dormant users.

For those using remote access for technical support, you can take security even further with a few additional recommendations:

  • Consolidate remote access tools so you can centrally manage and monitor all insider and external remote access.
  • Once you implement a central remote access solution, there is no longer a need for open listening ports, such as TCP 3389. Instead of only restricting access, as Homeland Security suggests, you can block broad access to 3389 and completely shut that door for hackers.
  • Two-factor authentication is a must. But beyond that, ensure that each individual is using unique login credentials. Often IT teams or vendors share logins to save money on licenses, but this undermines 2FA and makes it impossible to audit who is doing what on your systems.
  • In addition to limiting admin privileges for users and applications, consider restricting when and from where users can remotely access your systems. For example, an IT outsourcer can access your systems from his computer on his company network, but not from his iPad at home.
  • Reviewing your systems for unknown and dormant users is good, but even better is to set up alerts for unexpected activity, such as a vendor logging in overnight or on a weekend. By capturing a full audit trail of all remote access activity, you can set up a warning system to alert you to unauthorized access before the damage is done.
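Two of the controls in the lists above (locking out a source after a burst of failed logons, and alerting on vendor logons at unexpected hours) reduce to simple detection logic over logon events. The following is an added example, not code from the article, DHS, or Bomgar: it runs over constructed sample events in a simplified stand-in for the Windows Security event layout (4625 failed logon, 4624 successful logon), and the account names, IPs, and vendor list are made up.

```python
"""Added example (not from the article or the DHS advisory): brute-force and off-hours
logon detection over constructed events shaped like Windows 4625/4624 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, account, source_ip). 2014-08-01 is a Friday.
EVENTS = [
    ("2014-08-01 02:10:00", 4625, "Administrator", "203.0.113.5"),
    ("2014-08-01 02:10:30", 4625, "Administrator", "203.0.113.5"),
    ("2014-08-01 02:11:00", 4625, "admin", "203.0.113.5"),
    ("2014-08-01 02:11:30", 4625, "admin", "203.0.113.5"),
    ("2014-08-01 02:12:00", 4625, "pos", "203.0.113.5"),
    ("2014-08-01 09:05:00", 4625, "alice", "198.51.100.7"),          # single typo, benign
    ("2014-08-01 09:05:20", 4624, "alice", "198.51.100.7"),
    ("2014-08-01 10:00:00", 4624, "vendor-support", "198.51.100.20"),  # business hours
    ("2014-08-02 03:00:00", 4624, "vendor-support", "198.51.100.20"),  # Saturday, 3 AM
]

def parse(events):
    """Turn raw tuples into (datetime, event_id, account, ip) with lower-cased accounts."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct.lower(), ip)
            for ts, eid, acct, ip in events]

def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` failed logons inside any `window`,
    counted across all accounts so that password spraying is caught as well."""
    failures = defaultdict(list)
    for ts, eid, _, ip in events:
        if eid == 4625:
            failures[ip].append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):      # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def off_hours_logons(events, vendor_accounts, start_hour=7, end_hour=19):
    """Successful vendor logons on a weekend or outside start_hour..end_hour (local time)."""
    alerts = []
    for ts, eid, acct, ip in events:
        if eid == 4624 and acct in vendor_accounts:
            if ts.weekday() >= 5 or not start_hour <= ts.hour < end_hour:
                alerts.append((acct, ip, ts.isoformat()))
    return alerts
```

In production the thresholds and business hours come from policy, and the same two checks apply to the audit trail of a central remote access gateway rather than only to host event logs.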

Security has many layers, and no one solution is going to fully protect you from a data breach. But if you can lock down the initial entry pathway just a bit more, you can significantly up your chances of keeping hackers out and your sensitive data in.

Boatner Blankenstein is Senior Director of Solutions Engineering for Bomgar, a remote IT support provider for enterprises. View Full Bio
User Rank: Apprentice
10/20/2016 | 2:45:24 AM
Remote access
Security breaches during remote access occur because of easily hackable remote support tools. However, there are tools like on-premises R-HUB remote support servers that provide better security as compared to hosted services and cannot be hacked easily as they work from behind the firewall.
User Rank: Ninja
8/10/2014 | 10:35:13 AM
Re: Posture assessment is a must
I agree. Hackers are going to find ways to circumvent security, so it would be foolish for someone to contractually agree that if there is a breach they will be fired. But if you look at Target, this is kind of what happens anyway. If the higher-ups feel you didn't do enough, or there is a need for the company to publicly save face, that executive is going to get the ax most likely.

Robert McDougal,
User Rank: Ninja
8/10/2014 | 9:01:54 AM
Re: Posture assessment is a must
I couldn't agree more!  Executives need to feel the heat and until then nothing will change.

The Target breach got some attention since it was the first time an executive felt the heat but, once is not enough.
User Rank: Ninja
8/4/2014 | 2:42:02 PM
Re: Posture assessment is a must
That is a smart idea, but no executive ties his/her own salary to the breaches that their company faces. They know they do not have control over security.
User Rank: Ninja
8/4/2014 | 2:40:15 PM
Re: Way past time, actually
I basically agree with both points. I would think we should not assume any OS is secure. We have been experiencing breaches in all OSes available today, some more secure than others, but no one is exceptional.
User Rank: Ninja
8/4/2014 | 2:37:18 PM
Thanks for sharing this article. Quite informative. I was thinking, the Department of Homeland Security guideline is something we should be following by default; however, black hats still find a way to compromise remote desktop functionalities. A better approach is always to limit the number of remote administrative connections, constantly change the authentication method, and monitor authorization.
User Rank: Ninja
8/3/2014 | 9:13:39 AM
Way past time, actually
1. Use a secure O/S, one which does not allow itself or its apps to be modified without authentication.

2. Insist on authentication for all software installs and updates as well as for transactions and e-mail.

The internet evolved from a small, close-knit family of technicians into a world-wide phenomenon. During the evolution we haven't given security the attention we need in order to use this huge network for business purposes.

The tools exist. All applications don't need to migrate onto more secure platforms. Weaker platforms can be isolated behind firewalls and intranets.
Thomas Claburn,
User Rank: Ninja
8/1/2014 | 6:29:00 PM
Re: Posture assessment is a must
How about tying executive pay to lack of security problems? Then you'd get your funding.
User Rank: Ninja
8/1/2014 | 4:01:52 PM
Account Lockout fail
The Department of Homeland Security fails to mention that creating an Account Lockout GPO in Windows does affect the Administrator account.
User Rank: Apprentice
8/1/2014 | 3:15:23 PM
Posture assessment is a must
Relying on a generic remote access method is not gonna cut it. Your connection must be encrypted, but the problem is when an infected machine connects via a VPN, it's tough to monitor encrypted traffic. SSL VPNs have a posture assessment tool native that can do things like check the AV is up to date. Now you need more: make sure anti-phishing is installed, firewall config is accurate, OS is up to date. There are tools to increase secure remote access like GEARS and more. IT JUST NEEDS MORE FUNDING!

-Disgruntled sys admin