Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:30 PM
Connect Directly
E-Mail vvv

'Backoff' Malware: Time To Step Up Remote Access Security

DHS issues advisory about remote desktop access tools associated with recent point-of-sale breaches.

Another day, another security breach. Today, it’s a number of breaches that may or may not tie together, but all seem to have one thing in common: poor remote access security.

Most notably, the US Department of Homeland Security has issued an advisory regarding the "Backoff" point-of-sale malware, which has been associated with several PoS data breach investigations. The advisory states:

Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMEIn Join.Me offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request...

Similar attacks have been noted in previous PoS malware campaigns and some studies state that targeting the Remote Desktop Protocol with brute force attacks is on the rise.

Apart from this advisory, the Delaware Restaurant Association notified its 1,900 member restaurants about a possible breach of consumer payment card data, which the association says “appears to be linked to LogMeIn, a remote access and systems management provider that facilitates, among other things, file sharing and data backup.” And Krebs on Security is reporting that the Jimmy John’s sandwich chain is investigating breach claims.

While some of these remote desktop access connections exist for employees to access their work computers from home, others are set up so IT administrators, outsourcers, and vendors can remotely manage and support desktops and other systems. It’s especially critical that these connections are secure as they typically include admin-level permissions that hackers can exploit.

But even if an end-user is simply using a tool like RDP to access a single desktop, his or her credentials can be used to install malware on that system. Once that individual PC is compromised, hackers can use it as a launching point to seek access to more critical systems.

In its advisory, the Department of Homeland Security provides a number of guidelines for improving remote access security, including:

  • Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited, unauthorized attempts to login whether from an unauthorized user or via automated attack types like brute force.
  • Limit the number of users and workstations that can log in using Remote Desktop.
  • Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).
  • Change the default remote desktop listening port.
  • Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.
  • Require two-factor authentication (2FA) for remote desktop access.
  • Install a remote desktop gateway to restrict access.
  • Add an extra layer of authentication and encryption by tunneling your remote desktop through IPsec, SSH, or SSL.
  • Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.
  • Limit administrative privileges for users and applications.
  • Periodically review systems (local and domain controllers) for unknown and dormant users.

For those using remote access for technical support, you can take security even further with a few additional recommendations:

  • Consolidate remote access tools so you can centrally manage and monitor all insider and external remote access.
  • Once you implement a central remote access solution, there is no longer a need for open listening ports, such as TCP 3389. Instead of only restricting access, as Homeland Security suggests, you can block broad access to 3389 and completely shut that door for hackers.
  • Two-factor authentication is a must. But beyond that, ensure that each individual is using unique login credentials. Often IT teams or vendors share logins to save money on licenses, but this undermines 2FA and makes it impossible to audit who is doing what on your systems.
  • In addition to limiting admin privileges for users and applications, consider restricting when and from where users can remotely access your systems. For example, an IT outsourcer can access your systems from his computer on his company network, but not from his iPad at home.
  • Reviewing your systems for unknown and dormant users is good, but even better is to set up alerts for unexpected activity, such as a vendor logging in overnight or on a weekend. By capturing a full audit trail of all remote access activity, you can set up a warning system to alert you to unauthorized access before the damage is done.

Security has many layers, and no one solution is going to fully protect you from a data breach. But if you can lock down the initial entry pathway just a bit more, you can significantly up your chances of keeping hackers out and your sensitive data in.

Boatner Blankenstein is Senior Director of Solutions Engineering for Bomgar, a remote IT support provider for enterprises. View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/20/2016 | 2:45:24 AM
Remote access
Security breach during remote access occurs because of easily hackable remote support tools. However, there are tools like on premise R-HUB remote support servers who provide better security as compared to hosted services and cannot be hacked easily as they work from behind the firewall.
User Rank: Ninja
8/10/2014 | 10:35:13 AM
Re: Posture assessment is a must
I agree. Hackers are going to find ways to circumvent security, so it would be foolish for someone to contractual agree that if there is a breach they will be fired. But if you look at Target, this is kind of what happens anyway. If the higher ups feel you didn't do enough, or there is a need for the company to publicly save face, that executive is going to get the ax most likely.

Robert McDougal
Robert McDougal,
User Rank: Ninja
8/10/2014 | 9:01:54 AM
Re: Posture assessment is a must
I couldn't agree more!  Executives need to feel the heat and until then nothing will change.

The Target breach got some attention since it was the first time an executive felt the heat but, once is not enough.
User Rank: Ninja
8/4/2014 | 2:42:02 PM
Re: Posture assessment is a must
That is a smart idea but no Executive tie his/her own salary to the breaches that their company faces. They know they do not have control over security.
User Rank: Ninja
8/4/2014 | 2:40:15 PM
Re: Way past time, actually

I basically agree with bot points, I would think we should not assume any OS is secure. We have been experiencing breaches in all OS available today, some more secure than others but no one is exceptional. 
User Rank: Ninja
8/4/2014 | 2:37:18 PM
Thanks for sharing this article. Quite informative. I was thinking, Department of Homeland Security guideline is something we should be folllowing by default, however, black hats still find a way to compromise remote desktop functionalities. Better approach is always limit the number of remote administrative connections and constantly changing authentication method and monitoring authorization.
User Rank: Ninja
8/3/2014 | 9:13:39 AM
Way past time, actually
1. use a secure o/s,-- one which does not allow itself or its apps to be modified without authentication.

2. insist on authentication for all software installs and updates as well as for transactions and e/mail

the internet evolved from a small, close knit family of technicians into a world-wide phenomenon.   during the evolution we havn't given security the attention we need in order to use this huge network for business purposes.

the tools exist.   all applications don't need to migrate onto more secure platforms. weaker platforms can be isolated behind firewalls and intranets.  
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
8/1/2014 | 6:29:00 PM
Re: Posture assessment is a must

How about tying executive pay to lack of security problems? Then you'd get your funding.
User Rank: Ninja
8/1/2014 | 4:01:52 PM
Account Lockout fail
The Department of Homeland Security fails to mention that creating an Acount Lockout GPO in Windows does affect the Administrator account.
User Rank: Apprentice
8/1/2014 | 3:15:23 PM
Posture assessment is a must
Relying on a generic remote access method is not gonna cut it.  Your connection must be encrypted, but the problem is when an infected machine connects via a VPN, it's tough to monitor encrypted traffic.  SSL VPN's have a posture assessment tool native that can do things like check the AV is up to date.  Now you need more, make sure anti phising is installed, firewall config is accurate, OS is up to date.  There are tools to increase secure remote access like GEARS and more.  IT JUST NEED MORE FUNDING!


-Disgrunted sys admin
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.