
Attacks/Breaches

8/1/2014
02:30 PM

'Backoff' Malware: Time To Step Up Remote Access Security

DHS issues advisory about remote desktop access tools associated with recent point-of-sale breaches.

Another day, another security breach. Today, it’s a number of breaches that may or may not tie together, but all seem to have one thing in common: poor remote access security.

Most notably, the US Department of Homeland Security has issued an advisory regarding the "Backoff" point-of-sale malware, which has been associated with several PoS data breach investigations. The advisory states:

Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMeIn Join.Me offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request...

Similar attacks have been noted in previous PoS malware campaigns and some studies state that targeting the Remote Desktop Protocol with brute force attacks is on the rise.

Apart from this advisory, the Delaware Restaurant Association notified its 1,900 member restaurants about a possible breach of consumer payment card data, which the association says “appears to be linked to LogMeIn, a remote access and systems management provider that facilitates, among other things, file sharing and data backup.” And Krebs on Security is reporting that the Jimmy John’s sandwich chain is investigating breach claims.

While some of these remote desktop access connections exist for employees to access their work computers from home, others are set up so IT administrators, outsourcers, and vendors can remotely manage and support desktops and other systems. It’s especially critical that these connections are secure as they typically include admin-level permissions that hackers can exploit.

But even if an end-user is simply using a tool like RDP to access a single desktop, his or her credentials can be used to install malware on that system. Once that individual PC is compromised, hackers can use it as a launching point to seek access to more critical systems.

In its advisory, the Department of Homeland Security provides a number of guidelines for improving remote access security, including:

  • Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited, unauthorized attempts to log in, whether from an unauthorized user or via automated attack types like brute force.
  • Limit the number of users and workstations that can log in using Remote Desktop.
  • Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).
  • Change the default remote desktop listening port.
  • Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.
  • Require two-factor authentication (2FA) for remote desktop access.
  • Install a remote desktop gateway to restrict access.
  • Add an extra layer of authentication and encryption by tunneling your remote desktop through IPsec, SSH, or SSL.
  • Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.
  • Limit administrative privileges for users and applications.
  • Periodically review systems (local and domain controllers) for unknown and dormant users.

For those using remote access for technical support, you can take security even further with a few additional recommendations:

  • Consolidate remote access tools so you can centrally manage and monitor all insider and external remote access.
  • Once you implement a central remote access solution, there is no longer a need for open listening ports, such as TCP 3389. Instead of only restricting access, as Homeland Security suggests, you can block broad access to 3389 and completely shut that door for hackers.
  • Two-factor authentication is a must. But beyond that, ensure that each individual is using unique login credentials. Often IT teams or vendors share logins to save money on licenses, but this undermines 2FA and makes it impossible to audit who is doing what on your systems.
  • In addition to limiting admin privileges for users and applications, consider restricting when and from where users can remotely access your systems. For example, an IT outsourcer can access your systems from his computer on his company network, but not from his iPad at home.
  • Reviewing your systems for unknown and dormant users is good, but even better is to set up alerts for unexpected activity, such as a vendor logging in overnight or on a weekend. By capturing a full audit trail of all remote access activity, you can set up a warning system to alert you to unauthorized access before the damage is done.
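As an added illustration of the controls in the two lists above (this is example code written for this page, not code from the article, the DHS advisory, or Bomgar), the Python below replays a constructed remote-access audit trail. It applies an account-lockout policy of the kind the advisory recommends (a failure threshold within an observation window, then a lockout period), flags attempts against a locked account, and raises the alerts the second list calls for: a vendor account logging in outside its allowed hours, on a weekend, or from outside its approved network. The log format, thresholds, account names, addresses and schedule are all assumptions made for the example.

```python
"""Replay a remote-access audit trail against a lockout policy and per-account
access rules. Example code for this page; every value below is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample audit trail: "<ISO timestamp> <user> <source IP> <OK|FAIL>".
# 2014-08-01 is a Friday, so the last line is a Saturday login.
SAMPLE_LOG = """\
2014-08-01T02:10:00 svc_pos 203.0.113.7 FAIL
2014-08-01T02:10:03 svc_pos 203.0.113.7 FAIL
2014-08-01T02:10:06 svc_pos 203.0.113.7 FAIL
2014-08-01T02:10:09 svc_pos 203.0.113.7 FAIL
2014-08-01T02:10:12 svc_pos 203.0.113.7 FAIL
2014-08-01T02:10:15 svc_pos 203.0.113.7 OK
2014-08-01T09:00:00 vendor_it 198.51.100.10 OK
2014-08-01T22:30:00 vendor_it 198.51.100.10 OK
2014-08-02T11:00:00 vendor_it 192.0.2.44 OK
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    src: str
    outcome: str  # "OK" or "FAIL"


@dataclass
class LockoutPolicy:
    threshold: int = 5                          # failures before the account locks
    window: timedelta = timedelta(minutes=15)   # failures are counted within this window
    duration: timedelta = timedelta(minutes=30) # how long the account stays locked


@dataclass
class AccessRule:
    networks: list            # CIDR strings the account may connect from
    hours: tuple = (8, 18)    # allowed local hours: start inclusive, end exclusive
    weekdays_only: bool = True


# Assumed rule for the outsourcer's account: office network, business hours, weekdays.
RULES = {"vendor_it": AccessRule(networks=["198.51.100.0/24"])}


def parse_log(text):
    """Parse the constructed log format into Event objects."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, src, outcome))
    return events


def check_rule(ev, rule):
    """Return the reasons a successful login violates its account's rule."""
    reasons = []
    if not any(ip_address(ev.src) in ip_network(n) for n in rule.networks):
        reasons.append(f"source {ev.src} outside approved networks")
    if rule.weekdays_only and ev.when.weekday() >= 5:
        reasons.append("weekend login")
    if not (rule.hours[0] <= ev.when.hour < rule.hours[1]):
        reasons.append(f"login at {ev.when:%H:%M} outside allowed hours {rule.hours}")
    return reasons


def evaluate(events, policy, rules):
    """Replay events in time order; return (alerts, accounts locked and until when).

    Each alert is a (timestamp, user, message) tuple."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of failures in window
    locked_until = {}                     # user -> datetime the lockout expires
    for ev in sorted(events, key=lambda e: e.when):
        if ev.user in locked_until and ev.when < locked_until[ev.user]:
            # A locked account cannot log in, even with the right password.
            alerts.append((ev.when, ev.user, "attempt while account locked out"))
            continue
        if ev.outcome == "FAIL":
            q = recent_failures[ev.user]
            q.append(ev.when)
            while ev.when - q[0] > policy.window:  # drop failures outside the window
                q.popleft()
            if len(q) >= policy.threshold:
                locked_until[ev.user] = ev.when + policy.duration
                q.clear()
                alerts.append((ev.when, ev.user,
                               f"locked out after {policy.threshold} failures from {ev.src}"))
            continue
        recent_failures[ev.user].clear()  # a successful login resets the counter
        rule = rules.get(ev.user)
        if rule is None:
            alerts.append((ev.when, ev.user, "successful login for account with no access rule"))
        else:
            reasons = check_rule(ev, rule)
            if reasons:
                alerts.append((ev.when, ev.user, "; ".join(reasons)))
    return alerts, locked_until


if __name__ == "__main__":
    found, locked = evaluate(parse_log(SAMPLE_LOG), LockoutPolicy(), RULES)
    for when, user, msg in found:
        print(f"{when:%Y-%m-%d %H:%M:%S} {user}: {msg}")
```

Run as written, the replay produces four alerts: the lockout of svc_pos on its fifth failure, the blocked attempt against it three seconds later, the vendor_it login at 22:30, and the Saturday login from an address outside the approved network. The lockout state is kept per account so that a correct password presented during the lockout window is still refused, which is the behaviour the advisory's first guideline is meant to enforce.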

Security has many layers, and no one solution is going to fully protect you from a data breach. But if you can lock down the initial entry pathway just a bit more, you can significantly up your chances of keeping hackers out and your sensitive data in.

Boatner Blankenstein is Senior Director of Solutions Engineering for Bomgar, a remote IT support provider for enterprises.

Comments
JulietB730, User Rank: Apprentice
10/20/2016 | 2:45:24 AM
Remote access
Security breaches during remote access occur because of easily hackable remote support tools. However, there are tools like on-premise R-HUB remote support servers that provide better security as compared to hosted services and cannot be hacked easily as they work from behind the firewall.
Bprince, User Rank: Ninja
8/10/2014 | 10:35:13 AM
Re: Posture assessment is a must
I agree. Hackers are going to find ways to circumvent security, so it would be foolish for someone to contractually agree that if there is a breach they will be fired. But if you look at Target, this is kind of what happens anyway. If the higher-ups feel you didn't do enough, or there is a need for the company to publicly save face, that executive is most likely going to get the ax.

BP
Robert McDougal, User Rank: Ninja
8/10/2014 | 9:01:54 AM
Re: Posture assessment is a must
I couldn't agree more! Executives need to feel the heat, and until then nothing will change.

The Target breach got some attention since it was the first time an executive felt the heat, but once is not enough.
Dr.T, User Rank: Ninja
8/4/2014 | 2:42:02 PM
Re: Posture assessment is a must
That is a smart idea, but no executive ties his/her own salary to the breaches that their company faces. They know they do not have control over security.
Dr.T, User Rank: Ninja
8/4/2014 | 2:40:15 PM
Re: Way past time, actually
I basically agree with both points. I would think we should not assume any OS is secure. We have been experiencing breaches in all OSes available today, some more secure than others, but none is exceptional.
Dr.T, User Rank: Ninja
8/4/2014 | 2:37:18 PM
Guidelines
Thanks for sharing this article. Quite informative. I was thinking, the Department of Homeland Security guideline is something we should be following by default; however, black hats still find a way to compromise remote desktop functionalities. A better approach is always to limit the number of remote administrative connections, constantly change the authentication method, and monitor authorization.
macker490, User Rank: Ninja
8/3/2014 | 9:13:39 AM
Way past time, actually
1. use a secure o/s -- one which does not allow itself or its apps to be modified without authentication.

2. insist on authentication for all software installs and updates as well as for transactions and e/mail

the internet evolved from a small, close-knit family of technicians into a world-wide phenomenon. during the evolution we haven't given security the attention we need in order to use this huge network for business purposes.

the tools exist. all applications don't need to migrate onto more secure platforms. weaker platforms can be isolated behind firewalls and intranets.
Thomas Claburn, User Rank: Ninja
8/1/2014 | 6:29:00 PM
Re: Posture assessment is a must
> IT JUST NEED MORE FUNDING!

How about tying executive pay to lack of security problems? Then you'd get your funding.
theb0x, User Rank: Ninja
8/1/2014 | 4:01:52 PM
Account Lockout fail
The Department of Homeland Security fails to mention that creating an Account Lockout GPO in Windows does affect the Administrator account.
anon5710889055, User Rank: Apprentice
8/1/2014 | 3:15:23 PM
Posture assessment is a must
Relying on a generic remote access method is not gonna cut it. Your connection must be encrypted, but the problem is when an infected machine connects via a VPN, it's tough to monitor encrypted traffic. SSL VPNs have a native posture assessment tool that can do things like check that the AV is up to date. Now you need more: make sure anti-phishing is installed, the firewall config is accurate, the OS is up to date. There are tools to increase secure remote access like GEARS and more. IT JUST NEED MORE FUNDING!

-Disgruntled sys admin