Dark Reading is part of the Informa Tech Division of Informa PLC

Endpoint | Commentary
5/17/2018 02:30 PM
Matt Ahrens

The Risks of Remote Desktop Access Are Far from Remote

RDP is used by fraudsters to steal and monetize data more often than you might think. But there are ways to stay safe.

No one wakes up thinking "today's the day I'm going to be hacked." Even though we've all seen big-name companies fall prey to cyberattacks, the majority of business owners don't think one will ever happen to them. They're wrong. Breaches at Target, Home Depot, and Equifax may capture all of the attention, but software commonly used by many small businesses makes them far more attractive targets to hackers.

The software? Remote Desktop. Many businesses use Remote Desktop to facilitate network access for remote employees over the Internet. But by granting such access, these businesses have made it much more likely they'll be targeted and hacked. Over a 10-year career providing incident response and forensics following data breaches, I've seen thousands of companies crippled by the exploitation of remote access points. And I've seen how quickly and effectively fraudsters leverage hijacked computers to steal and monetize data, and how they've used such access to take control of entire networks.

What Is Remote Desktop?
The Remote Desktop Protocol (also known as RDP) is used to allow remote access to a computer. After logging in, you can control that computer remotely in almost the same way you control your own computer. RDP is very easy to use and widely implemented. Remote Desktop even comes built-in to most versions of Microsoft Windows. When used within a private network, it's a very powerful business tool. Unfortunately, it's not secure enough to safely expose to the Internet.

Imagine a small (fictional) CPA firm, Joe's Taxes. Joe's Taxes has three partners and five accountants. What's the easiest way for all eight team members to access a single server with specialized accounting and tax software? You guessed it: RDP.  

With a Remote Desktop setup, Joe can access his tax server and client data from anywhere, as can his partners and employees. This is not only convenient but increases productivity in Joe's office. Joe's employees can now collaborate on projects and remotely access documents that are securely stored and backed up in the office.

What Could Go Wrong?
Criminals, aware of the valuable information in the possession of businesses like Joe's, are also keen to remotely access this data. So keen that they've developed a wide array of tools to continuously look for remote access points on the Internet. Services such as Censys.io and Shodan.io, designed to map assets on the Internet, can also be used to discover potentially vulnerable targets. 

With remote access to a network, not only can criminals access sensitive information and hijack login credentials and identities, they can also use such access to deploy ransomware, such as the "SamSam" gang or Dharma ransomware. Even the access alone is worth something. Criminals routinely buy and sell Remote Desktop credentials in criminal markets such as xDedic. Pricing is driven by where the server is located, what software it's running, and other attributes that signal its value to the criminal marketplace. You can bet that our fictional CPA firm would fetch a decent price. (See, for example, this Kaspersky report).

How Does This Work?
Once a firm is targeted, it's surprisingly easy to overcome the password protections in place. This is largely because there is only one factor to defeat: the password itself. In the absence of a multifactor authentication mechanism such as a text, phone call, or randomly generated token, the hacker is free to guess a user's password. With enough computing power, this is a process that can take only a few hours. Moreover, as a business adds more accounts over time, old unused accounts create an even larger surface to attack. Hackers also have access to billions of compromised credentials from past data breaches. Returning to our example, if even one of Joe's employees reused a password that was already breached, no guessing is required!

In reality, hackers have largely automated this process. Once they have a "hit," such as Joe's Taxes' server, they quickly identify all of the attributes of that server, including the fact that it has tax software installed, prior to putting it up for sale. At this point, any criminal can purchase access to Joe's server, from which they can steal information or impersonate Joe, including making fraudulent filings to the IRS.
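Detection logic for the automated password guessing described above, as an added example that is not from the article or from Coalition: it replays constructed Windows Security log events (Event ID 4625 failed logon, 4624 successful logon, logon type 10 for RDP) and flags sources that burst failures, plus any success that then arrives from the same source. The tuple layout and the sample events are assumptions for the example.

```python
"""Flag RDP password guessing in Windows Security log events (added example).

Assumed input: tuples (time, event_id, logon_type, user, source_ip) pulled
from Event ID 4625 (failed logon) and 4624 (successful logon) records.
The sample below is constructed, not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon type 10 = RemoteInteractive (RDP). With Network Level Authentication
# enabled, failed attempts are usually recorded as type 3 (Network) instead,
# so a production filter would typically include 3 as well.
RDP_LOGON_TYPES = {10}
THRESHOLD = 20                    # failures from one source within WINDOW
WINDOW = timedelta(minutes=10)


def analyze(events, threshold=THRESHOLD, window=WINDOW):
    """Return sources that look like automated guessing, and (user, source)
    pairs where a success followed such a burst, i.e. a likely compromise."""
    failures = defaultdict(list)  # source_ip -> recent failed-logon times
    guessing = set()
    compromised = []
    for ts, event_id, logon_type, user, src in sorted(events, key=lambda e: e[0]):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            # keep only failures inside the sliding window for this source
            failures[src] = [x for x in failures[src] if t - x <= window] + [t]
            if len(failures[src]) >= threshold:
                guessing.add(src)
        elif event_id == 4624 and src in guessing:
            compromised.append((user, src))
    return {"guessing": sorted(guessing), "compromised": compromised}


def build_sample():
    """Constructed events: a 25-attempt burst then a success from the same
    source, plus benign noise (one stray failure, a VPN-range success)."""
    base = datetime(2018, 5, 17, 2, 0, 0)
    at = lambda s: (base + timedelta(seconds=s)).isoformat()
    ev = [(at(3 * i), 4625, 10, f"user{i % 5}", "203.0.113.7") for i in range(25)]
    ev.append((at(80), 4624, 10, "joe", "203.0.113.7"))      # guess succeeded
    ev.append((at(95), 4625, 10, "joe", "198.51.100.5"))     # single typo, benign
    ev.append((at(120), 4624, 10, "partner1", "10.8.0.12"))  # normal VPN user
    ev.append((at(150), 4624, 2, "joe", "127.0.0.1"))        # console logon, ignored
    return ev


SAMPLE_EVENTS = build_sample()

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```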

How Widespread Is This Risk?
At Coalition, we detect Remote Desktop on the Internet in over 30% of the companies we underwrite for cyber insurance. These access points tend to be concentrated in smaller businesses, as well as those that manage IT services. At the time I wrote this, our underwriting platform had identified over 3 million IP addresses with RDP available on the Internet, 900,000 of which are located in the United States.

Our fictional CPA firm is a great example of the risks of using RDP on the Internet. It is estimated that tax scams defrauded over $21 billion in 2016 alone, much of it facilitated by precisely this attack. However, CPA firms aren't alone. Any company that enables RDP access from the Internet is a target, and the consequences can be severe.

What You Can Do
The first, and most obvious, solution is to remove Remote Desktop from the Internet, even if not entirely. Access can be restricted behind a secure virtual private network or to known users using firewall rules. Alternatively, or in addition, a multifactor authentication mechanism can be implemented to augment traditional password authentication. A number of such solutions are available (some for free) that are compatible with RDP. 

Matt Ahrens leads the Security Team at Coalition, the leading technology-enabled cyber insurance solution, combining comprehensive insurance and free cybersecurity tools to help businesses manage and mitigate cyber-risk. Prior to Coalition, he co-founded The Crypsis Group, a ...
Comments
AviatorBobo (User Rank: Apprentice), 6/22/2018 | 7:51:19 AM
Isn't Bandwidth a factor also?
Dear Matt,

Thank you for a great article, with the coolest ever heading! :) My name is Mehmet, and I work at a Danish company called Secomea... We work with secure remote access for factories, and the likes... When you say that "With enough computing power, this is a process that can take only a few hours."? :) Is this really enough? I would guess that there are only so many retries before that connection is banned...? And what about the bandwidth of the company that is being attacked in this way...? Isn't that a limiting factor also? :)