A Year-long Exponential Rise in RDP Credential Fraud
Over the last year, we’ve seen a rise in the stealing and selling of RDP credentials.
The pandemic has created a prosperous playground for attackers with nefarious activities in mind. When working from home, as many employees currently do, a company’s systems might not be as protected from RDP attacks as they would have been in an on-site setting. Without a corporate firewall, strong passwords and a good cybersecurity strategy, any company can be at risk.
How Are the Cybercriminal Middlemen Making Big Bucks by Exposing Businesses to Several Risks?
RDP access gives the attacker full control over a remote PC with almost no limitations, which makes it an attractive target for hackers. Hacked servers of this kind can be found for sale on hacker forums and marketplaces.
Once inside, attackers exploit unpatched vulnerabilities. Publicly known vulnerabilities are catalogued as Common Vulnerabilities and Exposures (CVE), a list whose purpose is to standardize the identification of all publicly known security vulnerabilities and exposures; every CVE entry has a unique identifier.
Listings of the ‘Initial Access Brokers’ type have increased notably across the dark web ecosystem in the last year alone. The sellers hack into networks, but that is just the beginning: afterwards they act as middlemen, providing the stolen data to the highest bidder.
What Is RDP?
Remote Desktop Protocol (RDP) is meant to be a secure, interoperable protocol that provides remote access to graphical desktop sessions (terminal services) over a network.
RDP’s job is to create secure connections between clients and servers or virtual machines.
RDP works across different Windows operating systems and devices.
This is why this type of protocol is the most sought-after listing among cybercriminals. Through RDP they can gain access to an entire corporate network, because the attack starts from perfectly legitimate login credentials. Thus, they can remotely control a computer without the system recognizing that this nefarious activity is taking place.
Why Is This Happening?
The rise we are seeing in remote working is exposing the unprepared companies to multiple security risks.
The main aspect to be considered is still the quality and strength of the passwords that the system has put in place. Weak passwords are one of the most common points of entry and perhaps one of the first aspects that you need to take care of.
How Much Does This Type of Data Cost?
The prices aren’t low, as expected, because data is right now one of the most sought-after assets and the demand for it is quite high.
A listing starts at around $10,000, but the prices only go up from there, depending on the number of machines the buyer would be able to access and therefore exploit.
Often the target falls into the trap of these ransomware gangs (such as Egregor), which can issue ransom demands of hundreds of thousands or even millions of dollars.
This phenomenon is what cybersecurity specialists call RaaS (Ransomware-as-a-Service), a business model that relies on groups that can provide malware or access points to interested parties.
That’s not all: often these ransomware gangs publish the stolen data online even if the ransom is paid. That exposes companies (and their clients) to an entire host of GDPR-related issues.
How Can You Stay Safe?
Your organization should have a solid strategy in place in order to ensure the security of remote work when it’s required. Some of the small but effective steps you can take towards protecting your data could be:
- Refuse RDP connections over the open Internet;
- Use only complex passwords and multi-factor authentication;
- Temporarily block a user after too many failed login attempts;
- Use an RDP gateway;
- Limit Domain Admin account access;
- Minimize the number of local admins;
- Use a firewall to restrict access;
- Enable Restricted Admin mode;
- Enable Network Level Authentication (NLA).
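As an added example (not Heimdal’s code or part of the original article), the following Python script shows how the lockout item above can be turned into detection: it parses a constructed, simplified extract of Windows Security log records and flags source addresses that produce repeated failed RDP logons (EventID 4625, LogonType 10) within a sliding window, keyed on source IP so that password spraying across many accounts is caught as well. The record layout and the sample records are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records, simplified to
# "timestamp|EventID|LogonType|TargetUserName|IpAddress".
# EventID 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2021-03-01T08:00:01|4625|10|administrator|203.0.113.7
2021-03-01T08:00:03|4625|10|admin|203.0.113.7
2021-03-01T08:00:04|4625|10|backup|203.0.113.7
2021-03-01T08:00:06|4625|10|sqlsvc|203.0.113.7
2021-03-01T08:00:07|4625|10|jsmith|203.0.113.7
2021-03-01T08:00:09|4625|10|jsmith|203.0.113.7
2021-03-01T08:05:00|4625|10|alice|198.51.100.20
2021-03-01T09:30:00|4624|10|alice|198.51.100.20
2021-03-01T09:40:00|4625|3|svc|10.0.0.5
"""

def parse_events(text):
    """Parse the simplified records into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, event_id, logon_type, user, ip = parts
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "user": user, "ip": ip})
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (count, first_ts, last_ts, usernames)} for every source IP
    that produced >= threshold failed RDP logons within a sliding window.
    Keying on source IP (not account) also catches password spraying,
    where each username is tried only once or twice."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    users = defaultdict(set)      # ip -> usernames tried from that address
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue              # only failed RemoteInteractive (RDP) logons
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        users[ev["ip"]].add(ev["user"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = (len(q), q[0], ev["ts"], sorted(users[ev["ip"]]))
    return alerts
```

Running `detect_rdp_bruteforce(parse_events(SAMPLE_LOG))` reports only 203.0.113.7, which tried five different accounts within six seconds; the single failure from 198.51.100.20 and the non-RDP failure from 10.0.0.5 are ignored.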
A great way to protect your company against RDP attacks is to opt for Heimdal™’s Next-Gen Antivirus & MDM.
These should be a good starting point for your company’s journey towards a safer data environment.