Organizations Leave Backdoors Open to Cheap Remote Desktop Protocol Attacks By John Fokker

While researching underground hacker marketplaces, the McAfee Advanced Threat Research team discovered that access linked to the security and building automation systems of a major international airport could be bought for only US$10.

The dark web contains RDP shops, online platforms selling remote desktop protocol (RDP) access to hacked machines, from which one can buy logins to computer systems that could potentially cripple cities and bring down major companies.

RDP, a proprietary protocol developed by Microsoft that allows a user to access another computer through a graphical interface, is a powerful tool for systems administrators. In the wrong hands, RDP can be used to devastating effect. The recent SamSam ransomware attacks on several American institutions demonstrate how RDP access serves as an entry point. Attacking a high-value network can be as easy and cheap as going underground and making a simple purchase. Cybercriminals like the SamSam group only have to spend an initial $10 to get access and are charging a $40K ransom for decryption, not a bad return on investment.

Shops explained
Security maven Brian Krebs wrote the article "Really Dumb Passwords" in 2013. That short phrase encapsulates the vulnerability of RDP systems. Attackers simply scan the Internet for systems that accept RDP connections and launch a brute-force attack with popular tools such as Hydra, NLBrute or RDP Forcer to gain access. These tools combine password dictionaries with the vast number of credentials stolen in recent large data breaches. Five years later, RDP shops are even larger and easier to access.

The McAfee Advanced Threat Research team looked at several RDP shops, ranging in size from 15 to more than 40,000 RDP connections for sale at Ultimate Anonymity Service (UAS), a Russian business and the largest active shop we researched. We also looked at smaller shops found through forum searches and chats. During the course of our research we noticed that the size of the bigger shops varies by about 10% from day to day. The goal of our research was not to create a definitive list of RDP shops; rather, we sought a better understanding of the general modus operandi, the products offered, and the potential victims.

RDP access by cybercriminals
How do cybercriminals (mis)use RDP access? RDP was designed to be an efficient way to access a network. By leveraging RDP, an attacker need not create a sophisticated phishing campaign, invest in malware obfuscation, use an exploit kit, or worry about antimalware defenses. Once attackers gain access, they are in the system. Scouring the criminal underground, we found the top uses of hacked RDP machines promoted by RDP shops.

False flags: Using RDP access to create misdirection is one of the most common applications. While preserving anonymity, an attacker can make it appear as if his illegal activity originates from the victim's machine, effectively planting a false flag for investigators and security researchers. Attackers can plant this flag by compiling malicious code on the victim's machine, purposely creating false debugging paths and changing compiler environment traces.

Spam: Just as spammers use giant botnets such as Necurs and Kelihos, RDP access is popular among a subset of spammers. Some of the systems we found for sale are actively promoted for mass-mailing campaigns, and almost all the shops offer a free blacklist check, to see whether the systems were flagged by Spamhaus and other antispam organizations.

Account abuse, credential harvesting, and extortion: By accessing a system via RDP, attackers can obtain almost all data stored on that system. This information can be used for identity theft, account takeovers, credit card fraud, extortion, and more.

Cryptomining: In the latest McAfee Labs Threats Report, we wrote about the increase in illegal cryptocurrency mining due to the rising market value of digital currencies. We found several criminal forums actively advertising Monero mining as a use for compromised RDP machines.

Ransomware: The large majority of ransomware is still spread by phishing emails and exploit kits. However, specialized criminal groups such as SamSam are known to use RDP to enter their victims' networks easily and almost undetected.

RDP shop overview

Systems for sale: The advertised systems ranged from Windows XP through Windows 10. Windows Server 2008 and 2012 were the most abundant, with around 11,000 and 6,500 systems, respectively, for sale. Prices ranged from around US$3 for a simple configuration to $19 for a high-bandwidth system that offered access with administrator rights.

Third-party resellers: When comparing "stock" among several RDP shops, we found that the same RDP machines were sold at different shops, indicating that these shops act as resellers.

Windows Embedded Standard: Windows Embedded Standard, now called Windows IoT, is used in a wide variety of systems that require a small footprint. These systems range from thin clients to hotel kiosk systems, announcement boards, point-of-sale (POS) systems, and even parking meters, among others.

Among the thousands of RDP-access systems offered, some configurations stood out. We found hundreds of identically configured Windows Embedded Standard machines for sale at UAS Shop and BlackPass; all these machines were in the Netherlands. This configuration was equipped with a 1-GHz VIA Eden processor. An open-source search of this configuration revealed that it is most commonly used in thin clients and some POS systems. The configurations are associated with several municipalities, housing associations, and healthcare institutions in the Netherlands.

Thin client and POS systems are often overlooked and not commonly updated, making them an ideal backdoor target for an attacker. Although these systems have a small physical footprint, the business impact of having such a system compromised should not be underestimated. As we have observed from previous breaches of retailers through unpatched or vulnerable POS systems, the damage extends far beyond the financial, to customer perception and long-term brand reputation. With regard to the affected systems we discovered, McAfee has notified the identified victims and is working to learn in more detail why and how these identical Windows systems were compromised.

Government and healthcare institutions: We also came across multiple government systems being sold worldwide, including some linked to the United States, and dozens of connections linked to healthcare institutions, from hospitals and nursing homes to suppliers of medical equipment. In a March blog post, the Advanced Threat Research team showed the possible consequences of ill-secured medical data and what can happen when an attacker gains access to medical systems. It is very troubling to see that RDP shops offer such an easy way in.

Additional products for sale
In addition to selling RDP access, some of these shops offer a lively trade in social security numbers, credit card data, and logins to online shops. The second-largest RDP shop we researched, BlackPass, offered the widest variety of products. The most prolific of these brokers provide one-stop access to all the tools used to commit fraud: RDP access into computers, social security numbers, and the other data needed to set up loans or open bank accounts.

For legal and ethical reasons, we did not purchase any of the products offered. Therefore, we cannot determine the quality of the services.

RDP ransomware attack scenario
Is it possible to find a high-value victim using an RDP shop? The Advanced Threat Research team put this theory to the test. By leveraging the vast number of connections offered by the RDP shops, we were able to quickly identify a victim that fits the profile of a high-value target in the United States.

We found a newly posted (on April 16) Windows Server 2008 R2 Standard machine on the UAS Shop. According to the shop details, it belonged to a city in the United States, and for a mere $10 we could get administrator rights to this system.

UAS Shop hides the last two octets of the IP addresses of the systems it offers for sale and charges a small fee for the complete address. (We did not pay for any services offered by UAS or any other shop.) To locate the system being sold, we used shodan.io to search for any open RDP ports at that specific organization using this query:
org:"CityXXX" port:"3389"

The results were far more alarming than we anticipated. The Shodan search narrowed 65,536 possible IPs to just three that matched our query. With a complete IP address we could now look up the WHOIS information, which revealed that all the addresses belonged to a major international airport. This is definitely not something you want to discover on a Russian underground RDP shop, but the story gets worse.

From bad to worse
Two of the IP addresses presented a screenshot of the accessible login screens.

A closer look at the screenshots shows that the Windows configuration (preceding screen) is identical to the system offered in the RDP shop. There are three user accounts available on this system, one of which is the administrator account. The names of the other accounts seemed unimportant at first, but after performing several open-source searches we found that the accounts were associated with two companies specializing in airport security: one in security and building automation, the other in camera surveillance and video analytics. We did not explore the full level of access of these accounts, but a compromise could offer a strong foothold and lateral movement through the network using tools such as Mimikatz.

Looking at the other login account (preceding screen), we saw it is part of a domain with a very specific abbreviation. We performed the same kind of search on this account and found the domain is most likely associated with the airport's automated transit system, the passenger transport system that connects terminals. It is troubling that a system with such significant public impact might be openly accessible from the Internet.

Now we know that attackers, like the SamSam group, can indeed use an RDP shop to gain access to a potential high-value ransomware victim. We found that access to a system associated with a major international airport can be bought for only $10, with no zero-day exploit, elaborate phishing campaign, or watering hole attack.

To publish our findings, we have anonymized the data to prevent any disclosure of sensitive security information.

Basic forensic and security advice

Playing hide and seek
Besides selling countless connections, RDP shops offer tips on how to remain undetected when an attacker wants to use the freshly bought RDP access.

The UAS Shop offers a zip file with a patch to allow multiuser RDP access, which is not possible by default on some Windows versions. The zip file contains two .reg files that alter the Windows registry and a patch file that alters termsrv.dll to allow concurrent remote desktop connections.

These alterations to the registry and files leave obvious traces on a system. A termsrv.dll that no longer carries a valid Microsoft Authenticode signature, or whose hash differs from the copy on a clean system of the same build, and unexpected changes under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server are the indicators to check for. Those indicators can be helpful when investigating misuse of RDP access.

In addition to checking for these signs, it is good practice to check the Windows event and security logs for unusual logon types and RDP use. In the Security log, a successful RDP session is a 4624 event with logon type 10 (RemoteInteractive) and a failed attempt is a 4625 event; the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log records each incoming connection as event 1149. The following screen, from the well-known SANS Digital Forensics and Incident Response poster, explains where the logs can be found.
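The hunt described above, as an added example that is not part of the original post: a small Python triage over Security-log records shaped like the fields of 4624/4625 events (target user, logon type, source IP). The sample events are constructed for this example using documentation address ranges, not real logs; on a real host you would fill the list from Get-WinEvent or an EVTX parser. One caveat the code accounts for: when Network Level Authentication is enabled, the CredSSP step and every failed attempt are logged as logon type 3 (Network) rather than 10, so the brute-force detection keys on 4625 events from one address regardless of logon type, and only the session that follows is matched on type 10.

```python
"""Added example (not from the McAfee post): triage of Windows Security
events for RDP brute force and the session that follows it.

Each record carries the handful of fields a 4624/4625 event provides
(TargetUserName, LogonType, IpAddress).  On a real host, fill the list
from `Get-WinEvent -LogName Security` or an EVTX parser.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types as documented for events 4624/4625.  10 is the RDP session
# itself; with NLA enabled, the CredSSP step and every failed attempt show
# up as type 3 (Network), so failures are counted regardless of type.
LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock", 10: "RemoteInteractive"}


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def _event(when, event_id, user, logon_type, ip):
    return {"time": when, "id": event_id, "user": user, "logon_type": logon_type, "ip": ip}


# Constructed sample data (documentation address ranges, not real logs):
# one Internet host sprays three account names for three minutes, then the
# same address gets an administrator session (type 3 CredSSP logon followed
# by the type 10 session logon); an admin on the LAN logs in normally later.
_start = _t("2018-04-16 02:10:00")
_sprayed = ["administrator", "admin", "administrator", "sysadmin"]
SAMPLE_EVENTS = [
    _event(_start + timedelta(seconds=15 * i), 4625, _sprayed[i % 4], 3, "203.0.113.10")
    for i in range(12)
] + [
    _event(_start + timedelta(minutes=3, seconds=5), 4624, "administrator", 3, "203.0.113.10"),
    _event(_start + timedelta(minutes=3, seconds=6), 4624, "administrator", 10, "203.0.113.10"),
    _event(_t("2018-04-16 09:02:11"), 4624, "itadmin", 10, "10.20.0.5"),
]


def bruteforce_sources(events, threshold=10, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed logons (4625) inside any
    sliding window of length `window`, plus the account names they tried."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["ip"]].append(e)
    hits = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {
                    "attempts": len(fails),
                    "users": sorted({f["user"] for f in fails}),
                    "first": fails[0]["time"],
                    "last": fails[-1]["time"],
                }
                break
    return hits


def rdp_sessions(events):
    """Successful logons of type 10: each one is an RDP session on the host."""
    return [e for e in events if e["id"] == 4624 and e["logon_type"] == 10]


def triage(events, threshold=10):
    """Correlate the two: an RDP session from an address that was just
    brute-forcing the host is the SamSam-style entry the post describes;
    any RDP session from a public address is worth a look on its own."""
    sources = bruteforce_sources(events, threshold)
    findings = []
    for s in rdp_sessions(events):
        if s["ip"] in sources:
            findings.append({"severity": "critical", "ip": s["ip"], "user": s["user"], "time": s["time"],
                             "reason": f"RDP session after {sources[s['ip']]['attempts']} failed logons from the same address"})
        elif not ipaddress.ip_address(s["ip"]).is_private:
            findings.append({"severity": "high", "ip": s["ip"], "user": s["user"], "time": s["time"],
                             "reason": "RDP session from a public address"})
    return findings


if __name__ == "__main__":
    for ip, info in bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"brute force from {ip}: {info['attempts']} attempts against {info['users']}")
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['user']} from {f['ip']}: {f['reason']}")
```

The threshold and window are deliberately parameters: a lockout policy of ten attempts in five minutes is a common baseline, and a hunt should use whatever the host's own policy is so that a source that stays just under it is still visible.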

Basic RDP security measures

Outside access to a network can be necessary, but it always comes with risk. We have summarized some basic RDP security measures:

• Use complex passwords and two-factor authentication; this makes brute-force RDP attacks far less likely to succeed
• Do not allow RDP connections over the open Internet
• Lock out users and block or time out IPs that have too many failed login attempts
• Regularly check event logs for unusual login attempts
• Consider using an account-naming convention that does not reveal organizational information
• Enumerate all systems on the network and list how they are connected and through which protocols. This also applies to Internet of Things and POS systems.
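One way to act on the last two points, as an added example rather than code from the original post: a minimal RDP security-negotiation probe in Python, built from the X.224 Connection Request and Connection Confirm structures in MS-RDPBCGR. It asks the server for standard RDP security only (requestedProtocols = 0); the reply tells you whether an exposed host would accept the plain brute-force tools named above, shows a logon screen behind TLS, or insists on Network Level Authentication. The three server answers embedded below are constructed for this example, not captured traffic; the live probe() function needs network access and should only be pointed at hosts you are authorized to test.

```python
"""Added example (not from the McAfee post): a minimal RDP security
negotiation probe, built from MS-RDPBCGR sections 2.2.1.1 and 2.2.1.2.

It sends an X.224 Connection Request carrying an RDP_NEG_REQ that asks
for standard RDP security only.  Only probe hosts you are authorized to test.
"""
import socket
import struct

PROTOCOL_RDP = 0x00000000      # standard RDP security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001      # TLS, logon screen still reachable
PROTOCOL_HYBRID = 0x00000002   # CredSSP (Network Level Authentication)

# RDP_NEG_FAILURE failureCode values
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (19 bytes)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)        # type, flags, length, protocols
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req    # LI, CR, dst-ref, src-ref, class
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224                    # TPKT version 3, total length


def parse_connection_confirm(data):
    """Decode the X.224 Connection Confirm the server sends back."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a complete TPKT/X.224 response")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:5 + li]                      # bytes after the six fixed TPDU fields
    if len(neg) < 8:                           # no RDP_NEG_RSP: server predates negotiation
        return {"negotiation": False, "selected_protocol": PROTOCOL_RDP, "failure": None}
    ntype, _flags, _length, value = struct.unpack("<BBHI", neg[:8])
    if ntype == 0x02:                          # RDP_NEG_RSP
        return {"negotiation": True, "selected_protocol": value, "failure": None}
    if ntype == 0x03:                          # RDP_NEG_FAILURE
        return {"negotiation": True, "selected_protocol": None, "failure": FAILURE_CODES.get(value, value)}
    raise ValueError(f"unknown negotiation structure type {ntype:#x}")


def classify(result):
    """Verdict for a probe that asked for PROTOCOL_RDP only."""
    if not result["negotiation"] or result["selected_protocol"] == PROTOCOL_RDP:
        return "WEAK: standard RDP security accepted (no TLS, no NLA)"
    if result["failure"] == "HYBRID_REQUIRED_BY_SERVER":
        return "OK: NLA required, credentials checked before any logon screen"
    if result["failure"] == "SSL_REQUIRED_BY_SERVER":
        return "PARTIAL: TLS required but NLA not enforced, logon screen exposed"
    return f"negotiation refused: {result['failure']}"


def probe(host, port=3389, timeout=5.0):
    """Live probe against one host; needs network access to the target."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        return classify(parse_connection_confirm(s.recv(1024)))


# Constructed server answers (not captured traffic) for offline use.
SAMPLE_RESPONSES = {
    # RDP_NEG_RSP selecting PROTOCOL_RDP: the kind of host an RDP shop sells
    "accepts_standard_rdp": b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00" + b"\x02\x00\x08\x00\x00\x00\x00\x00",
    # RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER
    "requires_nla": b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00" + b"\x03\x00\x08\x00\x05\x00\x00\x00",
    # Connection Confirm with no rdpNegData at all (server predates negotiation)
    "legacy": b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(f"{name:22} -> {classify(parse_connection_confirm(raw))}")
```

Run probe() over the address list from an inventory of externally reachable systems; any host that comes back "WEAK" or "PARTIAL" is exactly what the shops stock, because a logon screen that can be reached before authentication is what the brute-force tools need. The same exchange is what Shodan-style scanners perform when they fingerprint port 3389.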

Remotely accessing systems is essential for system administrators to perform their duties. Yet they must take the time to set up remote access in a way that is secure and not easily exploitable. RDP shops are stockpiling addresses of vulnerable machines and have reduced the effort of selecting victims to a simple online purchase.

Governments and organizations spend billions of dollars every year to secure the computer systems we trust. But even a state-of-the-art solution cannot provide security when the backdoor is left open or carries only a simple padlock. Just as we check the doors and windows when we leave our homes, organizations must regularly check which services are accessible from the outside and how they are secured. Protecting systems requires an integrated approach of defense in depth and a proactive attitude from every employee.