Unsecure RDP Connections are a Widespread Security Failure
While ransomware, last year’s dominant threat, has taken a backseat to cryptomining attacks in 2018, it has by no means disappeared. Instead, ransomware has become a more targeted business model for cybercriminals, with unsecured remote desktop protocol (RDP) connections becoming the favorite port of entry for ransomware campaigns.
RDP connections first gained popularity as attack vectors back in 2016, and early success has translated into further adoption by cybercriminals. The SamSam ransomware group has made millions of dollars by exploiting the RDP attack vector, earning the group headlines when they shut down government sectors of Atlanta and Colorado, along with the medical testing giant LabCorp this year.
Think of unsecured RDP like the thermal exhaust port on the Death Star—an unfortunate security gap that can quickly lead to catastrophe if properly exploited. Organizations are setting up remote desktop solutions inadequately, leaving their environment wide open for criminals to penetrate with brute force tools. Cybercriminals can easily find and target these organizations by scanning for open RDP endpoints using search engines like Shodan. Even lesser-skilled criminals can simply buy RDP access to already-hacked machines on the dark web.
Once a criminal has desktop access to a corporate computer or server, it’s essentially game over from a security standpoint. An attacker with that access can disable endpoint protection or use exploits to make sure their malicious payload will run. There are a variety of payload options available to the criminal for extracting profit from the victim as well.
Common RDP-enabled threats
Ransomware is the most obvious choice, since its business model is proven and desktop access lets the perpetrator “case the joint”: browsing all data on the system or shared drives to determine how valuable it is and, by extension, how large a ransom can be requested.
Cryptominers are a more recent payload option for criminals who get in via RDP. Once inside a system, they can see all of the installed hardware and, if substantial CPU and GPU capacity is available, use it to mine cryptocurrencies such as Monero. This is often instantly profitable, requires no payment action from the victim, and can therefore go undetected indefinitely.
Solving the RDP Problem
The underlying problem that opens up RDP to exploitation is poor education. If more IT professionals were aware of this attack vector (and the severity of damage it can lead to), the proper precautions could be followed to close the gap. One of the best solutions we recommend is simply restricting RDP to a whitelisted IP range, so that only a VPN or jump host can reach the RDP port (3389 by default) at all.
However, the reality is that too many IT departments are leaving default ports open, maintaining lax password policies, or not training their employees on how to avoid phishing attacks that could compromise their system’s credentials. Security awareness education should be paramount as employees are often the weakest link, but can also be a powerful defense in preventing your organization from compromise.
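The two controls above (an IP whitelist for RDP and attention to password policy) can be checked from the other side, in the logs. The following is an added example, not code from the original post: it reads Windows Security logon events, keeps only RDP logons (logon type 10), flags any source that fails a burst of logons inside a short window, notes whether that source is outside the assumed whitelist, and reports a success that follows the burst, which is the signature of a guessed password. The event export format, the whitelist range, the thresholds and the sample lines are all constructed for illustration.

```python
"""Added example (not from the original post): detect RDP brute forcing and
RDP logons from outside an IP whitelist in Windows Security events.

Assumptions: events are exported as tab-separated lines of
EventID, timestamp, account, source IP, logon type (4625 = failed logon,
4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP).
The whitelist, thresholds and sample lines are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed: the only legitimate RDP sources are the VPN pool / jump host range.
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample: a password spray from the internet followed by a hit,
# then a normal user from the internal range.
SAMPLE_EVENTS = """\
4625\t2018-07-01T02:00:01\tadministrator\t203.0.113.7\t10
4625\t2018-07-01T02:00:02\tadmin\t203.0.113.7\t10
4625\t2018-07-01T02:00:03\tbackup\t203.0.113.7\t10
4625\t2018-07-01T02:00:04\tscan\t203.0.113.7\t10
4625\t2018-07-01T02:00:05\tsupport\t203.0.113.7\t10
4624\t2018-07-01T02:00:06\tsupport\t203.0.113.7\t10
4625\t2018-07-01T08:15:00\tjsmith\t10.0.5.23\t10
4624\t2018-07-01T08:15:20\tjsmith\t10.0.5.23\t10
4624\t2018-07-01T09:00:00\tjsmith\t10.0.5.23\t2
"""


def parse_events(text):
    """Parse the tab-separated export into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, ts, account, src, logon_type = line.split("\t")
        events.append({
            "id": int(event_id),
            "time": datetime.fromisoformat(ts),
            "account": account,
            "src": ipaddress.ip_address(src),
            "logon_type": int(logon_type),
        })
    return events


def in_whitelist(addr):
    """True if the source address falls inside an allowed RDP range."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return any(addr in net for net in ALLOWED_RDP_SOURCES)


def analyze_rdp(events, max_failures=5, window_seconds=60):
    """Per source IP, report: brute_force (>= max_failures failed RDP logons
    inside window_seconds), outside_whitelist, success_after_failures (a
    4624 following the burst, i.e. a guessed password) and accounts tried."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 10:          # only RDP logons matter here
            by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e["time"] for e in evs if e["id"] == 4625]
        brute = False
        # sliding window over the failure timestamps
        for i in range(len(failures) - max_failures + 1):
            span = failures[i + max_failures - 1] - failures[i]
            if span.total_seconds() <= window_seconds:
                brute = True
                break
        success_after = brute and any(
            e["id"] == 4624 and e["time"] >= failures[-1] for e in evs)
        findings[str(src)] = {
            "brute_force": brute,
            "outside_whitelist": not in_whitelist(src),
            "success_after_failures": success_after,
            "accounts_tried": sorted({e["account"] for e in evs if e["id"] == 4625}),
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyze_rdp(parse_events(SAMPLE_EVENTS)).items():
        print(ip, f)
```

Run against the sample, 203.0.113.7 is reported as a brute-force source outside the whitelist whose spray ended in a successful logon; the internal user who mistyped a password once is not. In production the whitelist check is the more important of the two, because if the firewall rule is right the internet-sourced events should never appear at all, and any that do mean the rule has drifted.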
3 Cyber Threats IT Providers Should Protect Against
[Infographic, not reproduced here: tips to combat ransomware, tips to combat phishing, and tips to combat brute force attacks]
Leveraging Common Cyber Attacks to Improve Business
As an IT service provider, it’s important to remember that communication is everything. With clients, I recommend you define what exactly you’re protecting them against in an effort to focus on their top cybersecurity concerns. If you “profile” certain attack vectors using common attacks types, like ransomware, phishing, and brute force attacks, you’ll be able to clearly communicate to clients exactly what it takes to protect against their biggest risks and which technologies are necessary to remain as secure as possible.
Crime and Crypto: An Evolution in Cyber Threats
Cybercriminals are constantly experimenting with new ways to take money from their victims. Their tactics evolve quickly to maximize returns and minimize risk. The emergence of cryptocurrency has opened up new opportunities to do just that. To better understand today’s threat landscape, it’s worth exploring the origins of cryptocurrencies and the progress cybercriminals have made in using it to advance their own interests.
The FBI screen lock
Many readers may remember the infamous FBI lock malware that would pop up and prevent users from using their computer at startup. The malware presented the (false) claim that the victim had downloaded copyrighted material illegally or had watched pornography.
This was a common and successful scam that made millions globally by localizing the “official” police entity in order to legitimize the threat. The money it made was transferred via Ukash and MoneyPak, which were essentially gift cards available at local convenience stores that could be loaded with specified amounts of cash. Victims would enter the PIN on the back of the card to pay the criminals.
This method of collecting money wasn’t without risks for criminals, however. If enough victims reported the scam to law enforcement, they would try to find and identify those responsible (attention criminals obviously tried to avoid).
Bitcoin and Silk Road
While the Ukash and MoneyPak scams were still alive and well, another popular and anonymous black market called Silk Road was experimenting with Bitcoin as a payment system.
Silk Road was essentially an underground market on the dark web for goods otherwise illegal or extremely difficult to purchase in most countries. The site’s buyers and sellers remained effectively anonymous to one another and were almost impossible to track. For years this marketplace thrived and proved the efficacy of Bitcoin as a transactional system. Its success came to an abrupt halt in 2013, however, when the FBI seized Silk Road and arrested its founder.
The shutdown initially caused a nosedive in Bitcoin’s market price, but it quickly bounced back and surpassed its value even at the height of Silk Road.
So, what contributed to the shift?
The first variants of Cryptolocker ransomware were seen in late September 2013. In terms of criminal business models, it was an instant success. Soon, many variants were infecting users around the world. Early editions accepted the still widely-used Ukash and MoneyPak as payment, but with a twist. Cryptolocker would provide a discount for Bitcoin payments. The proverbial Rubicon had been crossed in terms of cryptocurrencies receiving preferential treatment from cybercriminals. With ransomware rapidly rising to the top of the threat landscape, Bitcoin saw corresponding growth as fiat currencies were exchanged for it so ransoms could be paid.
Is Bitcoin Anonymous?
Not really. Since all Bitcoin transactions are recorded on a public ledger, they are available for anyone to download and analyze. Each time a victim pays a ransom, they’re given a Bitcoin address to which to send payment. All transactions to and from this address are visible, which, incidentally, is how the success of many ransomware campaigns is measured.
When a criminal wants to cash out Bitcoin, they typically need to use an exchange that collects personally identifiable information. So, if a criminal isn’t careful, the address their victim paid can be tracked all the way to the criminal’s exchange deposit address. Law enforcement can then subpoena the exchange to identify the criminal. Criminals, however, are often able to keep this situation from unfolding by using tactics that prevent their “cash out” address from being linked to the ransom address.
For a time, Bitcoin “mixers”, widely available on the dark web, offered to clean coins. They would split dirty coins into varying amounts, bounce them through a series of addresses, and deliver them to a fresh address, a process not unlike laundering physical cash. Yet the process was not foolproof and did not work indefinitely. Once cryptocurrencies had gained significant legitimate adoption, several projects were started to search Bitcoin blockchain transactions for fraudulent activity and to link addresses to known services. Chainalysis is one example.
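The tracing described in the last three paragraphs is a graph search. The following is an added example, not code from the original post: a constructed ledger in which two victims pay a ransom address, the criminal pushes the coins through a simple mixer that splits and recombines them, and the result is deposited at an address labelled as an exchange. A breadth-first search along spend edges finds the path from the ransom address to the exchange, and summing payments into the ransom address gives the campaign revenue figure the text mentions. The addresses, amounts and the exchange label are constructed; a real ledger tracks individual unspent outputs rather than addresses, but the traversal is the same.

```python
"""Added example (not from the original post): follow ransom payments across a
public ledger the way blockchain-analysis tooling does, and show why a naive
mixer only delays the trace.

Assumptions: the ledger is a constructed list of transactions; each spends a
set of input addresses and pays a set of (address, amount) outputs. The
addresses and the exchange label are illustrative, not real Bitcoin data.
"""
from collections import defaultdict, deque

# Constructed ledger. Real ledgers track outputs (UTXOs); addresses suffice here.
LEDGER = [
    {"txid": "t1", "inputs": ["victimA"],  "outputs": [("ransom1", 2.0)]},
    {"txid": "t2", "inputs": ["victimB"],  "outputs": [("ransom1", 1.5)]},
    # criminal sends the consolidated ransom wallet to a mixer
    {"txid": "t3", "inputs": ["ransom1"],  "outputs": [("mixIn", 3.5)]},
    # mixer splits into odd amounts and recombines through intermediate hops
    {"txid": "t4", "inputs": ["mixIn"],    "outputs": [("m1", 1.2), ("m2", 0.9), ("m3", 1.4)]},
    {"txid": "t5", "inputs": ["m1", "m3"], "outputs": [("m4", 2.6)]},
    {"txid": "t6", "inputs": ["m2", "m4"], "outputs": [("cashout", 3.5)]},
    # the cash-out address deposits to an exchange that performs identity checks
    {"txid": "t7", "inputs": ["cashout"],  "outputs": [("exchangeHot", 3.5)]},
    # unrelated legitimate activity landing at the same exchange
    {"txid": "t8", "inputs": ["merchant"], "outputs": [("exchangeHot", 0.3)]},
]

# Assumed label set, of the kind an analysis firm maintains for known services.
KNOWN_EXCHANGE_ADDRESSES = {"exchangeHot"}


def build_graph(ledger):
    """Map each address to the (txid, destination, amount) edges spending from it."""
    graph = defaultdict(list)
    for tx in ledger:
        for src in tx["inputs"]:
            for dst, amt in tx["outputs"]:
                graph[src].append((tx["txid"], dst, amt))
    return graph


def trace_to_exchange(ledger, start, exchanges=KNOWN_EXCHANGE_ADDRESSES):
    """Breadth-first search from `start` along spend edges. Returns the first
    path that reaches a labelled exchange address as a list of (txid, address)
    hops, or None if the coins never reach a known exchange."""
    graph = build_graph(ledger)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        addr, path = queue.popleft()
        if addr in exchanges:
            return path
        for txid, dst, _amt in graph[addr]:
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [(txid, dst)]))
    return None


def ransom_received(ledger, address):
    """Sum of payments into a ransom address: how campaign revenue gets measured."""
    return sum(amt for tx in ledger for dst, amt in tx["outputs"] if dst == address)


if __name__ == "__main__":
    print("received:", ransom_received(LEDGER, "ransom1"))
    print("path to exchange:", trace_to_exchange(LEDGER, "ransom1"))
```

The mixer in this ledger adds three hops but cannot hide the fact that every output descends from the ransom address, which is why a deposit at the exchange can still be linked back. A mixer that pools coins from many unrelated users does better: the search then reaches many exchange deposits, and the analyst has to fall back on amount and timing heuristics to pick the right one. That dilution, not invisibility, is all a mixer ever offered, and it is what Monero's design was meant to improve on.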
Ransomware takes multiple cryptocurrencies
In the spring of 2014, a new cryptocurrency arrived. Dubbed Monero, it filled Bitcoin’s shoes, but its public ledger cannot be analyzed the way Bitcoin’s can. Monero quickly became criminals’ most useful payment system to date. It uses ring signatures with decoy inputs and one-time stealth addresses to hide the sender and recipient of each transaction, making payments extremely hard to trace. As soon as criminals receive payment to a Monero wallet address, they can send it on to an exchange address and cash out clean, with no need to launder their earnings.
Monero started to see “mainstream” adoption by criminals in late 2016, when certain flavors of ransomware started experimenting with accepting multiple cryptocurrencies as payment, with Bitcoin, Ethereum, Monero, Ripple, and Zcash among the most common.
The Emergence of Cryptojacking
Monero has proven useful for criminals not just because it’s private. Its proof-of-work algorithm is also designed to be ASIC-resistant. Most cryptocurrencies use proof-of-work mining, but the algorithm used to mine them can usually be implemented in a purpose-built chip (an ASIC) that hashes it far more efficiently than the average personal computer. Monero’s algorithm is memory-hard so that ordinary CPUs and GPUs remain competitive, which is exactly what makes hijacked browsers and servers worth mining with.
The original purpose of crypto-mining scripts, as described by CoinHive, was to monetize site content by enabling visitors’ CPUs to mine Monero for the site’s owners. This isn’t money from thin air, though. Users are still on the hook for CPU usage, which arrives in the form of an electric bill. While it might not be a noticeable amount for one individual, the cryptocurrency mined adds up fast for site owners with a lot of visitors. While CoinHive’s website calls this an ad-free way to generate income, threat actors are clearly abusing the tactic at victims’ expense.
The screenshot accompanying the original post (not reproduced here) shows that merely visiting a Portuguese clothing website drives the CPU to 100 percent, with the browser process consuming as much CPU as it can get. If you’re on a newer computer and not doing much beyond browsing the web, a spike like this may not even be noticeable. But on a slower computer, just navigating the site would be noticeably sluggish.
Cryptojacking becomes 2018's top threat
Cryptojacking via hijacked websites hasn’t even been on the scene for a full year, and already it has surpassed ransomware as the threat affecting the highest number of devices. After all, ransomware requires criminals to execute a successful phishing, exploit, or RDP campaign to deliver their payload, defeat any installed security, successfully encrypt files, and send the encryption keys to a secure command and control server—without making any mistakes. Then the criminals still have to help the victim purchase and transfer Bitcoin before finally decrypting their files. It’s a labor-intensive process that leaves tracks that must be covered up.
For criminals, cryptojacking is night-and-day easier to execute compared to ransomware. A cybercriminal simply injects a few lines of code into a domain they don’t own, then waits for victims to visit that webpage. All cryptocurrency mined goes directly into the criminal’s wallet and, thanks to Monero, is already clean.
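Because the injection is just a script tag plus a few lines that start the miner, the same thing can be spotted by a web crawler or a proxy. The following is an added example, not code from the original post or from CoinHive: it parses a page's HTML, flags external scripts loaded from an assumed list of miner hosts, and flags inline scripts that call the CoinHive-style miner constructor. The host list and the API patterns are illustrative signatures (the CoinHive library was loaded as coinhive.min.js and started via a CoinHive.Anonymous object, but real blocklists are far larger and change constantly), and the sample page is constructed.

```python
"""Added example (not from the original post): scan a page's HTML for injected
browser-mining scripts.

Assumptions: MINER_HOSTS and MINER_API_PATTERNS are illustrative signatures
standing in for a maintained blocklist; SAMPLE_PAGE and CLEAN_PAGE are
constructed inputs.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MINER_HOSTS = {"coinhive.com", "coin-hive.com", "authedmine.com"}   # assumed blocklist
MINER_API_PATTERNS = [
    re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(", re.I),   # miner constructor
    re.compile(r"\bminer\.start\s*\(", re.I),                 # start call on the miner object
]


def _script_host(src):
    """Hostname of an external script URL; '' for relative paths."""
    if src.startswith("//"):
        src = "https:" + src
    if not src.lower().startswith(("http://", "https://")):
        return ""
    return (urlparse(src).hostname or "").lower()


def _is_miner_host(host):
    return host in MINER_HOSTS or host.endswith(tuple("." + h for h in MINER_HOSTS))


class MinerScanner(HTMLParser):
    """Collects (finding_type, evidence) tuples while the page is fed through."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._inline = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        self._inline = []
        src = dict(attrs).get("src")
        if src and _is_miner_host(_script_host(src)):
            self.findings.append(("external_miner_script", src))

    def handle_data(self, data):
        if self._in_script:               # script bodies arrive as CDATA chunks
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._inline)
            for pat in MINER_API_PATTERNS:
                m = pat.search(body)
                if m:
                    self.findings.append(("inline_miner_call", m.group(0).strip()))
                    break                 # one finding per script block is enough
            self._in_script = False


def scan_html(html):
    """Return the list of miner indicators found in the page."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: an ordinary shop page with the miner injected into it.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="https://cdn.example.com/jquery.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body><h1>Welcome</h1>
<script>
var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER', {throttle: 0.0});
miner.start();
</script>
</body></html>"""

CLEAN_PAGE = ("<html><body><script src='/static/app.js'></script>"
              "<script>console.log('hi')</script></body></html>")

if __name__ == "__main__":
    print(scan_html(SAMPLE_PAGE))   # two findings
    print(scan_html(CLEAN_PAGE))    # none
```

Signature matching of this kind catches the copy-and-paste injections the text describes, but it misses loaders that are obfuscated, served from a look-alike domain, or compiled to WebAssembly; pair it with the behavioural signal from the screenshot above, a browser tab pinned at 100 percent CPU.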
That’s why you should expect cryptojacking to be the preferred cyberattack of 2018.
For more analysis of modern cyber threats, including cryptojacking, check out Webroot’s 2018 Threat Report.
A Parent’s Guide to Online Safety
As the Internet becomes more common in homes across the world, children are using the Internet earlier and earlier. Kids use the Internet for everything from entertainment and games to communication and homework. As they get older, they will undoubtedly begin to experiment with downloading music or videos and exploring social networking sites. The more they explore online, the more they are at risk from predators and the more they put your PC and privacy at risk. The better educated you are about online risks, the more you will be able to keep your children safe. Webroot has conducted research about the gap between parents’ perceptions and kids’ online reality. We also have a handy guide for you to help you keep your children safe online.
9 Things You Can Teach Kids to Help Improve Online Safety
Before you allow your children to go online without your supervision, make sure you establish a set of rules that you can all agree on.
If you’re not sure where to start, here are some ideas on what to discuss with your kids to teach them about using the internet safely:
- Encourage your kids to share their internet experiences with you. Enjoy the internet along with your children.
- Teach your kids to trust their instincts. If they feel nervous about anything online, they should tell you about it.
- If your kids visit chat rooms, use instant messaging programmes, online video games, or other activities on the internet that require a login name to identify themselves, help them choose that name and make sure it doesn’t reveal any personal information about them.
- Teach your kids the difference between right and wrong is the same on the internet as it is in real life.
- Show your kids how to respect others online. Make sure they know that the rules for good behaviour don’t change just because they’re on a computer.
- Insist that your kids respect the property of others online. Explain that making illegal copies of other people’s work – music, video games, and other programs – is just like stealing it from a store.
- Tell your kids that they should never meet online friends in person. Explain that online friends may not be who they say they are.
- Teach your kids that not everything they read or see online is true. Encourage them to ask you if they’re not sure.
- Insist that your kids never give out your address, phone number, or other personal information, including where they go to school or where they like to play.
Secure and Productive From Day One
Getting workers the right access to the right apps and resources often takes days, even weeks. IT teams are often bogged down by manual processes, leading to downtime, inefficiencies, and possible security risks. And not only do employees need the correct apps and resources when they’re hired, but roles change and employees leave. IT must keep up with all of it, ensuring that access changes when employees change roles and is revoked when employees leave. Proper offboarding processes are vital to the security of an organization; without them, assets are left vulnerable and security risks increase.
Along with service and asset management, identity is essential to the success of an organization’s onboarding and offboarding process. Why? Let’s break down just how the identity of your employees is vital to them receiving or being denied the right access to apps and resources.
Onboarding and Offboarding the Identity Way
Here’s Jeff. He’s a marketing professional at your organization who needs access to a slew of apps and resources (perhaps Marketo, MS Suite, or even Slack for team communication). For Jeff to be provisioned these apps and resources, his identity means everything. What his role is, what computer he uses, where he likes to work (whether at home or at the office), how often he works – all are vital to the onboarding process.
And then, Jeff decides he doesn’t want to be a marketing professional at your organization anymore (perhaps he’s leaving to start his own business selling grass-fed, gluten-free butter). His access to specific apps and important resources should be denied – he won’t need them any longer. The offboarding process will happen in minutes, not months. Jeff’s identity makes it simple and easy to decommission his devices, deny him apps and resources, and ensure your org’s assets are secure.
Employee identity is the cornerstone of your organization’s success or failure here: without a proper grasp of your employees’ identities, IT has a difficult time enforcing complex access policies while onboarding and offboarding in the ever-changing, hybrid environment of the modern workplace. And if IT struggles, everyone struggles, especially your employees’ productivity.
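The joiner, mover and leaver cycle that Jeff walks through above is, mechanically, a reconciliation: derive the access a worker should have from their identity attributes, compare it with what they currently hold, and emit the difference as grants and revocations. The following is an added example written for this page; it is not Ivanti's code and not from the original post. The policy rules, app names and the Jeff record are constructed to mirror the example.

```python
"""Added example (not Ivanti's code, not from the original post): attribute-
based provisioning for the joiner/mover/leaver cycle. Desired entitlements
are derived from identity attributes; the reconciler diffs them against what
the worker currently holds and emits grant/revoke actions, so a role change
or a departure removes access instead of leaving it behind.

Assumptions: POLICY, the app names and the 'jeff' record are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Identity:
    user: str
    department: str
    status: str                     # "active" or "terminated"
    remote: bool = False
    devices: set = field(default_factory=set)


# Policy: (predicate over the identity, entitlements that rule grants).
# Every rule requires status == "active", so a terminated identity gets nothing.
POLICY = [
    (lambda i: i.status == "active",                                  {"email", "slack"}),
    (lambda i: i.status == "active" and i.department == "marketing",  {"marketo"}),
    (lambda i: i.status == "active" and i.department == "finance",    {"erp"}),
    (lambda i: i.status == "active" and i.remote,                     {"vpn"}),
]


def desired_entitlements(identity):
    """Attribute-based: the union of every rule whose predicate matches."""
    wanted = set()
    for predicate, grants in POLICY:
        if predicate(identity):
            wanted |= grants
    return wanted


def reconcile(identity, current):
    """Diff desired against current access and return the actions, sorted so
    the output is deterministic. Leavers also get their devices decommissioned."""
    wanted = desired_entitlements(identity)
    actions = [("grant", e) for e in sorted(wanted - current)]
    actions += [("revoke", e) for e in sorted(current - wanted)]
    if identity.status == "terminated":
        actions += [("decommission_device", d) for d in sorted(identity.devices)]
    return actions


def lifecycle_demo():
    """Joiner -> mover -> leaver for the constructed 'jeff' record."""
    jeff = Identity("jeff", "marketing", "active", remote=True, devices={"LT-0421"})
    day_one = reconcile(jeff, current=set())          # joiner: everything granted
    held = desired_entitlements(jeff)
    jeff.department = "finance"
    mover = reconcile(jeff, current=held)              # mover: marketo out, erp in
    held = desired_entitlements(jeff)
    jeff.status = "terminated"
    leaver = reconcile(jeff, current=held)             # leaver: all access revoked
    return day_one, mover, leaver


if __name__ == "__main__":
    for stage, actions in zip(("joiner", "mover", "leaver"), lifecycle_demo()):
        print(stage, actions)
```

The point to notice is the mover step: because access is recomputed from attributes rather than accumulated, Jeff loses the marketing tool when he changes department instead of carrying it into finance, which is how least privilege survives role changes. Manual processes almost always get this step wrong, leaving the old entitlements in place.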
Identity by Ivanti
Ivanti can help you answer the identity question for your organization. How? Let’s break it down.
The Solution: Automation with Ivanti Identity Director
By automating everything (and yes, we mean everything about the onboarding and offboarding process), IT can address both rising security risks and new, complex technology. Through automation, IT can balance the responsibility of meeting compliance and governance requirements while also providing workers with more flexibility than ever – that’s a win-win. IT knows your workers’ identities, onboards them accordingly, and they’re free to work effectively, with peace of mind and flexibility, until they need to be offboarded.
How do you achieve this IT-worker win? With Ivanti Identity Director powered by RES, of course!
With an attribute-based approach to identity and access management including automated provisioning, workflows, and self-service, workers are guaranteed access on day one based on their identity, the business remains secure if they ever leave the organization, and IT is free to get on with innovating.
As your organization becomes increasingly dependent on IT services, conventional approaches to managing identities and access and providing services to users just don’t cut it. But, by implementing Ivanti Identity Director powered by RES, your organization can handle the intensifying requirements of onboarding and offboarding processes with ease, efficiency, and excellence.