Staying Safe from RDP Brute Force Attacks. Best Practices to Protect Your Organization
One game we like to play while taking in the sights and sounds of interstate driving is the old classic “What am I?” It is a simple game: a family member thinks of a household item, animal, fruit or vegetable, and the other members try to guess what they “are” by asking a series of Yes or No questions. My kids also own the “official” board game version of this game, called HedBanz. The only twist to its rules is that each player wears a headband on their forehead holding a card that displays an animal, tool, food, etc., which they themselves must guess by asking similar Yes or No questions. The first player to guess their own card wins. The saying “there’s an app for it” also holds true for the “What am I” game: the most popular is the ‘Head’s Up!’ app made famous on The Ellen DeGeneres Show, where her guests place cellphones on their foreheads and try to guess things like blockbuster movies, superstars, etc.
As families begin packing their suitcases and flocking to beaches and state parks, guessing games and apps like “What am I” or “Head’s Up!” will kick into gear for the summer. However, I am also witnessing cybercriminals step up their guessing games in 2018! Unfortunately, the straightforward, time-passing fun of popular children’s games is not what I am referring to. Cyber attackers aren’t interested in passing the time but in breaching networks and client systems alike, stealing valuable information and inflicting (many times) irreparable damage on your computer systems. They are achieving this using a technique called a brute-force attack.
A brute-force attack targets servers and workstations directly, rather than indirectly (i.e., relying on a user to open an attachment, click a link, etc.), looking for an opening or hole into the system. In most cases an attacker (or the attacker’s tool) will attempt to guess the user’s password by trying passwords or passphrases repeatedly until one is correct. An industry-specific term for one form of this password guessing is “password spraying”. As a note to those of us who are not yet taking the concept of strong passwords seriously: there are many easily available brute-force techniques that can effectively crack weak passwords.
In many of the recent cases of new ransomware samples or other destructive malware I’ve analyzed, I have observed that cybercriminals are specifically using an RDP (Remote Desktop Protocol) brute force attack. In an RDP brute force attack, the attacker scans a list of IP ranges for the default RDP port, 3389, looking for an open connection. Once an open port is found, the brute force attack is launched. The technique is trial-and-error password guessing with a list of commonly used credentials, passphrases, dictionary words, and other combinations. Once access is established, the attacker can disable the system’s antivirus, firewall and other in-place security measures so that the malware payload can run without detection. This means that even if the user or administrator had the very best, top-notch antivirus installed (Thirtyseven4 Endpoint Security anyone?) and was diligently keeping it updated to protect against the thousands of new malware samples added daily, turning off the protection renders the system powerless. Again, the damage done by the executed malware can be irreversible, and it opens the door to future attacks and to confidential information being stolen and later released, causing significant embarrassment to the user or organization.
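As an added example that is not part of the original post, the following PowerShell summarises the repeated failed logons such an attack leaves in the Windows Security log (event 4625), grouped by source address. The 24-hour window and the threshold of 20 failures per source are assumptions to tune for your environment, and reading the Security log needs an elevated session.

```powershell
# Added example (not from the original post): summarise failed logons (Security
# event 4625) by source address to surface RDP password guessing. Read-only.
$Since     = (Get-Date).AddHours(-24)   # assumed look-back window
$Threshold = 20                         # assumed failures-per-source cut-off; tune locally

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

# Pull the fields we need out of each event's XML body
$records = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        LogonType = $data['LogonType']
        Account   = $data['TargetUserName']
        Source    = $data['IpAddress']
    }
}

# Interactive RDP failures are LogonType 10 (RemoteInteractive). When NLA is on,
# the CredSSP pre-authentication failure is logged as LogonType 3 (Network), so
# keep both and drop events with no usable source address.
$rdpLike = $records | Where-Object {
    $_.LogonType -in @('3', '10') -and $_.Source -and $_.Source -ne '-'
}

$summary = $rdpLike | Group-Object Source | Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            Source        = $_.Name
            Failures      = $_.Count
            # Many distinct account names from one source is the "spraying" pattern
            DistinctUsers = @($_.Group.Account | Sort-Object -Unique).Count
            First         = $times[0]
            Last          = $times[-1]
        }
    } | Sort-Object Failures -Descending

$summary | Format-Table -AutoSize
```

A source that shows up here with hundreds of failures against many different account names within minutes is the barrage the post describes, and is a candidate for blocking at the firewall.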
While our built-in Thirtyseven4 Firewall feature will effectively prevent RDP brute force attacks by allowing only trusted IP addresses to access the system via remote desktop, I wanted to mention a few other tips and suggestions that everyone can put into practice.
Some best practices to help prevent brute-force attacks:
- Use strong and unique passwords on user accounts that cannot be easily guessed. Weak passwords like admin, admin123, qwerty, 123456, password, spot (don’t we all have a dog named ‘Spot’?), etc., can be brute forced in just the first few attempts. Always remember the saying: “Strength in Length”. Your passwords should not only contain a mix of uppercase, lowercase and special characters but should also be at least 12 characters long.
- In addition to installing strong client-based security software, make sure to configure your endpoint security software with password protection. Doing so prevents any unauthorized user who may have breached or gained access to the system from disabling or uninstalling it. Thirtyseven4 users can enable this feature from Settings => Password Protection.
- Disable the built-in Administrator account and use a different account name for administrative activities. Most brute-force attempts are made against the Administrator account because it is present by default.
- Remove any other unused or guest accounts, especially any that are members of the Administrators group. You may have the strongest login credentials on this side of the Mississippi, but if the old default Admin\Admin account created by your former colleague was never disabled or deleted, your system is open for business.
- Take the time to change the RDP listening port from its default of 3389. While a full port scan by the attacker would still reveal the new port, most RDP attacks focus on port 3389.
- Enable the Network Level Authentication (NLA) feature in your RDP settings, available in Windows Vista and later: https://technet.microsoft.com/en-us/library/cc732713.aspx
- Configure account lockout policies that automatically lock an account after a specified number of failed attempts: https://technet.microsoft.com/en-us/library/dd277400.aspx
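As an added example that is not the author's or Thirtyseven4's code, this PowerShell audits a Windows host against the points above: RDP port, NLA, the built-in Administrator and Guest accounts, other local administrators, and the lockout threshold. It assumes Windows 10 / Server 2016 or later (for Get-LocalUser), English output from net accounts, and an elevated session; it changes nothing.

```powershell
# Added example (not from the original post): read-only audit of the RDP
# hardening points above. Assumes an elevated session on Windows 10 / Server 2016+.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
function New-Finding([string]$Check, $Value, $Ok) {
    [pscustomobject]@{ Check = $Check; Value = $Value; Ok = $Ok }   # Ok = $null means "review by hand"
}

$findings = @()

# RDP exposure: fDenyTSConnections = 1 means Remote Desktop is switched off
$rdpOn = (Get-RegValue $tsKey 'fDenyTSConnections') -ne 1
$findings += New-Finding 'Remote Desktop enabled' $rdpOn $null

# Listening port: 3389 is what the scanners described above look for first
$port = Get-RegValue $rdpKey 'PortNumber'
$findings += New-Finding 'RDP port' $port ($port -ne 3389)

# Network Level Authentication: UserAuthentication = 1 requires it
$nla = Get-RegValue $rdpKey 'UserAuthentication'
$findings += New-Finding 'NLA required' ($nla -eq 1) ($nla -eq 1)

# Built-in Administrator (RID 500) and Guest (RID 501) should both be disabled
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
$findings += New-Finding 'Built-in Administrator disabled' (-not $admin.Enabled) (-not $admin.Enabled)
$findings += New-Finding 'Guest disabled' (-not $guest.Enabled) (-not $guest.Enabled)

# Other members of the local Administrators group: anything unfamiliar here is the
# "old Admin\Admin account" case and should be removed or disabled
$extraAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.SID.Value -notlike '*-500' }
$findings += New-Finding 'Other local administrators' ($extraAdmins.Name -join ', ') $null

# Lockout threshold from local policy; 'Never' means attempts are unlimited.
# net accounts prints localized text, so this parse assumes an English system.
$lockLine  = (net accounts) | Select-String -Pattern 'Lockout threshold'
$threshold = ($lockLine.Line -split ':\s*')[-1].Trim()
$findings += New-Finding 'Lockout threshold' $threshold ($threshold -ne 'Never')

$findings | Format-Table -AutoSize
```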
While games like “What am I” and “HedBanz” can bring smiles and pass the time on a road trip, playing games with your network security is no laughing matter. Harmless questions asked to win a game stand in stark contrast to the repeated barrage of password attempts cybercriminals have programmed to penetrate your network until they find an “in”.
While students enjoy their summer break from school and many families plot and plan summer vacations (and activities for the ride), always be aware that not everyone is lounging around in the months of June, July and August. Cybercriminals are still hard at work exploiting you, your business and your livelihood. Remain vigilant, and utilize the above tips to arm yourself in the battle.
Let’s check ourselves with a little game of Cybersecurity “Who Am I?”
- Do I use strong passwords (12+ characters)?
- Do I use strong AV software, including password protection?
- Have I disabled the built-in Administrator account and used a different account name?
- Have I removed guest and unused accounts?
- Have I switched the RDP port away from the default 3389?
- Have I enabled the Network Level Authentication (NLA) feature in my RDP settings?
- Have I configured account lockout policies?
Winner! And even better than winning a round of “Who Am I”, by ensuring these policies are met you have won privacy for your data and your information, and your peace of mind. Now that’s worth playing for!