A presentation at Black Hat recently revealed that the creators of the “SamSam” ransomware have netted over $6M to date, attacking mostly medium-to-large public and private sector organizations. And they’re showing no signs of slowing down.
In the most recent SamSam attacks, the attackers concentrated their efforts on brute-forcing weak passwords on devices reachable over the Internet using Remote Desktop Protocol (RDP). Searching with a tool such as Shodan reveals thousands of IP addresses accessible over the Internet on port 3389, the default RDP port. While many of these devices may be secured, large numbers likely are not. The combination of efficient search and readily available brute-force tools makes it easy for bad actors to find and take over exposed RDP services that rely on weak credentials.
If you’re not using RDP, consider blocking port 3389 at your firewall.
If you are using it, or you aren't sure whether you are, we recommend taking these steps to help protect your organization from RDP attacks:
– Review your RDP configuration to ensure that it is as secure as possible (patching, updated software, etc.)
– Limit RDP access to only those users and devices that need it.
– Consider enhancing remote desktop security by installing a Remote Desktop Gateway, so that RDP hosts are not directly exposed to the Internet.
– Have an “account lockout policy” that will lock out user accounts after a certain number of failed login attempts, which will help thwart brute-force hacking attacks.
– Have a strong password policy.
– Implement two-factor authentication to ensure that a compromised password alone can’t let a bad actor onto your systems.
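The account-lockout recommendation above stops a brute-force run at the account level; the same pattern is also worth detecting at the source-IP level so the address can be blocked at the firewall. The following is an added example, not code from the original post: it scans a constructed sample of Windows Security events (ID 4625 is a failed logon, logon type 10 is RemoteInteractive, i.e. RDP) and flags any source that accumulates a threshold of failed RDP logons inside a sliding window. Thresholds, window and the sample events are assumptions.

```python
"""Flag RDP brute-force sources from Windows Security log records.

Event 4625 = failed logon; logon type 10 = RemoteInteractive (RDP).
The events below are a constructed sample, not real log data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2018-08-01T10:00:00", 4625, 10, "administrator", "203.0.113.5"),
    ("2018-08-01T10:00:02", 4625, 10, "admin", "203.0.113.5"),
    ("2018-08-01T10:00:03", 4625, 10, "backup", "203.0.113.5"),
    ("2018-08-01T10:00:05", 4625, 10, "administrator", "203.0.113.5"),
    ("2018-08-01T10:00:06", 4625, 10, "sqlsvc", "203.0.113.5"),
    ("2018-08-01T10:00:09", 4625, 10, "administrator", "203.0.113.5"),
    ("2018-08-01T10:01:00", 4625, 10, "jsmith", "198.51.100.7"),  # one typo
    ("2018-08-01T10:01:30", 4624, 10, "jsmith", "198.51.100.7"),  # then success
    ("2018-08-01T10:02:00", 4625, 3, "svc", "192.0.2.9"),  # network logon, not RDP
]


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: peak_failures} for every source that reached
    `threshold` failed RDP logons (4625 / type 10) within `window`."""
    recent = defaultdict(deque)  # source_ip -> timestamps of recent failures
    flagged = {}
    for ts, event_id, logon_type, _account, src in sorted(events):
        if event_id != 4625 or logon_type != 10:
            continue  # only failed RemoteInteractive logons count
        t = datetime.fromisoformat(ts)
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in rdp_bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {n} failed RDP logons within 5 minutes")
```

On the sample, only 203.0.113.5 is reported (six failures across several accounts in nine seconds); the single mistyped password from 198.51.100.7 and the non-RDP failure from 192.0.2.9 are ignored.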