Threat Update
Hacker group UAS has had 1.3 million RDP credentials for Windows servers leaked by security researchers. The compromised credentials could possibly allow a malicious actor to log into a compromised RDP server. It is imperative to keep best security practices when handling Windows RDP servers, as it could allow an attacker to access confidential information and grant more insight into a network. Best security practices should be applied, including keeping a strong password policy and not having the remote desktop protocol open to the internet.
Technical Detail & Additional Information
WHAT IS THE THREAT?
The usernames and passwords for 1.3 million RDP servers have been leaked by a hacker marketplace. Servers affected would be exposed to threat actors logging in with these compromised credentials. Logging in via RDP is an easy way for an attacker to get confidential information stored within the internal network, pivot within the network, or possibly perform other malicious tasks. The FBI has previously reported that RDP is responsible for 70-80% of all network breaches.
WHY IS IT NOTEWORTHY?
This threat is especially noteworthy due to the high risk that derives from compromised credentials. Once logged into the network, an attacker can deploy various methods to maintain persistence or cause havoc within the network. The security researchers have had access to the database for over three years and have shared it with Vitali Kremez, who has in turn launched a service called RDPwned that allows companies and their admins to check if their servers are listed in the database. It is absolutely imperative to ensure RDP servers are protected and strong password policies are in place to prevent things like this from occurring.
WHAT IS THE EXPOSURE OR RISK?
Once an attacker has been granted access to the network via compromised RDP credentials, an attacker can perform various malicious activities. Maintaining persistence to gather more confidential information may be some attacker’s goals, but others may want to wreak havoc and destroy business operations. For example, threat actors could deploy ransomware within the network or destroy important data critical to business functions. Others could also use their access to the network to steal credit card information or create backdoors for other attackers to access.
WHAT ARE THE RECOMMENDATIONS?
There are various best security practices to follow:
Keep a strong password policy, including but not limited to:
- Ensure passwords are at minimum 8-14 characters, including alphanumeric characters and symbols.
- Set a password expiration policy after 30-90 days.
- Create a password history going back 5 passwords so that users cannot change their password to a previously used password.
- Make sure there is a time limit before users can change their password so that they cannot circumvent the password history.
- Prevent password sharing to ensure that they are secret and known only to the user.
- Implement two factor authentication on RDP servers
- Ensure RDP servers are behind a firewall and are not open to the internet to prevent external threat actors from trying to attack them
- Check whether or not your RDP server has had its credentials compromised with RDPwned: https://rdpwned.adv-gate.com/
- Ensure SKOUT’s Endpoint Protection is installed on the assets that you most critically need to protect.
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/logins-for-13-million-windows-rdp-servers-collected-from-hacker-market/
- https://www.bleepingcomputer.com/news/security/fbi-says-140-million-paid-to-ransomware-offers-defense-tips/
- https://rdpwned.adv-gate.com/
If you have any questions, please contact our Security Operations Center.
