Friday, July 3, 2020

Brute force attacks targeting RDP grew during pandemic

The COVID-19 pandemic has radically changed the nature of daily work, forcing employees to do much of it through remote access. Aware of the shift, cyber criminals - especially ransomware operators - are trying to exploit the new opportunities to increase their profits. Data from ESET telemetry confirms this trend: the number of unique clients reporting brute force attack attempts blocked by ESET network attack detection technology has grown.

Before lockdown, many of the employees who work remotely today did so from the office, on infrastructure monitored and controlled by their IT department. The new coronavirus pandemic caused a major change in the daily dynamics of many sectors globally. Today, a large percentage of "office" work is done from home devices by employees who access confidential company systems through Windows Remote Desktop Protocol (RDP), a solution created and patented by Microsoft to allow connection to the corporate network from remote computers.



Related reading: 42% of companies were not prepared to telework safely

Despite the growing importance of RDP (as well as other remote access services), organizations often neglect its proper configuration and protection. Employees use easy-to-guess passwords and do not use additional layers of authentication or protection, making it easier for cybercriminals to compromise an organization's systems.

That is probably also the reason why RDP has become such a popular attack vector in recent years, especially among ransomware operators. These cybercriminals typically carry out brute force attacks against poorly secured networks, raise their permissions to the administrator level, disable or uninstall security solutions, and finally run ransomware that encrypts data that is crucial to the victim.

The data provided by ESET telemetry (see Figure 1) demonstrates a notable increase in the number of unique clients reporting an attack attempt via RDP.


Figure 1. Trend of attack attempts via RDP against unique clients (per day), detected by ESET technologies

Protection against brute force attacks
To address the risk of increased RDP use, ESET researchers have devised a new detection layer built into the ESET Network Attack Protection engine and designed to block incoming brute force attacks from external IP addresses, covering both the RDP and SMB protocols.

Called ESET Brute-Force Attack Protection, this new security layer detects clusters of failed login attempts from external environments, which suggest an incoming brute-force attack, and then blocks further attempts. The IP addresses behind the most significant attack attempts are subsequently added to a blacklist that protects millions of other devices from future attacks.

The new technology has proven effective against both random and targeted attacks. For it to work properly, the RDP Network Level Authentication (NLA) option must be enabled on the server.
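The detection idea described above (a cluster of failed logins from one external address inside a short window, followed by blocking) can be reproduced on a single Windows host from its own Security log. The script below is an added example, not ESET's code: it runs the clustering over a constructed set of events shaped like Windows Security Event ID 4625 (failed logon, Logon Type 10 = RemoteInteractive), reports which external source addresses exceed the threshold, and shows how a reported address would be blocked with a Windows Firewall rule. The threshold, window and sample addresses are assumptions chosen for illustration.

```powershell
# Added example (not ESET's code): flag external source IPs that produce a cluster
# of failed RDP logons within a short window, and optionally block them.
# $events below is a constructed sample shaped like Security Event ID 4625.
# On a real host you would build it from:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 }

function Test-PrivateIPv4 {
    # RFC 1918 ranges: failures from inside the LAN are not "external" attempts
    param([string] $Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int] $_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 192 -and $o[1] -eq 168) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31)
}

function Get-BruteForceSources {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 5,        # failures inside one window that count as a cluster
        [int] $WindowSeconds = 60
    )
    $Events |
        Where-Object { $_.LogonType -eq 10 -and -not (Test-PrivateIPv4 $_.SourceIp) } |
        Group-Object SourceIp |
        ForEach-Object {
            $times = @($_.Group | Sort-Object Time | ForEach-Object { $_.Time })
            # sliding window over the sorted timestamps: densest run of failures
            $peak = 0; $start = 0
            for ($end = 0; $end -lt $times.Count; $end++) {
                while (($times[$end] - $times[$start]).TotalSeconds -gt $WindowSeconds) { $start++ }
                $peak = [Math]::Max($peak, $end - $start + 1)
            }
            if ($peak -ge $Threshold) {
                [pscustomobject]@{
                    SourceIp      = $_.Name
                    PeakFailures  = $peak
                    TotalFailures = $times.Count
                    Accounts      = ($_.Group.User | Sort-Object -Unique) -join ','
                }
            }
        }
}

function Block-SourceIp {
    # Creates an inbound block rule for one address (requires an elevated session).
    param([Parameter(Mandatory)] [string] $Ip)
    New-NetFirewallRule -DisplayName "RDP brute force block $Ip" -Direction Inbound `
        -RemoteAddress $Ip -Action Block | Out-Null
}

# --- constructed sample events (not real telemetry) ---
$base   = [datetime]'2020-06-01T10:00:00'
$events = @()
# 203.0.113.10: eight failures in 35 seconds against two accounts -> cluster
foreach ($i in 0..7) {
    $events += [pscustomobject]@{ Time = $base.AddSeconds(5 * $i); SourceIp = '203.0.113.10'
                                  User = @('administrator', 'admin')[$i % 2]; LogonType = 10 }
}
# 198.51.100.7: three failures spread over eight minutes -> below threshold
foreach ($i in 0..2) {
    $events += [pscustomobject]@{ Time = $base.AddMinutes(4 * $i); SourceIp = '198.51.100.7'
                                  User = 'jsmith'; LogonType = 10 }
}
# 192.168.1.20: a user mistyping a password on the LAN -> excluded as internal
foreach ($i in 0..5) {
    $events += [pscustomobject]@{ Time = $base.AddSeconds(3 * $i); SourceIp = '192.168.1.20'
                                  User = 'jsmith'; LogonType = 10 }
}

$hits = Get-BruteForceSources -Events $events -Threshold 5 -WindowSeconds 60
$hits | Format-Table -AutoSize
# Only 203.0.113.10 is reported (PeakFailures 8, TotalFailures 8, Accounts admin,administrator).
# To enforce on a real host: $hits | ForEach-Object { Block-SourceIp -Ip $_.SourceIp }
```

The sliding window matters: a source that spreads a handful of guesses over many minutes (198.51.100.7 in the sample) stays below the threshold, while a burst is caught regardless of how long the log spans. Internal addresses are filtered out because the protection described in the article targets external sources; a separate, lower-threshold rule would be the place to catch lateral movement inside the network.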

According to the data provided by ESET telemetry, most of the IPs blocked between January and May 2020 were detected in the United States, China, Russia, Germany and France (see Figure 2).


Figure 2. Countries with the highest number of blocked IP addresses (between January 1 and May 31, 2020).

The countries with the largest percentage of targeted IP addresses were Russia, Germany, Japan, Brazil, and Hungary (see Figure 3).


Figure 3. Countries in which the majority of brute force attacks were recorded according to ESET telemetry data (between January 1 and May 31, 2020).

How to configure remote access correctly
Even with protection measures like ESET Brute-Force Attack Protection in place, organizations must still keep their remote access configured correctly. Some recommendations follow:

Disable RDP services exposed to the internet. If that is not possible, minimize the number of users who can connect directly to the organization's servers over the Internet.
Require strong and complex passwords for all accounts that can log in through RDP.
Use an additional layer of authentication (MFA / 2FA).
Install a virtual private network (VPN) gateway as an intermediary for all RDP connections from outside your local network.
In the perimeter firewall, disable external connections to local machines on port 3389 (TCP / UDP) or any other RDP port.
Protect your security software against possible alterations or uninstalls by setting a password to make changes to its configuration.
Isolate any unsafe or obsolete computers that must be accessed from the Internet using RDP and replace them as soon as possible.
See the article by renowned ESET researcher Aryeh Goretsky for a detailed description of how to correctly configure your RDP connection.
Most of these best practices apply to FTP, SMB, SSH, SQL, TeamViewer, VNC and other services as well.
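Several of the recommendations above (RDP disabled unless needed, NLA enabled, port 3389 not reachable from arbitrary addresses, a minimal set of accounts allowed to log in over RDP) can be checked from the host itself. The script below is an added example, not ESET's or Microsoft's code: it audits a Windows machine against those points and reports deviations, and a second function applies the two fixes that are safe to script (enabling NLA and replacing the open RDP allow rule with one limited to a VPN subnet). The VPN subnet 10.8.0.0/24 and the member-count threshold are assumptions chosen for illustration; run it from an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not ESET's or Microsoft's code): audit a Windows host against the
# RDP hardening recommendations above. $VpnSubnet is an assumption; use your own.

$VpnSubnet = '10.8.0.0/24'
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RegValue {
    param([string] $Path, [string] $Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-RdpHardeningFindings {
    $findings = @()

    # Is RDP enabled at all? fDenyTSConnections = 1 means remote desktop is off.
    if ((Get-RegValue $TsKey 'fDenyTSConnections') -ne 1) {
        $findings += 'RDP is enabled: disable it unless this host really needs remote desktop.'
    }

    # Network Level Authentication (also required by the brute-force protection layer).
    if ((Get-RegValue $RdpKey 'UserAuthentication') -ne 1) {
        $findings += 'NLA is disabled: the RDP listener accepts sessions before authentication.'
    }

    # Effective RDP port, and any enabled inbound allow rule exposing it to any address.
    $port = Get-RegValue $RdpKey 'PortNumber'
    if (-not $port) { $port = 3389 }
    $exposed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $af = $_ | Get-NetFirewallAddressFilter
            (@($pf.LocalPort) -contains "$port") -and (@($af.RemoteAddress) -contains 'Any')
        }
    foreach ($rule in $exposed) {
        $findings += "Rule '$($rule.DisplayName)' allows port $port from any address; limit RemoteAddress to $VpnSubnet."
    }

    # Who may log in over RDP? Broad principals defeat the "minimize users" advice.
    $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue)
    $broad = $members | Where-Object { $_.Name -match 'Everyone|Authenticated Users|Domain Users' }
    foreach ($m in $broad) { $findings += "Remote Desktop Users contains broad principal '$($m.Name)'." }
    if ($members.Count -gt 5) {   # assumption: more than five direct members deserves review
        $findings += "Remote Desktop Users has $($members.Count) members; review each one."
    }

    return $findings
}

function Set-RdpHardening {
    # Applies the fixes that can be scripted safely; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $AllowedSubnet = $VpnSubnet,
        [int]    $Port = 3389
    )
    if ($PSCmdlet.ShouldProcess('RDP-Tcp listener', 'Enable Network Level Authentication')) {
        Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess("port $Port from $AllowedSubnet", 'Replace open RDP allow rule')) {
        # The built-in "Remote Desktop" rule group is disabled; one narrow rule takes its place.
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
        New-NetFirewallRule -DisplayName "RDP from $AllowedSubnet only" -Direction Inbound `
            -Protocol TCP -LocalPort $Port -RemoteAddress $AllowedSubnet -Action Allow | Out-Null
    }
}

$report = Get-RdpHardeningFindings
if ($report.Count -eq 0) { 'No RDP hardening findings.' } else { $report }
# Set-RdpHardening -WhatIf    # preview the changes before applying them
```

The audit reads the same registry values the Remote Desktop settings UI writes, so it reflects what the listener actually enforces rather than what policy intends. Strong passwords, MFA, and tamper protection for the security product are not checked here because they live in the identity provider and in the security software's own configuration, not on the host's RDP listener.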
