Attackers target critical flaw in popular networking gear

The vulnerability, which received the highest possible severity score, leaves thousands of devices at risk of being taken over by remote attackers. A patch is available.

F5 Networks, one of the world’s leading providers of enterprise networking equipment, has recently published a security advisory about a critical vulnerability that impacts its BIG-IP multi-purpose networking devices and “may result in complete system compromise”. The company has also released a patch plugging the security hole, all the while multiple security experts report that attackers are already deploying exploits targeting the flaw.

Evidence of miscreants actively trying to exploit the vulnerability was recorded as early as July 4th, with the first attempts coming out of Italy. NCC Group also recorded increased activity over the next few days on the honeypots that it’d set up to bait potential attackers.

Other researchers have publicly shared proof-of-concept (PoC) exploits for the vulnerability, showing how easy it is to compromise unpatched devices.

TMSH access in a matter of minutes 😱 (CVE-2020-5902). Of course this does require access to the management interface. pic.twitter.com/FcR2zRZBG9

— Yorick Koster (@yorickkoster) July 5, 2020

Indexed as CVE-2020-5902, the remote code execution (RCE) vulnerability in the Traffic Management User Interface (TMUI) of a line of BIG-IP products holds the “perfect” score of 10.0 on the Common Vulnerability Scoring System (CVSS) severity scale. According to Mikhail Klyuchnikov, a researcher at Positive Technologies who discovered the critical flaw, a hacker with access to the BIG-IP configuration utility could exploit the device remotely without authentication.

“The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network. RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation,” he added.

Klyuchnikov also uncovered another, though less severe, vulnerability in BIG-IP that earned a severity score of “only” 7.5. Tracked as CVE-2020-5903, the cross-site scripting vulnerability in the BIG-IP configuration interface could allow a cybercriminal to run malicious code with the same rights as a logged-in user. Successful exploitation of the flaw could even lead to a full compromise of the device.

While F5 Networks disclosed the vulnerabilities and released patches last Wednesday, many devices remain unpatched. The United States Cyber Command also issued an alert about the flaws and urged everyone to install the updates post-haste. F5 Networks counts 48 out of the Fortune 50 among its clients and its devices are used by governments as well.

URGENT: Patching CVE-2020-5902 and 5903 should not be postponed over the weekend. Remediate immediately. https://t.co/UBKECuN7Vv

— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) July 3, 2020

At the time of the warning, a Shodan search turned up more than 8,000 BIG-IP devices connected to the internet. If your company uses any of the affected devices, you should patch them immediately. F5’s security advisories for both CVE-2020-5902 and CVE-2020-5903 feature the full list of affected devices and remediation steps.

7 Jul 2020 – 05:57PM

Raising children in the social media limelight? Pause before you post

How (over)sharing your children’s triumphs and antics with the world may impact their immediate and distant future – and how to reduce the risks of ‘sharenting’

Most people like to share glimpses of their personal lives on social media, ranging from sports activities and delicious food to achievements and special moments. These are usually shared with their network of family, friends, and sometimes followers. The usual reason is strengthening bonds, since your family and friendship circle can be dispersed all around the globe.

Those who are also parents often post photos of their children from a very early age, sometimes even in the form of ultrasounds. Strictly speaking, their children have a digital presence before they’re even born. And the sharing doesn’t stop there: teething, first steps, potty training, and a wide assortment of other achievements that some parents like to share well into their children’s teenage years.

The phenomenon of (over)sharing content involving one’s kids on social media has even earned its own name – sharenting. It’s all right to feel the need to document your children growing up, but it’s not OK to share their every waking moment on social media for everyone to see. Here are some reasons why.

Ultimately, it’s not your information

Although most parents obviously have the best interests of their children at heart, they also tend to be the biggest violators of their children’s privacy. According to a recent report from the Children’s Commissioner of England, parents post an average 1,300 photos and videos of their children by the age of 13. While parents share various aspects of their children’s lives with the best intentions, they should thoroughly think about what impact the sharing of this information could have for their children in the future. As their progeny grow up, some of the photos and details they have shared may have far-reaching consequences, which they are unaware of at the moment.

For example, parents may share pictures of their kids sporting T-shirts showing support for a political party or cause, with which their children might not want to be affiliated or even agree with when they grow up. Furthermore, it could prove difficult for them to shed the reputation their parents may have unintentionally cultivated for them by inappropriate sharenting.

While sharing the images of children is at the discretion of the parents when they are too young to understand or care, there comes a point where you have to have a discussion on posting about them on social media. You should make a set of rules on what content is acceptable and respect their opinions on the matter, including in what actually gets posted.

If you think the idea is novel, you’d be mistaken. Gwyneth Paltrow was called out by her daughter Apple Martin for not asking for her consent when the actress shared a mom-daughter photo. “Mom we have discussed this. You may not post anything without my consent,” wrote Apple, who was 14 at the time.

What am I sharing? And with whom?

Data on the internet is, by design, usually searchable, shareable, and long-lasting. Or in other words “what goes on the internet, usually stays there”. An important tidbit of internet etiquette that is frequently repeated is that you should think twice about what you’re sharing, something that should apply tenfold if you’re sharing someone else’s information, like your child’s.

Nonetheless, people tend to forget that something as banal as sharing a public photo of a child’s birthday party could cause a lot of harm if the photo made its way into the wrong hands. Let’s break down how much information one such post can include. At the very least, it could include:

  • a photo of the child, probably with a wish along the lines of “Happy 2nd birthday, John!”,
  • details that may reveal the location, such as landmarks,
  • other people, since it may be a group photo; this may be problematic too, as you need to be mindful of other people’s privacy,
  • a geotag if the parent hasn’t turned off location tracking.

Piecing the information together, we have the child’s name, birth date, and address. This information could be then used, for example, for identity theft and fraud.

Stacey Steinberg, associate director for the Center on Children and Families, also touched upon the perils of sharenting in her paper, Sharenting: Children’s privacy in the age of social media. One of the examples mentioned is of a mother who posted pictures of her twins’ toilet training. She later found out that strangers accessed these pictures, downloaded and altered them, and then shared those on a website used by pedophiles.


This and other of Steinberg’s examples demonstrate that people are sometimes woefully unaware of how easy it is for other people to download and store images shared on social media, or of how much information they contain. Which brings us to another question – who are you sharing these photos with?

The audience of your posts depends on where and with whom you choose to share them. If your social media profile is public, then literally anyone who stumbles upon your profile can see the content. However, if you keep it private, only those you have “friended” or allowed to follow you can see it. How many of them do you really know? When was the last time you conducted an audit of your friend or follower list?

Facebook, for example, allows you to choose an audience for each of your posts, so you can restrict them to specific family members and selected friends. But that presents its own set of problems. Can you trust them not to repost it? Do you believe that they adhere to proper cybersecurity and privacy practices and have everything locked down tighter than Fort Knox? These are questions parents probably don’t really ask themselves all that often when posting something, although they should.

How to be a responsible “sharent”?

The best and safest

The Fed shares insight on how to combat synthetic identity fraud

The Federal Reserve looks at ways to counter what is thought to be the fastest-growing type of financial crime in the country

The United States’ Federal Reserve has published advice for financial institutions located in the US on how to mitigate risks of synthetic identity payments fraud. Citing an analysis by the Auriemma Group, the Fed noted that synthetic identity fraud cost US lenders around US$6 billion and was responsible for 20% of credit losses in 2016.

Scammers usually create synthetic identities by piecing together bits and pieces of real and fake information, which includes Personally Identifiable Information (PII), such as names, Social Security Numbers (SSN), and addresses. They frequently target individuals who are less likely to check their credit information often, such as children, the elderly, or even homeless people. The advantage of this method for fraudsters is that synthetic identities act like legitimate accounts, which means they evade conventional means of fraud detection.

“This affords perpetrators the time to cultivate these identities, build positive credit histories, and increase their borrowing or spending power before ‘busting out’ – the process of maxing out a line of credit with no intention to repay,” warns the Federal Reserve.

The guidance, entitled “Mitigating Synthetic Identity Fraud in the U.S. Payment System”, is the third publication in a series of white papers dedicated to synthetic payments fraud; the previous two instalments were published last year and focused on defining and identifying this type of fraud.

In its newest whitepaper, the Fed points out that institutions shouldn’t rely only on one screening method to combat what a recent McKinsey report called “the fastest-growing type of financial crime” in the US. Instead, implementing a multi-layered approach that weds manual and technological data analysis places organizations in an optimal position to identify and mitigate cases of synthetic identity-related fraud.


While looking at the basic PII, such as SSNs, names, dates of birth and addresses, is a good starting point, experts say that broadening the scope to include additional data sources affords institutions the best chance of success in identifying fraudsters. Looking for common denominators, such as multiple users using the same SSN or checking for multiple accounts that were created from the same IP address, could help in identifying more cases.
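As an added illustration of the common-denominator screens just described (this is not the Fed's or any vendor's code), the following Python groups constructed account-opening records by SSN and by sign-up IP, flagging accounts whose SSN is claimed under more than one distinct name and date of birth, or whose IP opened several accounts. The record layout, sample values and thresholds are assumptions.

```python
# Added example: the "common denominator" screens the Fed guidance mentions,
# run over constructed account-opening records. Not the Fed's or any
# vendor's code; field layout, sample values and thresholds are assumptions.
from collections import defaultdict

# (account_id, full_name, ssn, date_of_birth, signup_ip); all values constructed.
ACCOUNTS = [
    ("A1", "Maria Lopez", "123-45-6789", "1985-02-11", "203.0.113.10"),
    ("A2", "Maria Lopez", "123-45-6789", "1985-02-11", "198.51.100.7"),  # same person, 2nd product
    ("A3", "John Carter", "123-45-6789", "2014-06-30", "203.0.113.10"),  # real SSN, new name, child DOB
    ("A4", "J. Carter",   "987-65-4321", "1990-09-01", "203.0.113.10"),
    ("A5", "Li Wei",      "555-55-5555", "1950-01-20", "192.0.2.44"),
    ("A6", "Ann Smith",   "555-55-5555", "2016-03-03", "203.0.113.10"),
    ("A7", "Omar Haddad", "111-22-3333", "1978-12-12", "198.51.100.9"),
]


def shared_ssn_conflicts(accounts):
    """SSNs claimed by more than one distinct (name, date of birth) pair,
    mapped to the set of identities using them. A synthetic identity often
    pairs a real SSN with invented or mismatched PII, so one SSN carrying
    several identities is the first signal to look for."""
    identities = defaultdict(set)
    for _, name, ssn, dob, _ in accounts:
        identities[ssn].add((name, dob))
    return {ssn: ids for ssn, ids in identities.items() if len(ids) > 1}


def accounts_per_ip(accounts, threshold=3):
    """Sign-up IPs that opened at least `threshold` accounts, with the ids."""
    by_ip = defaultdict(list)
    for acct_id, _, _, _, ip in accounts:
        by_ip[ip].append(acct_id)
    return {ip: ids for ip, ids in by_ip.items() if len(ids) >= threshold}


def risk_report(accounts, ip_threshold=3):
    """Per-account list of triggered screens; accounts with none are omitted.
    A real deployment would add further data sources; this keeps to the two
    screens the guidance names."""
    conflicts = shared_ssn_conflicts(accounts)
    hot_ips = accounts_per_ip(accounts, ip_threshold)
    report = {}
    for acct_id, _, ssn, _, ip in accounts:
        flags = []
        if ssn in conflicts:
            flags.append("ssn shared by %d identities" % len(conflicts[ssn]))
        if ip in hot_ips:
            flags.append("signup ip used by %d accounts" % len(hot_ips[ip]))
        if flags:
            report[acct_id] = flags
    return report


if __name__ == "__main__":
    for acct_id, flags in risk_report(ACCOUNTS).items():
        print(acct_id, "->", "; ".join(flags))
```

Note that A2, the genuine holder of a borrowed SSN, is flagged as well: that is intended, since the real person is the one whose credit file is being polluted.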

It is important to point out that there is no pixie dust that’ll make synthetic identity payment fraud disappear; there are many hurdles to overcome ranging from regulations on the state level to fraudsters switching up tactics. However, specialists think that a holistic approach consisting of a consistent definition of synthetic identity fraud, technological innovation, data solutions, and cooperation between the private and government sector could be the best way to mitigate this type of fraud in an effective manner.

6 Jul 2020 – 05:08PM

Week in security with Tony Anscombe

Brute-force attacks against RDP surge – Is contact tracing the answer to ending the COVID-19 crisis? – Microsoft ships urgent security updates

ESET researchers have released data that confirms a sharp increase in brute-force attacks against Remote Desktop Protocol connections during the pandemic-induced lockdowns. Also this week, we discussed the question of whether contact tracing can stem the COVID-19 pandemic while avoiding the privacy risks of location tracking. Meanwhile, Microsoft rushes out an emergency patch to fix a pair of serious vulnerabilities in its Windows Codecs library. All this – and more – on WeLiveSecurity.com.


Hundreds arrested after police crack encrypted chat network

European police infiltrate EncroChat, go on to crack down on crime kingpins and seize guns, drugs, cars and millions in cash

Law enforcement agencies in Europe recently cracked an instant messaging system used by organized crime before the ensuing police operation ultimately led to the arrests of more than 800 suspected criminals, mostly in the United Kingdom. The service, dubbed EncroChat, was used by 60,000 people worldwide to manage their criminal enterprises.

EncroChat’s operating system ran on specially customized Android phones that could switch between the two systems. The encrypted communication platform included features such as VoIP calls and self-destructing messages that would delete themselves from the user’s device after a certain time period elapsed, as well as a panic wipe feature, which would wipe the device clean of any data after a four-digit code was entered. The service sold these devices for £900 (US$1,120) a pop with an additional £1,350 (US$1,680) charged for a six-month subscription.

According to Motherboard, the breakthrough was achieved by the French authorities, which were able to penetrate the EncroChat network and install a technical tool that allowed European law enforcement agencies to read over a hundred million encrypted messages that were being sent through the service in real time.

Once the service realized that the jig was up and it had been compromised, it alerted its users on June 13th, telling them to ditch their devices. But apparently this warning came too late, as law enforcement swooped in to arrest hundreds of criminals in the UK, France, the Netherlands, Norway, and Sweden.

“The infiltration of this command and control communication platform for the UK’s criminal marketplace is like having an inside person in every top organized crime group in the country,” said Nikki Holland, Director of Investigations of the UK’s National Crime Agency.

In what is considered one of the UK’s most significant law enforcement operations ever, the NCA, Regional Organized Crime Units and police forces arrested 746 suspects and seized over £54 million (some US$67 million) in cash gained from illicit activities, as well as firearms, drugs, and high-end cars and luxury watches.

Meanwhile, France and the Netherlands have conducted separate operations and while France didn’t want to comment on ongoing investigations, their Dutch colleagues have arrested more than 100 suspects. “The expectation is that information will be made available in more than 300 investigations. In a number of cases, more arrests are very likely to follow in the coming period,” reads the press release by Europol, the EU’s law enforcement agency.

ESET security specialist Jake Moore, who used to work as a computer forensics examiner for the UK police, applauded what he called “a significant win against criminals”, but went on to warn that we haven’t seen the end of encrypted criminal communications. “Once a service such as EncroChat is shut down, it is quite normal to see another similar service crop up. This can be with the added benefits of an even more underground service that has learnt from its predecessor’s mistakes.”

Nevertheless, he ended his statement on a more positive note: “However, UK cyber-intelligence in the likes of GCHQ are closing the gap on criminal gangs that have had a head start, and it is likely we will start to see more good news stories on the disruption of more crime.”

3 Jul 2020 – 05:06PM

Thousands of MongoDB databases ransacked, held for ransom

The cybercriminal behind the ransom raids on almost 23,000 databases threatens to leak the data and alert GDPR regulators

An unknown cybercriminal has infiltrated 22,900 unsecured MongoDB databases, wiping their contents and leaving behind a ransom note demanding bitcoin in return for the data. If the ransom isn’t paid within two days, they threatened to notify authorities in charge of enforcing the European Union’s General Data Protection Regulation (GDPR).

According to ZDNet, which broke the story, the hacker is using automated scripts to scour the internet for MongoDB installations that face the internet with no password protection, deleting their contents, and asking for 0.015 bitcoins (some US$140) to return the data.
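An added example, not from ZDNet or the MongoDB project, of checking the two settings that put an instance in the category described above: the following Python audits a parsed mongod.conf (the dict PyYAML would return from the file; the sample configs are constructed inline) for net.bindIp / net.bindIpAll exposing the listener beyond localhost and security.authorization not being enabled.

```python
# Added example: audit the two mongod.conf settings behind "exposed and
# passwordless" MongoDB instances. Input is the dict PyYAML would produce
# from the YAML config file; the sample configs below are constructed.

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_mongod_config(config):
    """Return a list of findings for a parsed mongod.conf dict.

    Checks the documented options net.bindIp / net.bindIpAll (which
    interfaces mongod listens on) and security.authorization (whether
    clients must authenticate). Anything else is out of scope here."""
    net = config.get("net") or {}
    security = config.get("security") or {}
    findings = []

    # mongod binds to localhost unless told otherwise.
    bind_value = str(net.get("bindIp", "127.0.0.1"))
    bind_ips = [ip.strip() for ip in bind_value.split(",") if ip.strip()]
    bind_all = bool(net.get("bindIpAll", False))
    listens_outside = bind_all or any(ip not in LOOPBACK for ip in bind_ips)
    if bind_all or "0.0.0.0" in bind_ips or "::" in bind_ips:
        findings.append("listens on all interfaces (net.bindIp / net.bindIpAll)")
    elif listens_outside:
        findings.append("listens on a non-loopback address: %s" % ", ".join(bind_ips))

    auth_enabled = security.get("authorization") == "enabled"
    if not auth_enabled:
        findings.append("access control off (security.authorization is not 'enabled')")

    # The combination the ransom scripts look for: reachable and no password.
    if listens_outside and not auth_enabled:
        findings.append("CRITICAL: reachable off-host with no authentication")
    return findings


# Constructed configs: an exposed setup versus a hardened one.
EXPOSED_CONFIG = {
    "storage": {"dbPath": "/var/lib/mongodb"},
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
}
HARDENED_CONFIG = {
    "storage": {"dbPath": "/var/lib/mongodb"},
    "net": {"port": 27017, "bindIp": "127.0.0.1"},
    "security": {"authorization": "enabled"},
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongod_config(cfg) or ["no findings"])
```

Binding to an internal address with authorization enabled is reported as exposure but not as critical; whether that is acceptable depends on your network segmentation.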

The cybercriminal was even “thoughtful” enough to provide a guide on how to purchase bitcoins. It seems that the bad actor is using multiple bitcoin wallets and email addresses, but the wording of the threat remains consistent. If the conditions aren’t met, they threaten to leak the data and contact GDPR regulators.

Victor Gevers, a security researcher at the GDI Foundation, pointed out that the first few attacks lacked the data-wiping feature. Once the miscreant realized the mistake in their script, they amended it and started wiping the MongoDB databases. Instances of attacks using this particular ransom note have been recorded all the way back to April of this year.

The researcher, whose responsibilities include reporting exposed servers, stated that he noticed the wiped systems while checking on MongoDB databases he was supposed to report so they could be secured. “Today, I could only report one data leak. Normally, I can do at least between 5 or 10,” he told ZDNet.

While the demanded ransom may seem like a paltry sum, multiply it by the number of unsecured databases and it turns out that the malicious actor is trying to extort almost US$3.2 million in total. Although it’s safe to say that far from every affected entity will give in to the demands, the threat of GDPR fines may convince some to pay, since the ransom pales in comparison to the enormous fines that can be handed down by regulatory authorities.

Unsecured and misconfigured databases can hardly be considered an uncommon occurrence. In one notable example, ethical hackers left “friendly warnings” in exposed Amazon S3 cloud storage databases.

Attacks that involve infiltrating and holding cloud databases for ransom have been around since at least 2016. If you’re a MongoDB database administrator who’d rather avoid dealing with such extortion attempts, you might want to check out this MongoDB security manual or thumb through our five general tips for keeping your databases secure.

2 Jul 2020 – 04:43PM

Microsoft releases emergency update to fix two serious Windows flaws

The out-of-band update plugs two remote code execution bugs in the Windows Codecs library, including one rated as critical

Microsoft on Tuesday released emergency security patches to plug a pair of serious vulnerabilities in its Windows Codecs library that impact several Windows 10 and Windows Server versions. Indexed as CVE-2020-1425 and CVE-2020-1457, the two remote-code execution (RCE) flaws are rated as ‘critical’ and ‘important’ in severity, respectively.

Both security loopholes have to do with how Microsoft Windows Codecs Library handles objects in memory. An attacker who can exploit CVE-2020-1425 “could obtain information to further compromise the user’s system”, said Microsoft. Successful exploitation of the second flaw, meanwhile, could enable attackers to execute arbitrary code on the targeted machine. Each flaw was given the “exploitation less likely” rating on Microsoft’s Exploitability Index.

Details are very sparse and there’s no word on specific attack vectors, but Microsoft said that exploitation of either vulnerability “requires that a program process a specially crafted image file”. This could, for example, involve luring the target into downloading and opening a malicious image file shared via email or a compromised website.


The updates are being deployed automatically via Microsoft Store, rather than through the far more usual Windows Update process. “Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” said Microsoft.

In order to check if the updates have been implemented or to expedite the process, Microsoft provides this guidance. The company is not aware of any mitigations or workarounds for the two vulnerabilities.

1 Jul 2020 – 02:06PM

COVID‑19 contact tracing – technology panacea or privacy nightmare?

Can a technological intervention stem the pandemic while avoiding the privacy pitfalls of location tracking?

The UK Government recently announced that it was ceasing development of its current contact-tracing app; on the same day, the Canadian Government stated that it was developing one. All this in the same week that the Norwegian health authority had to delete all data gathered via its contact-tracing app and suspended further use due to a ruling by the Norwegian Data Protection Authority. And if these examples are not enough to demonstrate the utter confusion, the Australian app is reported to have a bug that stops iPhones from reporting possible close contacts.

It’s clear that there is no single or quick solution that is going to resolve the individual needs of the world’s health and government agencies that are attempting to use technology to assist in reducing the infection rates of COVID-19.

According to Wikipedia, more than 30 countries have, or are planning to release, apps designed to contact trace or geofence their users, for the purposes of limiting and managing the spread of COVID-19. The development cycle and distribution of these time-sensitive solutions is itself unprecedented. Ask the members of any app development team if they could develop an app and the infrastructure to support 100 million or more users in under three months and they would say no – and that’s after they stop laughing at the suggestion.

Coming to a phone near you

The concept of contact tracing is to inform people that they may have come into contact with another person who has contracted or is showing symptoms of an infectious ailment, in this case COVID-19. The recipient of the notification can then take precautionary measures, such as self-isolation. This has proven a successful tool to assist in eradicating other diseases such as smallpox and has been used to control others such as tuberculosis, measles and HIV. With large portions of the world population now carrying a smartphone, technology should be able to play an important role, which is why we are seeing a surge in the development of contact-tracing apps.

The majority of apps available are government sponsored and use a variety of different methods to fulfill their purpose, such as Bluetooth vs. GPS, centralized vs. decentralized, and not all are sensitive to maintaining the privacy of the user.

There are two main methods being used to glean the physical proximity of users. The first is the global positioning system (GPS): this uses satellite-based radio-navigation to approximate the individual’s location and the location of other app users. The second, more prominent, solution uses Bluetooth and signal strength to identify other app users’ proximity, allowing the devices to exchange handshakes rather than track actual location. There are some solutions that use a mix of both Bluetooth and GPS and some even use network-based location tracking, but these methods have significant location-tracking privacy issues and are fortunately limited to only a few developments. The primary technology in use by COVID-19 contact-tracing apps is Bluetooth, as it provides a higher level of privacy protection.


There is an underlying issue though: Bluetooth discovery is not enabled while a phone is locked and the app requesting it is not primary. Until now there has been no reason for this to be enabled. Early versions of apps such as BlueTrace, the Singapore government’s solution, relied on its users keeping their phones unlocked. The UK NHS beta app had a unique solution to this, at least for Android, but it would appear the limits implemented by Apple in iOS have meant that this was unachievable and has required developers to work with the official Apple and Google Exposure Notifications API.

The joint Google and Apple solution, Exposure Notifications API, preserves privacy and provides a method of using Bluetooth Low Energy and cryptography to provide a contact-tracing infrastructure. Use of the API is limited to public health authorities and access is only granted when specific criteria around privacy, security and data are met. However, this API is only part of a solution that an app needs to deliver the functionality needed. If an app requests personal information, either directly or by other methods, it could render this privacy-friendly solution questionable. The perception of a potential user of a contact-tracing app using this solution may be that the app, due to the Google and Apple solution, has been developed to preserve the privacy of the individual; this could give a false sense of security.

There is also speculation that the use of the Exposure Notification API and Bluetooth for proximity and distance measuring in iOS may not be accurate; this was alluded to by the UK Government when announcing the cessation of the development of its own solution. Some of the potential issues are detailed in an article published by MIT Technology Review: it claims that if a phone is standing up in your pocket in portrait rather than landscape, then this alone can adjust the received power and make it look like someone is across the room as opposed to being next to you. The research also mentions the issue of signals passing through bodies – for example, if two people are standing back to back, the signal may appear weak, and thus record an incorrect distance. The UK Government claims to have developed algorithms that alleviate some of these issues; let’s hope the tech giants at Apple are willing to at least explore the potential solution the NHS team claims to have.

Google and Apple’s solution joins eight other frameworks that have been created since the beginning of the pandemic. The frameworks have been created in parallel by a mix of technology companies, privacy organizations, academia and governments. If the world adopted one framework there would of course be standardization, but this also adds a single point of failure if the framework is compromised or fails to deliver the expected results. As frameworks have evolved,

Remote access at risk: Pandemic pulls more cyber‑crooks into the brute‑forcing game

Poorly secured remote access attracts mostly ransomware gangs, but can provide access to coin miners and backdoors too

The COVID-19 pandemic has radically changed the nature of everyday work, forcing employees to do large parts of their jobs via remote access. Cybercriminals – especially ransomware operators – are aware of the shift and attempt to exploit the new opportunities and increase their illicit earnings. ESET telemetry confirms this trend in an uptick in the number of unique clients who reported brute-force attack attempts blocked via ESET’s network attack detection technology.

Before the lockdown, most employees worked from the office and used infrastructure monitored and controlled by their IT department. But the coronavirus pandemic has brought a major shift to the status quo. Today, a huge proportion of “office” work occurs via home devices with workers accessing sensitive company systems through Windows’ Remote Desktop Protocol (RDP) – a proprietary solution created by Microsoft to allow connecting to the corporate network from remote computers.

Despite the increasing importance of RDP (as well as other remote access services), organizations often neglect its settings and protection. Employees use easy-to-guess passwords and with no additional layers of authentication or protection, there is little that can stop cybercriminals from compromising an organization’s systems.

That is probably also the reason why RDP has become such a popular attack vector in the past few years, especially among ransomware gangs. These cybercriminals typically brute-force their way into a poorly secured network, elevate their rights to admin level, disable or uninstall security solutions and then run ransomware to encrypt crucial company data.

The growing number of unique clients who have reported an RDP attack attempt is visible in data gathered by ESET telemetry (see Figure 1).

Figure 1. Trend of RDP attack attempts against unique clients (per day), detected by ESET technologies

Brute-force attack protection

To address the growing risks posed by increasing RDP use, ESET researchers have devised a new detection layer that is hidden under the hood of ESET Network Attack Protection and is designed to block incoming brute-force attacks from external IP addresses, covering RDP as well as SMB protocols.

Called ESET Brute-Force Attack Protection, this new layer detects groups of failed login attempts from external environments, which hint at an incoming brute-force attack, and then blocks further attempts. Subsequently, the biggest offenders among these IP addresses are added to a blacklist, which protects millions of devices from future attacks.

The new technology has proven to be effective against both random and targeted attacks. For it to work properly, the RDP option Network Level Authentication (NLA) on the server must be enabled.
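An added example (not ESET's implementation) of the kind of detection the layer above describes: the following Python reads constructed failed-logon records in the style of Windows Security event 4625, counts failures per source inside a sliding window, blocks only external sources that cross the threshold, and ranks offenders for a longer-lived block list. The log format, thresholds and the internal address ranges are assumptions.

```python
# Added example: brute-force detection over failed-logon records, in the
# spirit of the layer described above (not ESET's implementation). The log
# format mimics Windows Security event 4625 exported as text; thresholds
# and the internal address list are assumptions.
import ipaddress
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records; 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOG = """\
2020-05-14T09:12:01Z 4625 user=administrator src=203.0.113.5
2020-05-14T09:12:02Z 4625 user=admin src=203.0.113.5
2020-05-14T09:12:02Z 4625 user=test src=203.0.113.5
2020-05-14T09:12:03Z 4625 user=scan src=203.0.113.5
2020-05-14T09:12:04Z 4625 user=backup src=203.0.113.5
2020-05-14T09:12:05Z 4625 user=guest src=203.0.113.5
2020-05-14T09:12:30Z 4625 user=jsmith src=10.0.0.23
2020-05-14T09:12:31Z 4625 user=jsmith src=10.0.0.23
2020-05-14T09:12:33Z 4625 user=jsmith src=10.0.0.23
2020-05-14T09:12:35Z 4625 user=jsmith src=10.0.0.23
2020-05-14T09:12:36Z 4625 user=jsmith src=10.0.0.23
2020-05-14T09:12:40Z 4624 user=jsmith src=10.0.0.23
2020-05-14T09:15:00Z 4625 user=admin src=198.51.100.9
2020-05-14T09:17:00Z 4625 user=admin src=198.51.100.9
2020-05-14T09:19:00Z 4625 user=admin src=198.51.100.9
2020-05-14T09:21:00Z 4625 user=admin src=198.51.100.9
2020-05-14T09:23:00Z 4625 user=admin src=198.51.100.9
2020-05-14T09:30:00Z 4625 user=root src=192.0.2.77
2020-05-14T09:30:01Z 4625 user=root src=192.0.2.77
2020-05-14T09:30:02Z 4625 user=root src=192.0.2.77
2020-05-14T09:30:03Z 4625 user=root src=192.0.2.77
"""

LINE_RE = re.compile(r"^(\S+) 4625 user=(\S+) src=(\S+)")

# Explicit internal ranges instead of ipaddress.is_global / is_private: the
# sample uses RFC 5737 documentation addresses as the "external" attackers,
# and the stdlib classifies those as non-global. Adjust to your address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def parse_failed_logons(text):
    """(timestamp, user, source_ip) for every 4625 line; other events skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Block an external source once it reaches `threshold` failures inside a
    sliding `window`. Returns {source_ip: time_of_block}. Internal sources
    are left alone (a mistyped password on the LAN is not an attack), and a
    slow trickle that never fills the window is not caught, which is why the
    count-based ranking below complements this."""
    recent = defaultdict(deque)
    blocked = {}
    for ts, _, src in sorted(events):
        if src in blocked or not is_external(src):
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            blocked[src] = ts
    return blocked


def failures_by_external_source(events):
    """External sources ranked by total failures: the 'biggest offenders'
    that would feed a longer-lived block list."""
    counts = Counter(src for _, _, src in events if is_external(src))
    return counts.most_common()


if __name__ == "__main__":
    evts = parse_failed_logons(SAMPLE_LOG)
    print("blocked:", detect_bruteforce(evts))
    print("offenders:", failures_by_external_source(evts))
```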

According to ESET telemetry, most of the blocked IPs in January–May 2020 were seen in the United States, China, Russia, Germany and France (see Figure 2).

Figure 2. Countries with the largest number of all blocked IP addresses (between Jan 1 and May 31, 2020).

Countries that had the largest proportion of targeted IPs were Russia, Germany, Japan, Brazil and Hungary (see Figure 3).

Figure 3. Countries with the most brute-force attacks reported by ESET telemetry (between Jan 1 and May 31, 2020).

How to configure remote access correctly

Yet, even with protective measures such as ESET Brute-Force Attack Protection, organizations need to keep their remote access properly configured:

  • Disable internet-facing RDP. If that is not possible, minimize the number of users allowed to connect directly to the organization’s servers over the internet.
  • Require strong and complex passwords for all accounts that can be logged into via RDP.
  • Use an additional layer of authentication (MFA/2FA).
  • Install a virtual private network (VPN) gateway to broker all RDP connections from outside your local network.
  • At the perimeter firewall, disallow external connections to local machines on port 3389 (TCP/UDP) or any other RDP port.
  • Protect your endpoint security software from tampering or uninstallation by password-protecting its settings.
  • Isolate any insecure or outdated computers that need to be accessed from the internet using RDP and replace them as soon as possible.
  • For a detailed description of how to set up your RDP connection correctly, please refer to this article by ESET Distinguished Researcher Aryeh Goretsky.
  • Most of these best practices apply to FTP, SMB, SSH, SQL, TeamViewer, VNC and other services as well.

Ransomware, coin miners and backdoors

Encryption of data and subsequent extortion is in no way the only scenario that could follow an RDP compromise. Frequently the attackers try to install coin-mining malware or create a backdoor, which can be used in case their unauthorized RDP access has been identified and closed.

Other common scenarios following an RDP compromise can include:

  • clearing of log files, thus removing the evidence of previous malicious activity,
  • downloading and running the attacker’s choice of tools and malware on the compromised system,
  • disabling of scheduled backups and shadow copies or completely erasing them, or
  • exfiltrating data from the server.

Black hats have been trying to exploit RDP for years, as documented by our blogpost from 2013. Steadily growing numbers of RDP attacks over the past few years have become the subject of numerous governmental advisories including the FBI, the UK’s NCSC and Australia’s ACSC.

This only demonstrates how crucial the security of remote access has become, potentially making or breaking a company’s future. And even if the damage to an organization’s reputation can be managed, there are financial losses, stalled operations and expensive recovery efforts that need to be accounted for. This doesn’t even consider the additional costs of potential penalties that can be issued by authorities under data-protection legislation such as GDPR (EU), CCPA (California) or NDB (Australia).

Whether or not there’s a pandemic, businesses should manage the risks posed by wide usage of RDP or other similar services by reinforcing their passwords and by adding other protective layers, including multi-factor authentication and a security solution that defends against attacks based on RDP and similar protocols.

29 Jun 2020 – 11:30AM

Week in security with Tony Anscombe

Android ransomware posing as a COVID-19 tracing app – Ill-trained and ill-equipped newly-minted remote workers – How Bitcoin giveaway scams misuse Elon Musk’s name

This week, ESET researchers published their findings about Android ransomware spreading under the guise of an official COVID-19 contact-tracing app developed by Health Canada. A study by IBM shows that many newly-minted remote employees use their personal laptops for work and lack security training or tools to properly secure the devices. Scammers now include the name of Tesla and SpaceX CEO Elon Musk in Bitcoin addresses in order to give their schemes extra credibility. For more information, go to WeLiveSecurity.com.