Remote Access: Open Ports Create Targets of Opportunity, Undue Risk

TLP: WHITE 

Summary

The NJCCIC assesses with high confidence that organizations with insecure remote access configurations, including remote desktop protocol (RDP), Telnet, and SSH ports, on internet-facing servers are at an increased risk of network compromise, potentially resulting in data theft or network-wide ransomware infections. 

Since late 2016, the NJCCIC has observed a substantial increase in cyber incidents and threat intelligence reports involving the exploitation of enabled ports commonly used for remote access as the point of entry for ransomware attacks and other network intrusion activities. Using Shodan, a publicly available search engine for the “Internet of Things,” hackers can easily locate servers, systems, and devices with exposed remote access ports. After a target is identified, a malicious actor can use various tactics to reveal account login credentials or use brute force methods to gain entry into the network. Once inside, an intruder can map the network and identify the most sensitive systems from which they can steal data or otherwise exploit. They may install other types of malware designed to log keystrokes, create backdoors for later use, or steal system resources to mine cryptocurrency for personal profit. The exploitation of remote access ports can also be used to deploy ransomware on a centralized server that can propagate through a network and infect as many computers as possible, which can severely disrupt an organization’s operations until the affected data and systems are restored.

• At the time of writing, a search using Shodan revealed over 10,000 exposed IP addresses within New Jersey with TCP/UDP port 3389 (RDP) enabled, nearly 5,000 exposed IP addresses with TCP port 23 (Telnet) enabled, and over 184,000 with TCP/UDP port 22 (SSH) enabled. The query also revealed that some systems with exposed remote access ports are also running outdated and vulnerable operating systems such as Windows XP and Linux Kernel 2.X or 3.X. Known vulnerabilities within software coupled with poorly secured remote access configurations could allow a remote threat actor to steal data, implant malware, or simply gain unauthorized access to a network.
• In April 2017, the intelligence firm Flashpoint reported that a dark web marketplace was advertising access to over 85,000 hacked RDP servers for sale or rent. Their analysis revealed that most of the compromised systems reside in the United States and belong to organizations in the education, healthcare, legal, aviation, and government sectors.
• On August 9, the cybersecurity firm Rapid 7 released a report highlighting the security risks associated with the exposure of RDP on endpoints running Windows OS. Their researchers discovered TCP port 3389 open on 11 million endpoints worldwide and, of those, 4.1 million were configured to accept a remote desktop connection. Over 1.1 million of these vulnerable devices are located within the United States.   
• The NJCCIC’s Ransomware Threat Profile includes numerous variants that use RDP access as a vector, including Amnesia, BTCWare, CrySiS, PSCrypt, and Sorebrect, among others. In March, we reported an increase in CrySiS infections using RDP compromise to target victims in New Jersey, which we continue to observe as of this week.

Recommendations

The NJCICC recommends all organizations audit their networks to identify servers and devices with ports 22 (SSH), 23 (Telnet), and 3389 (RDP) enabled. Once identified, immediately close port 23 on all systems as well as any unneeded SSH and RDP ports. If the availability of remote access is required, the NJCCIC recommends that organizations implement IPsec or SSL VPNs. Additionally, replace any default or weak login credentials with passwords that are both long and complex, and implement a two-factor authentication solution to harden networks against brute-force attacks.

• Consider blocking IP addresses after a set number of failed login attempts.
• For applications or databases with sensitive data, implement whitelisting to allow only authorized static IP addresses.
• To avoid data theft, encrypt all sensitive data both in transit and at rest and be sure to implement a robust data backup and restoration plan to mitigate the risk of data loss resulting from a ransomware infection or other catastrophic event.
• Backups should be scheduled as frequently as possible, tested regularly, and stored off the network in a separate and secure location.

Traffic Light Protocol: WHITE information may be distributed without restriction.