Backoff Malware – Time to Step up Remote Access Security

by |

Another day, another security breach. Today, it’s a number of breaches that may or may not tie together, but all seem to have one thing in common: poor remote access security.

Most notably, the US Department of Homeland Security has issued an advisory regarding the “Backoff Point-of-Sale Malware,” which has been associated with several PoS data breach investigations. The advisory states:

“Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMEIn Join.Me offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.”

and

“Similar attacks have been noted in previous PoS malware campaigns and some studies state that targeting the Remote Desktop Protocol with brute force attacks is on the rise.”

In addition to this advisory, The Delaware Restaurant Association notified its 1,900 member restaurants about a possible breach of consumer payment card data which, “appears to be linked to LogMeIn, a remote access and systems management provider that facilitates, among other things, file sharing and data backup.” And Krebs on Security is reporting that the Jimmy John’s sandwich chain is investigating breach claims.

While some of these remote desktop access connections exist for employees to access their work computer from home, others are set up so IT administrators, outsourcers and vendors can remotely manage and support desktops and other systems. It’s especially critical that these connections are secure as they typically include admin-level permissions that hackers can exploit. But even if an end-user is simply using a tool like RDP to access a single desktop, their credentials can be used to install malware on that system. Once that individual PC is compromised, hackers can use it as a launching point to attempt to access more critical systems.

In its advisory, the Department of Homeland Security provides a number of guidelines for improving remote access security, including:

  • Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized attempts to login whether from an unauthorized user or via automated attack types like brute force.
  • Limit the number of users and workstation who can log in using Remote Desktop.
  • Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).
  • Change the default Remote Desktop listening port.
  • Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.
  • Require two-factor authentication (2FA) for remote desktop access.
  • Install a Remote Desktop Gateway to restrict access.
  • Add an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH or SSL.
  • Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.
  • Limit administrative privileges for users and applications.
  • Periodically review systems (local and domain controllers) for unknown and dormant users.

For those using remote access for technical support, we believe you can take security even further with a few additional recommendations.

  • Consolidate remote access tools so you can centrally manage and monitor all insider and external remote access.
  • Once you implement a central remote access solution, there is no longer a need for open listening ports, such as TCP 3389. Instead of only restricting access, as Homeland Security suggests, you can block broad access to 3389 and completely shut that door for hackers.
  • Two-factor authentication is a must. But beyond that, ensure that each individual is using unique login credentials. Often IT teams or vendors share logins to save money on licenses, but this undermines 2FA and makes it impossible to audit who is doing what on your systems.
  • In addition to limiting admin privileges for users and applications, consider restricting when and from where users can remotely access your systems. For example, an IT outsourcer can access your systems from his computer on his company network, but not from his iPad at home.
  • Reviewing your systems for unknown and dormant users is good, but even better is to set up alerts for unexpected activity, such as a vendor logging in overnight or on a weekend. By capturing a full audit trail of all remote access activity, you can set up a warning system to alert you to unauthorized access before the damage is done.

For more details, check out these Five Steps for Securing Third-Party Vendor Access.

Security has many layers, and no one solution is going to fully protect you from a data breach. But if you can lock down the initial entry pathway just a bit more, you can significantly up your chances of keeping hackers out and your sensitive data in.  

UPDATE 8/1/14: We'll be hosting a webinar to discuss this topic in further detail on Wednesday, August 6 at 3:00 pm ET. Register here to learn more about how to implement remote support security best practices. And if you have any specific questions you'd like me to address, please put them in the comments below.