[BreachExchange] xDedic: What to Do If Your RDP Server Was Pwned

Inga Goddijn inga at riskbasedsecurity.com
Tue Jun 28 16:59:27 EDT 2016 

http://www.databreachtoday.com/xdedic-what-to-do-if-your-rdp-server-was-pwned-a-9228

As many as 250,000 credentials for Remote Desktop Protocol servers around
the world may have been offered for sale on the now-shuttered xDedic
<http://www.inforisktoday.in/compromised-rdp-server-tally-from-xdedic-may-be-higher-a-9218>
cybercrime marketplace. If an organization suspects credentials to servers
may have been traded by cybercriminals, what can they do to mitigate
related risks and avoid a major network intrusion?

Security experts advise information security professionals to take several
important steps that go far beyond simply changing credentials. For
example, it's urgent that they scan all public listed IPs for any open RDP
or SSH ports and block them, in addition to carefully monitoring for
unusual behavior on their networks.

Kaspersky Lab
<https://securelist.com/blog/research/75027/xdedic-the-shady-world-of-hacked-servers-for-sale/>
described the credential exposure in a June 15 blog. In a followup June 20
blog
<https://securelist.com/blog/research/75120/the-tip-of-the-iceberg-an-unexpected-turn-in-the-xdedic-story/>,
the security firm explained why the amount of credentials exposed could be
higher than originally estimated (see: *Compromised RDP Server Tally From
xDedic May Be Higher*
<http://www.inforisktoday.in/compromised-rdp-server-tally-from-xdedic-may-be-higher-a-9218>
).

Kaspersky is advising organizations to check with their local CERT for
information on whether their credentials were exposed on xDedic.

Even though the xDedic marketplace has been shut down, many criminals could
still have access to the credentials that were offered for sale for as
little as $6 each, says Vitaly Kamluk, Kaspersky Lab's principal security
researcher for APAC. And that means thousands of organizations could be
vulnerable to hacker attacks.
Implications of Stolen Credentials

If attackers have access to an RDP server credential, they could try to use
it to quickly establish a foothold in the network and compromise additional
servers, establishing a "beachhead" before these credentials get revoked.

Even if credentials for just one server from an organization were listed on
xDedic, it's likely that nearly every server in that organization's DMZ
network could be compromised by hackers using those credentials, says K.K.
Mookhey
<http://www.inforisktoday.in/interviews/mookhey-on-indian-infosec-trends-i-2896>,
founder and principal consultant at NII Consulting in India. That's because
in typical setups, security controls exist between network segments and not
within each segment.

Deeper penetration is also likely where the DMZ barrier can be crossed
through the traffic allowed between the DMZ and the internal server
segment, Mookhey says. "There is really no practical purpose to allow an
RDP port to be accessible on a public IP address, and my first step would
be to scan for and close public facing RDP & SSH ports," he says.

Sahir Hidayatullah, CEO of the Mumbai-based security firm Smokescreen, says
such lateral movement is indeed, a major concern. "The attackers will move
laterally off the compromised system extremely quickly and try to establish
multiple command-and-control channels as they know they will likely lose
the initial access," he says.

Detecting this lateral movement is difficult if the attackers don't move
between network segments because the IDS/IPS
<http://www.inforisktoday.in/network-perimeter-c-213> sensors that are
located between segments won't get triggered, Hidayatullah explains.

Attackers also may make attempts to escalate privileges, which means any
other accounts that logged into the system should also be considered at
risk, he adds.

Even worse, just de-authorizing the compromised credentials or cutting off
access could signal to the attackers that they've been discovered. Then
they might attempt to operate in stealth mode, making them harder to
detect. Or they might even avoid the environment for a time, returning
after the security team believes the breach has been resolved, Hidayatullah
says.

In the meantime, the attackers may try to sniff out other credentials that
will enable them to return via a legitimate channel and ditch the RDP route
altogether - VPN for instance - and the organization then has very little
hope of pin pointing them, Hidayatullah says.

RDP & SSH brute force attacks have been prevalent for the last 18 months,
largely due to poor passwords and failure to restrict RDP services, says
Shomiron Das Gupta, founder at Indian security services firm Netmonastery.
Such attacks can permit the intruders to install backdoors and complete
code drops for APT-style attacks, he says.
Remediating RDP-driven Compromises

Experts say organizations can take several steps to remediate the risk
stemming from stolen RDP credentials. In addition to closing RDP and SSH
ports, organizations should:

   - *Monitor for unusual behavior.* Attacker movement can be difficult to
   pinpoint, even with the right tools. Look for unusual behavior and strange
   access patterns - out of office hours use, for instance, Hidayatullah
   advises. Also, look for newly created accounts on other systems on the same
   network segment and any other areas the attackers may have accessed
(see: *Role
   Based Behavior Analytics - Patterns and Anomalies in User Behavior as
   Indicators of Attack*
   <http://www.inforisktoday.in/webinars/role-based-behavior-analytics-patterns-anomalies-in-user-behavior-as-w-915>
   ).
   - *Mandate two-factor authentication.* Remote access should be via VPN
   and require two-factor authentication
   <http://www.inforisktoday.in/authentication-c-206>. If organizations
   complying with PCI DSS, this is mandatory in any case, Mookhey notes.
   - *Adopt strong password policies.* Monitor for weak passwords and
   password reuse. This is one of the major causes for these kinds of attacks
   today, Das Gupta says.
   - *Implement privileged ID management.*This can help prevent one server
   compromise from leading to other compromises through the shared
   administrator/root account credentials.
   - *Use deception and decoys.* Deception technology and commercial
   honeypot systems are effective in picking up intruders' activities,
   Hidayatullah says. "The attacker hits the decoy systems both during the
   brute force process and in the lateral movement phase. Deploying decoys in
   DMZ networks have shown so much value that it's pretty much the first thing
   we recommend now," he says. Decoy credentials, which can be left on systems
   around the network to be discovered by attackers, are also helpful. "This
   way, when an attacker compromises a system and then tries to escalate
   privileges, they encounter the decoy credentials that trigger when used,"
   Hidayatullah explains.

Pinpointing attacker movement in the initial phases of such attacks is
essential, and honeypots and other sensors are becoming an increasingly
valuable source of intel, experts says. Mookhey also recommends the use of
open-source big data setups such as ELK <https://www.elastic.co/products>
(Elasticsearch, Logstash, Kibana) to visualize and analyze raw data and
mine it for security intelligence. And he suggests that organizations run
red team attacks on their environments at least annually to help determine
if they can detect when a privileged ID is being misused.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160628/1ed5347f/attachment.html>

More information about the BreachExchange mailing list