Cybersecurity Threat Advisory: Leaked Windows RDP Credentials
Posted on April 26, 2021 by Mike Beagles
As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.
This week there is a new critical alert that requires the mission-critical community’s immediate attention.
Advisory overview
Security researchers recently leaked 1.3 million Remote Desktop Protocol (RDP) credentials (usernames and passwords) for Windows servers held by the hacker group UAS. The compromised credentials could allow a cyberattacker to log into the affected RDP servers. It is imperative to apply security best practices when operating Windows RDP servers, to prevent cyberattackers from accessing confidential information and gaining further insight into the network. Such practices include a strong password policy and ensuring that RDP is not open to the internet.
What is the threat?
The affected servers would be exposed to cyberattackers logging in with these compromised credentials. Logging in via RDP is an easy way for an attacker to access confidential information stored within the internal network, pivot within the network, and possibly perform other malicious tasks. The Federal Bureau of Investigation (FBI) has reported that RDP is responsible for 70-80 percent of all network breaches.
Why is this noteworthy?
This threat is especially noteworthy due to the high risk that derives from compromised credentials. Once logged into the network, a cyberattacker can deploy various methods to maintain persistence or cause havoc within the network. The security researchers had access to the database for more than three years and shared it with Vitali Kremez, who in turn launched a service called RDPwned, which enables companies and their administrative staffs to determine whether their servers are listed in the database. It is absolutely imperative to ensure that RDP servers are protected—strong password policies are one of the best ways to prevent breaches like this from occurring.
What is the exposure?
Once an attacker has been granted access to the network via compromised RDP credentials, the attacker can perform various malicious activities. Maintaining persistence to gather more confidential information may be some attackers’ goals, but others may want to wreak havoc and destroy business operations. For example, cyberattackers could deploy ransomware within the network or destroy important data that is critical to business functions. Others could use their access to the network to steal credit card information or create backdoors for other attackers to access.
What are the recommendations?
- Develop a strong password policy that includes the following best practices, at a minimum:
  - Ensure that passwords are 8-14 characters in length, at a minimum, and include alphanumeric characters and symbols
  - Create a policy that calls for passwords to expire after 30-90 days
  - Keep a password history of the last five passwords, so that users cannot change their password to a previously used one
  - Set a minimum time before users can change their password again, so that they cannot cycle through the password history
  - Prevent password sharing to ensure that passwords are secret and known only to the user
- Implement two-factor authentication on RDP servers
- Ensure that RDP servers are behind a firewall and are not open to the internet, to prevent external cyberattackers from trying to penetrate them
- Determine whether your RDP server has had its credentials compromised, using the RDPwned service
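The following audit script is an added example, not part of the MCP advisory, that checks a single Windows host against the recommendations above: whether RDP is enabled, whether Network Level Authentication is required, whether any inbound firewall rule exposes TCP/3389 to any remote address, and whether the local password policy meets the stated minimums. It uses only built-in cmdlets and `secedit`; the numeric thresholds (8-character minimum, 30-90 day expiry, history of 5, non-zero minimum age) are assumptions taken from the advisory's text, and it must be run from an elevated PowerShell session.

```powershell
# Added audit script (not from the MCP advisory). Run elevated on the Windows host.
# Thresholds are assumptions mirroring the advisory's recommendations.

function Get-LocalPasswordPolicy {
    # Export the local security policy with secedit and parse the numeric
    # [System Access] values (MinimumPasswordLength, PasswordHistorySize, ...).
    $cfg = Join-Path $env:TEMP 'rdp-audit-secpol.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $policy
}

function Test-RdpHardening {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Is RDP enabled? fDenyTSConnections = 0 means connections are accepted.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    if ($ts.fDenyTSConnections -ne 0) {
        $findings.Add('INFO: RDP is disabled on this host; the RDP checks below are informational.')
    }

    # 2. Network Level Authentication: the client must authenticate before a
    #    session is created, which limits what an unauthenticated party can reach.
    $winst = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication
    if ($winst.UserAuthentication -ne 1) {
        $findings.Add('FAIL: Network Level Authentication is not required for RDP.')
    }

    # 3. Inbound allow rules for TCP/3389 scoped to "Any" remote address mean RDP is
    #    reachable from anywhere the host is routable, including the internet.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '3389')) {
            $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -contains 'Any') {
                $findings.Add("FAIL: firewall rule '$($rule.DisplayName)' allows TCP/3389 from any remote address.")
            }
        }
    }

    # 4. Local password policy versus the advisory's minimums (assumed thresholds).
    $p = Get-LocalPasswordPolicy
    if ($p['MinimumPasswordLength'] -lt 8) {
        $findings.Add("FAIL: minimum password length is $($p['MinimumPasswordLength']); advisory asks for at least 8.")
    }
    if ($p['PasswordComplexity'] -ne 1) {
        $findings.Add('FAIL: password complexity (mixed character classes and symbols) is not enforced.')
    }
    # A MaximumPasswordAge of -1 means passwords never expire.
    if ($p['MaximumPasswordAge'] -lt 1 -or $p['MaximumPasswordAge'] -gt 90) {
        $findings.Add("FAIL: maximum password age is $($p['MaximumPasswordAge']) days; advisory asks for 30-90.")
    }
    if ($p['PasswordHistorySize'] -lt 5) {
        $findings.Add("FAIL: password history remembers $($p['PasswordHistorySize']) passwords; advisory asks for 5.")
    }
    if ($p['MinimumPasswordAge'] -lt 1) {
        $findings.Add('FAIL: minimum password age is 0, so users can cycle straight through the history.')
    }

    # Two-factor authentication is enforced by a gateway or identity provider, not by
    # a local registry value, so it stays a manual check.
    $findings.Add('MANUAL: confirm two-factor authentication is enforced for RDP logons.')
    return $findings
}

Test-RdpHardening | ForEach-Object { Write-Output $_ }
```

Each finding is prefixed FAIL, INFO or MANUAL so the output can be collected from many hosts and sorted. The firewall check deliberately looks at rule scope rather than only whether a rule exists: a rule restricted to an internal management subnet satisfies the advisory's "behind a firewall" recommendation, whereas one scoped to Any does not.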
For more in-depth information about the recommendations, please visit the following links:
Topics: Cybersecurity, IT and Network Support