The Department of Homeland Security (DHS), National Cybersecurity and Communications Integration Center (NCCIC), and the Federal Bureau of Investigation (FBI) are issuing a national cybersecurity activity alert regarding the infamous SamSam ransomware that took down Atlanta and other large institutions.
According to the alert, threat actors exploit Windows servers to gain persistent access to a victim's network and infect all reachable hosts. Since mid-2016, FBI analysis of victims' machines indicates that the actors use Remote Desktop Protocol (RDP) to gain that persistent access, typically by brute-forcing passwords or by using stolen login credentials.
Detecting RDP intrusions can be challenging because the actors enter through an approved access point with valid credentials rather than through an exploit. After gaining access, SamSam actors:
- Escalate privileges to obtain administrator rights
- Drop the malware onto the server
- Run the executable, all without the victim's action or authorization
Because the activity rides on a legitimate remote-administration channel, RDP lets the actors infect victims with little chance of detection.
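The failure mode described above, a brute-force login through an approved access point, still leaves a trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a successful logon (Event ID 4624) of the same type from that address once a password is guessed. The script below is an added example, not part of the DHS/FBI alert or of this blog: it runs a sliding-window count over a constructed set of events (the field names mirror the real EventData fields, the timestamps and addresses are made up) and flags source IPs that exceed a threshold of failures and then succeed. The threshold of 10 failures in 5 minutes is an assumed tuning value.

```python
"""Flag RDP brute-force attempts from Windows Security log events.

Event IDs and logon types are the standard Windows values:
4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
The sample events below are constructed for illustration (not real data).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10            # assumed: failed RDP logons from one IP ...
WINDOW = timedelta(minutes=5)  # ... within this window trip the detector


def constructed_events():
    """Constructed sample events in the shape of Security log EventData."""
    base = datetime(2018, 3, 22, 2, 14, 0)
    guessed = ["administrator", "admin", "backup"]
    events = [
        {"TimeCreated": base + timedelta(seconds=15 * i), "EventID": 4625,
         "LogonType": 10, "IpAddress": "203.0.113.45",
         "TargetUserName": guessed[i % 3]}
        for i in range(12)
    ]
    events += [
        # guessing pays off: a successful RDP logon from the same source
        {"TimeCreated": base + timedelta(minutes=3, seconds=30), "EventID": 4624,
         "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "backup"},
        # one mistyped password from an employee: stays below threshold
        {"TimeCreated": base + timedelta(minutes=1), "EventID": 4625,
         "LogonType": 10, "IpAddress": "198.51.100.7", "TargetUserName": "jdoe"},
        # network (SMB) logon failure, type 3: not RDP, ignored by this detector
        {"TimeCreated": base + timedelta(minutes=1), "EventID": 4625,
         "LogonType": 3, "IpAddress": "203.0.113.45", "TargetUserName": "svc"},
    ]
    return events


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Count failed RDP logons per source IP inside a sliding window.

    Returns {ip: {"failed_attempts", "accounts_tried", "success_after_bruteforce"}}
    for every IP that reached the threshold; a later successful RDP logon
    from a flagged IP is recorded as a likely compromised account.
    """
    rdp = sorted((e for e in events if e["LogonType"] == 10),
                 key=lambda e: e["TimeCreated"])
    recent_fails = defaultdict(list)  # ip -> [(time, account)] inside the window
    findings = {}
    for e in rdp:
        ip, ts, acct = e["IpAddress"], e["TimeCreated"], e["TargetUserName"]
        if e["EventID"] == 4625:
            # drop failures that have aged out of the window, then add this one
            recent_fails[ip] = [(t, a) for t, a in recent_fails[ip] if ts - t <= window]
            recent_fails[ip].append((ts, acct))
            if len(recent_fails[ip]) >= threshold:
                f = findings.setdefault(ip, {"failed_attempts": 0,
                                             "accounts_tried": set(),
                                             "success_after_bruteforce": None})
                f["failed_attempts"] = len(recent_fails[ip])
                f["accounts_tried"].update(a for _, a in recent_fails[ip])
        elif (e["EventID"] == 4624 and ip in findings
              and findings[ip]["success_after_bruteforce"] is None):
            findings[ip]["success_after_bruteforce"] = (ts.isoformat(), acct)
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(constructed_events()).items():
        print(ip, finding)
```

Filtering on logon type 10 is what separates RDP guessing from the much noisier SMB and NTLM failures (type 3); in a real deployment the events would come from the Security channel via a log forwarder or `Get-WinEvent`, and the successful logon after a flagged burst is the line worth paging on.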
DHS and FBI recommend that users and admins follow best practices to strengthen the security posture of their organization’s systems. Please consider the following:
- Audit your network for systems that use RDP for remote communication. Disable the service where it is not needed, and install available patches where it is. Work with your technology vendor to confirm that patches will not affect system processes.
- Verify that cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep them open. Place any system with an open RDP port behind a firewall and require users to connect through a virtual private network (VPN) to reach it.
- Enforce strong passwords and account lockout policies to defend against brute-force attacks.
- Apply two-factor authentication where possible.
- Regularly apply system and software updates.
- Disable file and printer sharing services. If they are required, use strong passwords or Active Directory authentication.
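The second recommendation (no RDP reachable from the internet on cloud instances unless there is a business reason, and VPN-only access otherwise) is easy to state and easy to get wrong in an audit: a rule that opens TCP 3000-4000 or "all traffic" exposes 3389 without the number 3389 ever appearing, and changing the RDP listener port does not change that. The script below is an added example, not code from the alert or from this blog. It audits a constructed inventory whose ingress rules follow the shape of EC2 security-group `IpPermissions` (`IpProtocol`, `FromPort`, `ToPort`, `IpRanges`); the instance IDs, addresses and the assumed VPN range 10.8.0.0/24 are made up. It generalizes slightly beyond the text by checking port ranges, all-protocol rules and IPv6 sources as well as the literal port-3389 case.

```python
"""Audit cloud instances for RDP (TCP/3389) reachable from outside the VPN.

The inventory below is constructed for illustration; its rule dictionaries
follow the EC2 security-group IpPermissions shape but this is not AWS code.
"""
import ipaddress

RDP_PORT = 3389
VPN_CIDR = ipaddress.ip_network("10.8.0.0/24")  # assumed: the only trusted source range

INSTANCES = [  # constructed inventory
    {"InstanceId": "i-web01", "PublicIp": "198.51.100.10", "Ingress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": ["0.0.0.0/0"]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": ["0.0.0.0/0"]},
    ]},
    {"InstanceId": "i-app02", "PublicIp": "198.51.100.11", "Ingress": [
        # a port range that happens to cover 3389, from a partner network
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000, "IpRanges": ["203.0.113.0/24"]},
    ]},
    {"InstanceId": "i-jump03", "PublicIp": "198.51.100.12", "Ingress": [
        # RDP allowed only from the VPN range: acceptable
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": ["10.8.0.0/24"]},
    ]},
    {"InstanceId": "i-db04", "PublicIp": None, "Ingress": [
        # wide open, but no public IP, so not directly reachable from the internet
        {"IpProtocol": "-1", "FromPort": None, "ToPort": None, "IpRanges": ["0.0.0.0/0"]},
    ]},
    {"InstanceId": "i-legacy05", "PublicIp": "198.51.100.13", "Ingress": [
        # "all traffic" from everywhere, v4 and v6: RDP is open even though 3389 is not named
        {"IpProtocol": "-1", "FromPort": None, "ToPort": None, "IpRanges": ["0.0.0.0/0", "::/0"]},
    ]},
]


def rule_opens_rdp(rule, port=RDP_PORT):
    """True if the rule admits TCP traffic to `port` (explicitly, by range, or via all-protocols)."""
    proto = rule["IpProtocol"]
    if proto not in ("tcp", "-1"):
        return False
    if proto == "-1" or rule["FromPort"] is None:
        return True  # all ports
    return rule["FromPort"] <= port <= rule["ToPort"]


def untrusted_sources(cidrs, trusted=VPN_CIDR):
    """Return the CIDRs that are not wholly inside the trusted (VPN) range."""
    out = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        # subnet_of() refuses mixed address families, so a v6 source is untrusted outright
        if net.version != trusted.version or not net.subnet_of(trusted):
            out.append(cidr)
    return out


def audit_rdp_exposure(instances, trusted=VPN_CIDR):
    """Return {instance_id: [offending source CIDRs]} for public instances
    whose ingress rules allow RDP from anywhere outside the trusted range."""
    findings = {}
    for inst in instances:
        if not inst["PublicIp"]:
            continue
        bad = []
        for rule in inst["Ingress"]:
            if rule_opens_rdp(rule):
                bad += untrusted_sources(rule["IpRanges"], trusted)
        if bad:
            findings[inst["InstanceId"]] = sorted(set(bad))
    return findings


if __name__ == "__main__":
    for instance_id, sources in audit_rdp_exposure(INSTANCES).items():
        print(f"{instance_id}: RDP reachable from {', '.join(sources)}")
```

The instance without a public IP is skipped rather than flagged, but that is only correct if nothing else (a load balancer, a NAT rule) forwards 3389 to it; an audit of the real environment should feed the same function the effective reachability, not just the security group.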
For more information on the risk printers and fax machines pose to your network, check out the Onepath blog.