On Saturday, Feb 16th, 2019, ‘De Standaard’ reported on an investigation by the (Belgian) Federal Department of Justice. Together with the US and Ukraine, it closed down “xDedic”, a website selling logins and passwords for compromised servers around the world. Until 2016, the website was publicly available; when it started to attract attention from several criminal investigations, its operators moved it to the Darknet.
Results tie up with Awingu’s own research
The criminal investigation – unfortunately – aligns perfectly with a study published by Awingu on September 17, 2018. In that study, Awingu identified 8803 Belgian businesses with ‘unprotected RDP ports’. This is exactly what the hackers behind xDedic used to snatch users’ logins and passwords, and from there enter the company IT network and compromise servers.
Those compromised servers were used for ransomware attacks (where hackers block the owners from accessing their data and applications unless they pay a ‘ransom’ fee), credit card fraud, or as a ‘hub’ for other illegal activities (e.g. using the compromised server to hack into other businesses without easily exposing the location of the hacker).
The criminal investigation states it could find login credentials for 230 to 750 Belgian servers, depending on the point in time. “It’s safe to assume these 230-750 servers are at least in part a subset of the 8803 businesses Awingu could identify,” says Arnaud Marière, CMO Awingu. “And this is not just a Belgian problem, nor is it a problem of the past. Businesses around the world are not securing their ‘RDP (Remote Desktop Protocol) accesses’.”
In fact, Awingu has done similar studies on ‘open RDP’ ports in Sweden and Italy, finding respectively 9688 and 33629 “exposed” businesses. And while xDedic is now closed, others will rise and have probably already done so.
So, is RDP unsafe?
The Remote Desktop Protocol (RDP) was originally developed by Microsoft to be used primarily on an internal company network. Making your environment directly reachable from the internet is possible, but it is advised to take at least several security measures beforehand. Several methods to protect your environment can be found on the web; although they are sometimes outdated, they remain very relevant and necessary to ensure a minimum level of security.
The closing of xDedic again proves that leaving your RDP environment without protection brings considerable risks: ‘Since 2002, 20 Microsoft security updates have been released specifically for RDP, and people now know of at least 25 vulnerabilities (CVEs) that malicious parties can exploit without much effort. With that in mind, you must be crazy not to add an extra layer of security to your environment’, Kurt Bonne (CTO Awingu) says.
In more recent RDP versions, Microsoft has paid great attention to the security aspect, not only by adding more options but also by offering more intelligent default settings. You would therefore think it a ‘no-brainer’ to at least upgrade your RDP environment to the latest version, but older applications are not always compatible, and older versions are often kept out of necessity.
How Awingu can easily help secure your existing RDP deployment
Awingu’s browser-based workspace adds layers of security on top of RDP. When using it, you connect to the application or desktop via a browser – and no longer via an RDP client. This means that people with bad intentions can no longer exploit the weak points of an unprotected RDP access. To maximize protection through browser access, Awingu implements the following security measures:
• Multi-factor authentication: Awingu comes with a built-in MFA solution, and can (if necessary) easily integrate with your current method of authentication. By adding MFA you ensure that ‘brute force attacks’ are no longer possible.
• SSL without hassle: use your own certificates or switch on SSL via the built-in Let’s Encrypt integration with just a single mouse click.
• Extensive audit possibilities: keep your existing RDP logging tools running alongside the included Awingu audit capabilities.
• Anomaly detection: get informed about irregularities in your environment, such as someone who logs in too often with a wrong password, or someone who tries to log in from abroad.
For more info, also read this 2017 blog post written in the midst of the Wannacry outburst, which explains how Awingu adds layers of security on top of RDP.