

Ransomware groups take advantage of all sorts of vulnerabilities, yet there are many ways to improve security. Limiting the use of remote desktop sessions is one of them, according to a recent joint report from the FBI and others.

The group of American and Australian investigators took a close look at the practices of the BianLian ransomware collective. What is striking is that this party has largely dispensed with the encryption that ransomware groups commonly apply to sensitive data. According to the government experts, an affected organization therefore need not fear that its data will become inaccessible; instead, BianLian extorts its victims by threatening to leak highly sensitive data. Its targets are predominantly U.S. organizations in “critical infrastructure sectors”, such as energy companies, financial services and health care. These parties are particularly vulnerable to this kind of pressure because they have strict legislation to comply with: a data leak can have immense consequences.

The flexibility of remote desktop

Abuse of remote desktop access is the main reason the BianLian group has been able to operate. The appeal of this access method is easy to understand: it is a quick and widely deployable way to control a powerful workstation from a much less powerful laptop, and it lets a system administrator adjust the settings of a separate computer from a distance. In effect, one operates a machine as if it were in the room, with network latency and bandwidth among the few limitations. Remote desktops are secured in many different ways, but in quite a few cases that security is too easy to unpick. There is a gradation here, though: those who are meticulous about the privileges granted in remote desktop sessions and who make use of the security options offered by parties such as TeamViewer and AnyDesk can at least better protect themselves from the worst consequences of cybercrime.

BianLian gains access to victims’ systems with valid Remote Desktop Protocol (RDP) credentials. These are mostly bought from Initial Access Brokers (IABs). Authorities recently hooked a big fish in the IAB ocean: Genesis Market, a marketplace that sold stolen browser fingerprints, session cookies and credentials for others to abuse. BianLian has also obtained credentials through phishing emails, a threat as old as the modern Internet itself.

Once inside, the group used a custom backdoor to install remote management software such as TeamViewer or AnyDesk, and mapped the infiltrated network with built-in Windows tools. The flexibility of RDP then allowed the criminals to move laterally through the network with far fewer intermediate steps than they would otherwise have needed. In short, the user-friendliness of remote desktop made for effective and agile criminal behavior, and gave the group access to sensitive data.
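The chain described above (valid RDP credentials, a remote management tool installed for persistence, lateral movement over RDP) leaves traces in standard Windows logs. The script below is an added example written for this article; it is not code from the advisory or from any affected organization. It hunts for two of those traces: RDP logons (Security event 4624 with logon type 10) from outside the management subnet, and remote management tools installed as services (System event 7045). The management subnet 10.10.0.0/16 and the host name, accounts and addresses in the sample events are constructed assumptions; the only tool names matched are the two the article mentions.

```powershell
# Added example for this article (not from the FBI/CISA/ACSC advisory).
# Looks for two of the behaviours described above in Windows event data:
#   - Security 4624 with LogonType 10 (RemoteInteractive = RDP) from an address
#     outside the admin subnet (assumption: 10.10.0.0/16)
#   - System 7045 (new service) whose name or binary matches a remote-management
#     tool named in the article (TeamViewer, AnyDesk)

$ManagementCidr    = '10.10.0.0/16'        # assumption: where admins RDP from
$RemoteToolPattern = 'TeamViewer|AnyDesk'  # regex, case-insensitive by default

function ConvertTo-UInt32Address {
    param([ipaddress]$Address)
    $bytes = $Address.GetAddressBytes()    # network byte order
    [array]::Reverse($bytes)               # BitConverter expects host (little-endian) order
    [System.BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $parsed = $null
    # '-', '::1', hostnames or garbage are never "inside" the subnet
    if (-not [ipaddress]::TryParse($Ip, [ref]$parsed) -or
        $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        return $false
    }
    $mask    = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    $ipBits  = (ConvertTo-UInt32Address $parsed) -band $mask
    $netBits = (ConvertTo-UInt32Address ([ipaddress]$network)) -band $mask
    return $ipBits -eq $netBits
}

# Flatten a live Get-WinEvent record into the shape the hunt expects:
# Id, Computer, TimeCreated plus one property per <Data Name="..."> element.
function ConvertFrom-WinEventRecord {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml   = [xml]$Record.ToXml()
    $props = [ordered]@{ Id = $Record.Id; Computer = $Record.MachineName; TimeCreated = $Record.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $props[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$props
}

function Find-RdpAbuse {
    param([object[]]$Events, [string]$AllowedCidr = $ManagementCidr)
    foreach ($e in $Events) {
        if ($e.Id -eq 4624 -and [int]$e.LogonType -eq 10 -and
            -not (Test-IPv4InCidr -Ip $e.IpAddress -Cidr $AllowedCidr)) {
            # Loopback sources land here too: an RDP logon from 127.0.0.1 usually
            # means RDP tunnelled through something else and deserves a look.
            [pscustomobject]@{
                Host    = $e.Computer; Time = $e.TimeCreated
                Finding = "RDP logon for $($e.TargetDomainName)\$($e.TargetUserName) from $($e.IpAddress) (outside $AllowedCidr)"
            }
        }
        elseif ($e.Id -eq 7045 -and "$($e.ServiceName) $($e.ImagePath)" -match $RemoteToolPattern) {
            [pscustomobject]@{
                Host    = $e.Computer; Time = $e.TimeCreated
                Finding = "remote-management service installed: $($e.ServiceName) -> $($e.ImagePath)"
            }
        }
    }
}

# Constructed sample (hypothetical host, users and addresses; 203.0.113.0/24 is a
# documentation range). For live data use e.g.:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ForEach-Object { ConvertFrom-WinEventRecord $_ }
$sample = @(
    [pscustomobject]@{ Id = 4624; Computer = 'FS01'; TimeCreated = '2023-05-01T02:14:00Z'; LogonType = '10'
                       IpAddress = '10.10.5.23';   TargetDomainName = 'CORP'; TargetUserName = 'admin.jane' }  # expected
    [pscustomobject]@{ Id = 4624; Computer = 'FS01'; TimeCreated = '2023-05-01T03:02:10Z'; LogonType = '10'
                       IpAddress = '203.0.113.77'; TargetDomainName = 'CORP'; TargetUserName = 'svc.backup' }  # flagged
    [pscustomobject]@{ Id = 4624; Computer = 'FS01'; TimeCreated = '2023-05-01T03:02:30Z'; LogonType = '3'
                       IpAddress = '203.0.113.77'; TargetDomainName = 'CORP'; TargetUserName = 'svc.backup' }  # network logon, not RDP
    [pscustomobject]@{ Id = 7045; Computer = 'FS01'; TimeCreated = '2023-05-01T03:05:41Z'
                       ServiceName = 'AnyDesk Service'; ImagePath = '"C:\ProgramData\AnyDesk\AnyDesk.exe" --service' }  # flagged
)
Find-RdpAbuse -Events $sample | Format-Table -AutoSize
```

Against the constructed sample this reports two findings: the type 10 logon from 203.0.113.77 and the AnyDesk service install. The type 3 (network) logon from the same address is deliberately ignored here because the hunt is scoped to RDP; a broader hunt would want it as well. On real data, feed `Find-RdpAbuse` the output of `ConvertFrom-WinEventRecord` over both the Security and the System log.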


The FBI, CISA and the Australian ACSC recommend restricting remote access as much as possible. The danger of remote desktop lies mostly in careless implementation. For example, the three parties recommend using a remote access solution only within a private network: by restricting connections from the outside world as much as possible, an organization avoids being directly exposed to attack. That reasoning is dangerous if taken on its own, however. If the organization is, or unknowingly has been, vulnerable in some other way, a backdoor may already be in place, and criminals can then exploit an unpatched vulnerability in a system that is not directly connected to the Internet. In other words, patch all software you run in-house, even when it is not exposed to the outside world.

If you do need to use remote desktop, the report offers further advice, including closing unused RDP ports and setting up multi-factor authentication (MFA). For many cases in which you might want remote desktop, there is also a logical alternative based on zero trust principles: every user is authenticated continuously, so no account or device is trusted on a standing basis. The credo is “never trust, always verify.” In practice this means that admins and other accounts can only do what is strictly necessary at that moment.
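The hardening advice above translates into a handful of host settings. The script below is an added example written for this article, not code from the advisory or from any vendor. It audits a Windows host against that advice: RDP listener off where RDP is not needed, with the matching firewall rules disabled (closing the unused port); Network Level Authentication required where RDP is needed; inbound 3389 restricted to a management subnet instead of “Any”; and membership of Remote Desktop Users limited to an approved group. The subnet 10.10.0.0/16 and the group CORP\RDP-Admins are assumptions. MFA for RDP needs an external component (an NPS extension or a gateway) and the zero trust step of making the group membership itself time-bound needs a privileged access management tool, so both are left as comments. Without -Apply the script only reports drift; with -Apply it remediates, and it must run from an elevated prompt.

```powershell
<#
 Added example for this article (not from the FBI/CISA/ACSC advisory).
 Audits one Windows host against the RDP advice above and optionally fixes it.
   .\Audit-RdpExposure.ps1                       # report drift, change nothing
   .\Audit-RdpExposure.ps1 -RdpRequired -Apply   # this host needs RDP: lock it down
   .\Audit-RdpExposure.ps1 -Apply                # this host does not: turn RDP off
 Assumptions (hypothetical): admins connect only from 10.10.0.0/16 and only
 CORP\RDP-Admins may hold RDP rights. Run elevated.
#>
[CmdletBinding()]
param(
    [switch]$Apply,
    [switch]$RdpRequired,
    [string[]]$AllowedSources  = @('10.10.0.0/16'),
    [string[]]$AllowedRdpUsers = @('CORP\RDP-Admins')
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"
$drift  = @()

if (-not $RdpRequired) {
    # 1. Listener off unless this host genuinely needs RDP ("limit the use of RDP"),
    #    and the inbound rules disabled so the port is really closed.
    if ((Get-ItemProperty $tsKey).fDenyTSConnections -ne 1) {
        $drift += 'RDP listener enabled on a host that does not need it'
        if ($Apply) {
            Set-ItemProperty $tsKey -Name fDenyTSConnections -Value 1
            Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
        }
    }
}
else {
    # 2. Network Level Authentication: authenticate before a session (and its
    #    attack surface) exists.
    if ((Get-ItemProperty $rdpTcp).UserAuthentication -ne 1) {
        $drift += 'NLA not required'
        if ($Apply) { Set-ItemProperty $rdpTcp -Name UserAuthentication -Value 1 }
    }

    # 3. Inbound 3389 only from the management subnet, never from 'Any' (the
    #    "only within a private network" advice, enforced on the host itself).
    foreach ($rule in Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True) {
        $remote  = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $outside = @($remote | Where-Object { $_ -notin $AllowedSources })
        if ($outside.Count -gt 0) {
            $drift += "rule '$($rule.DisplayName)' accepts RDP from: $($outside -join ', ')"
            if ($Apply) { $rule | Set-NetFirewallRule -RemoteAddress $AllowedSources }
        }
    }

    # 4. Who may log on over RDP at all. Local Administrators get RDP implicitly,
    #    so review that group as well. MFA in front of RDP and time-bound (JIT)
    #    membership of the allowed group are the next steps; both need components
    #    outside this script.
    foreach ($m in Get-LocalGroupMember -Group 'Remote Desktop Users') {
        if ($m.Name -notin $AllowedRdpUsers) {
            $drift += "unexpected RDP principal: $($m.Name)"
            if ($Apply) { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $m.Name }
        }
    }
}

if ($drift.Count -eq 0) { 'RDP baseline met' }
else {
    $drift | ForEach-Object { "DRIFT: $_" }
    if (-not $Apply) { 'Re-run with -Apply to remediate' }
}
```

The audit-first design is deliberate: the same script runs harmlessly from a scheduled task or a configuration-management pass to catch drift, such as a firewall rule someone widened back to “Any” during an outage, and only changes the host when an operator asks it to.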

Ultimately, the operation of a party like the BianLian ransomware group depends on security loopholes that are often easy to prevent. Deploying remote desktop sessions is never without risk. An organization is therefore best off using this connection method as little as possible, no matter how user-friendly it is.
