One game we like to play while taking in the sights and sounds of interstate driving is the old classic: “What am I?” It’s a simple game to play: A family member simply thinks of a household item, or an animal, fruit or vegetable, and the other members try to guess what they “are” by asking a series of Yes or No questions. My kids also own the “official” board game style version of this game called HedBanz. The only twist or alteration to its rules is that each player will wear a headband on their forehead that contains a card, displaying an animal, tool or food that they themselves must guess by asking similar Yes or No questions about themselves. The first player to guess his or her own card wins. (And the saying, “there’s an app for it” holds true for the “What am I” game as well: The most popular is the ‘Heads Up!’ app made famous on The Ellen DeGeneres Show where her guests place cellphones on their foreheads and try to guess things like blockbuster movies and superstars.)

 

As families begin packing their suitcases and flocking to beaches and state parks, guessing games and apps like “What am I?” or “Heads Up!” will kick into gear for the summer. However, I’m also witnessing cybercriminals increase their guessing games in 2018 as well! Unfortunately, the straightforward, time-passing fun of popular children’s games is not what I am referring to. Cyber attackers are interested in breaching networks and client systems alike, stealing valuable information and inflicting (many times) unrepairable damage on your computer systems. They are achieving this using a technique called Brute-Force Attack.

 

A brute-force attack involves targeting servers and workstations directly, rather than indirectly (i.e., relying on a user to open an attachment or click a link) and looking for an opening or hole into the system. In most cases, an attacker will attempt to guess the user’s password by trying passwords or passphrases repeatedly, with the goal of guessing correctly. An industry-specific term for the guessing of passwords is “password spraying.” As a note to those of us who are not yet taking the concept of strong passwords seriously, there are many easily available brute force techniques that can effectively crack weak passwords.

 

In many of the recent cases of new ransomware samples or other destructive malware I’ve analyzed, I have observed that cybercriminals are specifically using an RDP (Remote Desktop Protocol) brute force attack. In an RDP brute force attack, the attacker scans a list of IP ranges for the default RDP port 3389, looking for an open connection. Once a port is found, the brute force attack is launched. The brute force technique uses a trial-and-error password guessing attack with a list of commonly used credentials, passphrases, dictionary words and other combinations. Once access is established, the attacker can disable the system’s antivirus, firewall and other in-place security measures so that the malware payload can run without detection. This means that even if the user or administrator had the very best, top-notch antivirus installed (Thirtyseven4 Endpoint Security, anyone?) and was diligently keeping it updated to protect against the thousands of new malware samples added daily, turning off the protection renders the system powerless. Again, the damage done by the executed malware can be irreversible and could open the possibility for future attacks and for confidential information to be stolen and later released, causing significant embarrassment to the user or organization.

 

While a built-in Thirtyseven4 Firewall feature will effectively prevent RDP brute force attacks by allowing only trusted IP addresses to access the system via remote desktop, I wanted to mention a few other tips and suggestions that can be put into practice by everyone.

 

Some best practices to help prevent brute force attacks:

 

1. Use strong and unique passwords on user accounts that cannot be easily guessed. Weak passwords like admin, admin123, qwerty, 123456, password, Spot (don’t we all have a dog named ‘Spot’?), can be easily brute forced in just the first few attempts. Remember the saying: “Strength in Length.” Your passwords should not only contain a mix of uppercase, lowercase and special characters, but should also be at least 12 characters long.


2. In addition to installing strong client-based security software, make sure to configure your endpoint security software settings with password protection. Doing so would prevent any unauthorized users that may have breached or gained access to the system from disabling or uninstalling it. (For example, Thirtyseven4 users can enable this feature from the Settings => Password Protection.)

 

3. Disable the administrator account and use a different account name for administrative activities. Most brute-force attempts are done on an administrator user account, as it is present by default.

 

4. Remove any other unused or guest accounts, especially those listed under the administrator account. You may have the strongest login credentials on this side of the Mississippi, but if the older default Admin\Admin account created by your former colleague was never disabled or deleted, your system is open for business.

 

5. Take the time to change the RDP port from its default of 3389. While a full port scan done by the attacker would still reveal available ports, most RDP attacks focus on targeting port 3389.

 

6. Enable the Network Level Authentication (NLA) feature in your RDP settings, available in Windows Vista and later operating systems. https://technet.microsoft.com/en-us/library/cc732713.aspx

 

7. Configure Account Lockout Policies that will automatically lock an account after a specific number of failed attempts. https://technet.microsoft.com/en-us/library/dd277400.aspx
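
The RDP password guessing described earlier leaves runs of failed-logon events (ID 4625) in the Windows Security log, and the lockout threshold in tip 7 is a count over those same events. The following added example (not part of the original article) flags source addresses with a burst of remote logon failures, reports any successful logon (ID 4624) that follows from the same source, and lists accounts whose failure count reaches the threshold. The row layout, the function names and the threshold of 5 failures in 5 minutes are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rows: (time, event ID, logon type, source IP, account).
# 4625 = failed logon, 4624 = success; RDP is type 10, or type 3 with NLA.
SAMPLE = [
    ("2018-06-01 02:10:00", 4625, 3, "203.0.113.7", "Administrator"),
    ("2018-06-01 02:10:05", 4625, 3, "203.0.113.7", "Administrator"),
    ("2018-06-01 02:10:10", 4625, 3, "203.0.113.7", "Administrator"),
    ("2018-06-01 02:10:15", 4625, 3, "203.0.113.7", "Administrator"),
    ("2018-06-01 02:10:20", 4625, 3, "203.0.113.7", "admin"),
    ("2018-06-01 02:10:25", 4625, 3, "203.0.113.7", "Administrator"),
    ("2018-06-01 02:10:30", 4624, 3, "203.0.113.7", "Administrator"),
    ("2018-06-01 08:00:00", 4625, 2, "-", "bob"),  # console logon, not RDP
    ("2018-06-01 09:00:00", 4625, 10, "198.51.100.20", "alice"),
    ("2018-06-01 09:00:30", 4625, 10, "198.51.100.20", "alice"),
    ("2018-06-01 09:01:00", 4624, 10, "198.51.100.20", "alice"),
]

def parse(rows):
    """Keep remote logon types only, normalise account case, sort by time."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), eid, ip, user.lower())
                  for t, eid, ltype, ip, user in rows if ltype in (3, 10))

def peaks(events, field, threshold, window):
    """Peak number of failures inside any sliding window, per IP or account."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for event in (e for e in events if e[1] == 4625):
        q = recent[event[field]]
        q.append(event[0])
        while event[0] - q[0] > window:
            q.popleft()
        peak[event[field]] = max(peak[event[field]], len(q))
    return {key: n for key, n in peak.items() if n >= threshold}

def detect(rows, threshold=5, window=timedelta(minutes=5)):
    events, report = parse(rows), {}
    for ip, peak in peaks(events, 2, threshold, window).items():
        fails = [e for e in events if e[2] == ip and e[1] == 4625]
        report[ip] = {
            "peak_failures": peak,
            "accounts_tried": sorted({e[3] for e in fails}),
            # A success from the same source after the guessing began needs triage.
            "logon_after_failures": sorted({e[3] for e in events if e[2] == ip
                                            and e[1] == 4624 and e[0] > fails[0][0]}),
        }
    # Accounts whose failures reach the count a lockout policy would act on.
    return report, sorted(peaks(events, 3, threshold, window))
```

On a live system the same fields come from Security-log events 4625 and 4624 (`TargetUserName`, `IpAddress`, `LogonType`); the per-account count here only approximates how Windows applies its lockout counter.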