CERT NZ has issued a warning to New Zealand businesses recommending that they ‘urgently’ review their remote access systems and remote working technologies to prevent ransomware attacks.

That warning echoes others globally. 

“Remote Desktop Protocol (RDP) is currently, by a wide margin, the most common attack vector used by threat actors to gain access to Windows computers and install ransomware and other malware,” Recorded Future threat intel analyst Allan Liska wrote in a report published last week about the danger of ransomware to the US election infrastructure.

Compromised systems are often put up for sale in “RDP shops” on the dark web and sold on to other attackers. In 2018, McAfee found that access to a major international airport’s security and building automation systems could be purchased for just $10 USD at an RDP shop.

Vigilance needed

As more workers choose flexible work options, many organisations have relied on various remote desktop protocols to give workers remote access.

But, without proper management, that’s a move that may come back to haunt them.

An RDP service that isn’t vigilantly managed and updated is like leaving the front-door key under the mat – an open invitation to attackers. While RDP is built into Microsoft operating systems, it can also be installed on Apple, Linux, and Android operating systems, and all present the same risks.

CERT NZ threats and vulnerabilities principal advisor Michael Shearer says organisations should ‘urgently review’ their remote access systems and secure them.

“Regardless of what technology organisations use to enable remote working, it’s important to keep your system up-to-date and enable two-factor authentication for logins,” says Shearer.

The recent Kaseya attack and the ransomware attack on the Waikato District Health Board have highlighted the devastating effects an attack can have on organisations. 

“There’s been an increasing trend of these types of attacks globally over the past 18 months, and they’re only going to continue,” warns Shearer.

CERT NZ received 30 reports of ransomware attacks between April and June of this year – the highest number reported here within a single quarter.

But it’s likely the number is a lot higher as many organisations choose not to report ransomware attacks.

Configuration key

Most of these attacks can be traced back to poorly-configured remote-access systems like Remote Desktop Protocol (RDP) or Virtual Private Networks (VPNs).

While attackers can use several methods to gain access to systems, they can conduct far more damaging attacks once they have gained access over RDP.

At that point, even if passwords are changed, attackers will still be able to get inside the network. They can then identify and extract sensitive information and may threaten to use the information to affect the reputation of the business, or, more often, sell it if you don’t pay their ransom.

CERT NZ recommends that domain administrator privileges be used as sparingly as possible, and only on domain controllers.

If staff are using the server to access an application, businesses should not also allow highly-privileged accounts to log on to the server. 

If it’s a server used for administrative tasks, it should only be accessible from administrative workstations, by administrators.

CERT NZ also recommends that businesses set sessions to time out after 15 minutes of inactivity, and that they prohibit passwords from being saved, as attackers look for saved credentials and use them to move laterally across the network.
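The last two recommendations (a 15-minute idle timeout and no saved passwords) correspond to machine-wide Remote Desktop Services policy values on a Windows RDP host. The following audit-and-remediate script is an added example, not CERT NZ’s or Microsoft’s own tooling; it assumes an elevated PowerShell session on the host, and the `fResetBroken` check is an added caveat so that a timed-out session is logged off rather than left disconnected but still authenticated.

```powershell
# Added example: audit (and optionally enforce) the RDP session policies behind
# the CERT NZ advice above. Run elevated on the RDP host; pass -Fix to apply.
param([switch]$Fix)

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$IdleLimitMs = 15 * 60 * 1000   # MaxIdleTime is stored in milliseconds

# Desired values. fResetBroken = 1 ends the session when the limit is reached
# instead of only disconnecting it; DisablePasswordSaving = 1 stops clients
# from storing RDP credentials that an intruder could reuse.
$Desired = [ordered]@{
    MaxIdleTime           = $IdleLimitMs
    fResetBroken          = 1
    DisablePasswordSaving = 1
}

function Get-PolicyValue([string]$Name) {
    # Returns $null when the key or value is absent (i.e. not configured).
    (Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-RdpHardening {
    foreach ($name in $Desired.Keys) {
        $current = Get-PolicyValue $name
        # Any non-zero idle limit up to 15 minutes passes; the flags must be exactly 1.
        if ($name -eq 'MaxIdleTime') {
            $pass = ($null -ne $current) -and ($current -gt 0) -and ($current -le $Desired[$name])
        } else {
            $pass = ($current -eq $Desired[$name])
        }
        $shown = if ($null -eq $current) { '(not set)' } else { $current }
        [pscustomobject]@{
            Setting  = $name
            Current  = $shown
            Expected = $Desired[$name]
            Pass     = $pass
        }
    }
}

function Set-RdpHardening {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value $Desired[$name] -Type DWord
    }
}

if ($Fix) { Set-RdpHardening }
Test-RdpHardening | Format-Table -AutoSize
```

In a domain, the same three values are normally delivered by Group Policy under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services; the script reports what is actually in effect on the host, so it doubles as a check that the policy has applied.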