Threat Assessment Thursday: The Easy Mark
The information in your networks is always valuable! Some of it is simply more valuable than the rest. When you’re performing a risk assessment of your infrastructure, it’s critical that you don’t overlook the basics. It’s easy to forget the simple things when you’re dealing with advanced user authentication, denial-of-service attacks, and compliance requirements; however, sometimes it’s those small mistakes that will bring your army of techs to their knees.
It’s great that you’ve layered security system on top of security system, but if an attacker can casually walk into your network through an unsecured RDP implementation, it’s usually game over.
On July 9th, 2014 a “Threat Intelligence” report was published by Nart Villeneuve, Joshua Homan and Kyle Wilhoit of FireEye Inc. In it they explain the means and attack method of a recently discovered botnet. While these experts remain uncertain how the botnet propagates, they did manage to determine the means by which the BrutPOS botnet was infiltrating and stealing critical data from various Point-of-Sale networks.
The breach technique was simple. The botnet would be provided a list of IP addresses and would scan them for any with port 3389 (Remote Desktop Protocol) open. When it found an IP with that port open, it would flag the IP for a brute force attack by the botnet. The attackers specified a list of usernames and passwords that popular brands of POS systems frequently ship as defaults. This let them decrease the time spent on better-secured and non-target RDP systems by having a much shorter list to check against. In effect, they filtered the results down from all systems that have the RDP port open to only those that still kept the default usernames and passwords used specifically for their Point-of-Sale device.
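The pattern described above (one source hammering RDP with a short list of default account names) leaves a clear trace in the Windows Security log: a burst of Event ID 4625 failed logons with LogonType 10 from the same source. The following detection is an added example, not code from the post or from FireEye; the sample events and the default-account list are constructed placeholders, and the field layout is an assumption that mirrors the fields a 4625 event exposes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events (Event ID 4625 = failed logon,
# 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP).
# Not real data; the tuple layout is an assumption for this example.
SAMPLE_EVENTS = [
    # (timestamp, event_id, logon_type, source_ip, target_user)
    ("2014-07-09T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2014-07-09T02:00:02", 4625, 10, "203.0.113.7", "pos"),
    ("2014-07-09T02:00:03", 4625, 10, "203.0.113.7", "posuser"),
    ("2014-07-09T02:00:04", 4625, 10, "203.0.113.7", "manager"),
    ("2014-07-09T02:00:05", 4625, 10, "203.0.113.7", "admin"),
    ("2014-07-09T02:00:06", 4624, 10, "203.0.113.7", "pos"),      # success after the burst
    ("2014-07-09T02:05:00", 4625, 10, "198.51.100.4", "alice"),   # single typo, benign
    ("2014-07-09T02:06:00", 4625, 2,  "127.0.0.1",   "bob"),      # console logon, ignored
]

# Constructed placeholder list of vendor/default account names to watch for;
# replace with the documented defaults of the POS products actually deployed.
DEFAULT_ACCOUNTS = {"administrator", "admin", "pos", "posuser", "manager"}

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for every source with >= threshold failed
    RDP logons inside a sliding time window. The summary lists which default
    account names were tried and whether any RDP success came from that source."""
    failures = defaultdict(list)
    successes = set()
    for ts, eid, ltype, ip, user in events:
        if ltype != 10:          # only RemoteInteractive (RDP) logons matter here
            continue
        t = datetime.fromisoformat(ts)
        if eid == 4625:
            failures[ip].append((t, user))
        elif eid == 4624:
            successes.add(ip)
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i in range(len(attempts)):
            j = i
            while j < len(attempts) and attempts[j][0] - attempts[i][0] <= window:
                j += 1           # extend the window as far as it reaches from attempt i
            if j - i >= threshold:
                tried = {u for _, u in attempts[i:j]}
                alerts[ip] = {"failures": j - i,
                              "default_accounts_tried": sorted(tried & DEFAULT_ACCOUNTS),
                              "success_seen_from_source": ip in successes}
                break
    return alerts
```

A success from a source that just exhausted a default-account list is the case worth paging on, since it indicates the credentials were still factory defaults.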
Now it’s threat assessment time! How many devices do you think your network contains that still use the credentials they shipped with as factory defaults? Are you sure no one has added an unauthorized device to your network, or to their workstation, that would be using a default password? If you answered no or you are not sure, then unfortunately you’re at risk!
Fortunately, these and many more potential threats can be covered by simply becoming PCI compliant. Even if you’re not dealing with a point of sale network, the insights can be invaluable, as all insights into IT security can be. It never hurts to know more about keeping your information safe.