Ransomware groups exploit a variety of weaknesses, and there are just as many ways to raise the bar against them. Limiting the use of remote desktop sessions is one of them, as a recent joint advisory from the FBI, CISA and the Australian ACSC on the BianLian group shows.
The American and Australian agencies examined the practices of the BianLian ransomware group. Strikingly, the group has now dropped the encryption step that ransomware is known for. An affected organization therefore need not fear that its data will be made inaccessible, according to the government experts; BianLian instead relies on the threat of leaking highly sensitive data. The targets are predominantly American organizations within “critical infrastructure sectors”, such as energy companies, financial services and healthcare. These parties are particularly susceptible to this extortion tactic, partly because they have to comply with strict legislation: a leak can have immense regulatory and reputational consequences.
The flexibility of remote desktop
Abuse of remote desktop access is the main reason the BianLian group has been able to operate, and the appeal of this access method is obvious. It is a fast and versatile way to control a powerful workstation from a much less powerful laptop, or for a system administrator to change settings on a distant machine without leaving their desk; you operate the remote machine with connection speed as one of the few limitations. Remote desktops can be secured in many different ways, but in many deployments that security is too easy to get past. There are degrees, of course: anyone who is careful with the privileges granted to remote desktop sessions and uses the security options offered by products such as TeamViewer and AnyDesk is at least better protected against the worst consequences of cybercrime.
BianLian gains access to victims’ systems with valid Remote Desktop Protocol (RDP) credentials. These are often bought from Initial Access Brokers (IABs). Authorities recently caught a big fish in that market: Genesis Market, the shop that sold stolen “digital fingerprints” (browser cookies, saved credentials and device profiles) and was taken down in an international police operation. BianLian has also obtained login data through phishing emails, a threat as old as the modern internet itself.
Once inside, the group plants its own backdoor and installs remote management software such as TeamViewer or AnyDesk to keep its access. It then maps the compromised network with Windows tools and moves laterally over RDP, which takes far fewer intermediate steps than chaining exploits from host to host. In short, the convenience of remote desktop made for effective and agile criminal behavior, and gave the group its path to sensitive data.
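The three steps just described (an RDP logon from outside the private network, a remote management tool appearing as a new service, and one account then opening RDP sessions to many internal hosts in a short time) each leave a trace in Windows event logs. The detector below is an added example, not code from the article or the joint advisory: it runs over a constructed, simplified JSON-lines rendering of Security event 4624 (LogonType 10 is RemoteInteractive, i.e. RDP) and System event 7045 (new service installed). The field names, the sample records, the internal ranges and the fan-out threshold are this example's own assumptions.

```python
"""Flag the RDP-driven intrusion pattern from the BianLian advisory in
Windows event data.  Added example; event records are constructed and use
this example's own simplified field names (not Microsoft's XML schema)."""
from __future__ import annotations

import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 1918 ranges: an RDP logon whose source lies outside them came
# straight from the internet, which should not happen if RDP is kept
# inside the private network as the advisory recommends.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Remote management tools named in the text; extend for your own estate.
RMM_MARKERS = ("teamviewer", "anydesk")

# Constructed sample: external RDP logon, AnyDesk service install, then the
# same account fanning out over RDP to three internal hosts; plus benign noise.
SAMPLE_LOG = r"""
{"time": "2023-05-01T02:03:00", "host": "FS01", "event_id": 4624, "logon_type": 10, "user": "CORP\\jsmith", "src_ip": "203.0.113.45"}
{"time": "2023-05-01T02:10:00", "host": "FS01", "event_id": 7045, "service_name": "AnyDesk Service", "image_path": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe --service"}
{"time": "2023-05-01T02:20:00", "host": "WS01", "event_id": 4624, "logon_type": 10, "user": "CORP\\jsmith", "src_ip": "10.0.0.5"}
{"time": "2023-05-01T02:25:00", "host": "WS02", "event_id": 4624, "logon_type": 10, "user": "CORP\\jsmith", "src_ip": "10.0.0.5"}
{"time": "2023-05-01T02:31:00", "host": "DC01", "event_id": 4624, "logon_type": 10, "user": "CORP\\jsmith", "src_ip": "10.0.0.5"}
{"time": "2023-05-01T09:00:00", "host": "WS07", "event_id": 4624, "logon_type": 10, "user": "CORP\\helpdesk", "src_ip": "10.0.0.9"}
{"time": "2023-05-01T09:05:00", "host": "WS07", "event_id": 4624, "logon_type": 2, "user": "CORP\\alice", "src_ip": "-"}
{"time": "2023-05-01T09:30:00", "host": "WS07", "event_id": 7045, "service_name": "Sysmon64", "image_path": "C:\\Windows\\Sysmon64.exe"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def is_internal(src_ip: str) -> bool:
    """Missing and loopback sources count as internal; anything that does
    not parse as an address is treated as untrusted."""
    if src_ip in ("-", "", "::1", "127.0.0.1"):
        return True
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def detect(events: list[dict], fanout_threshold: int = 3,
           window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Return findings for external RDP logons, RMM service installs and
    RDP fan-out (one account reaching >= fanout_threshold distinct hosts
    within the sliding window)."""
    findings = []
    rdp_logons: dict[str, list] = defaultdict(list)   # user -> [(time, host)]
    for ev in events:
        if ev["event_id"] == 4624 and ev.get("logon_type") == 10:
            rdp_logons[ev["user"]].append((ev["time"], ev["host"]))
            if not is_internal(ev.get("src_ip", "-")):
                findings.append({"rule": "rdp_from_internet", "user": ev["user"],
                                 "host": ev["host"],
                                 "detail": f"RemoteInteractive logon from {ev['src_ip']}"})
        elif ev["event_id"] == 7045:
            blob = (ev.get("service_name", "") + " " + ev.get("image_path", "")).lower()
            marker = next((m for m in RMM_MARKERS if m in blob), None)
            if marker:
                findings.append({"rule": "rmm_install", "user": None, "host": ev["host"],
                                 "detail": f"service '{ev['service_name']}' matches {marker}"})
    # Lateral-movement fan-out; per-user lists are already time-ordered.
    for user, logons in rdp_logons.items():
        start = 0
        for end, (t, _) in enumerate(logons):
            while logons[start][0] < t - window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) >= fanout_threshold:
                findings.append({"rule": "rdp_fanout", "user": user, "host": None,
                                 "detail": f"{len(hosts)} hosts within {window}: {sorted(hosts)}"})
                break   # one finding per account is enough
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f["rule"], f["user"], f["host"], f["detail"])
```

On the sample this yields three findings, in order: the external logon on FS01, the AnyDesk service on FS01, and the fan-out of CORP\jsmith to FS01, WS01 and WS02 within 30 minutes. The helpdesk logon and the interactive (type 2) logon do not fire, nor does the Sysmon service. In production you would feed the same logic from a SIEM query rather than a file, and tune the window and threshold to how your own administrators actually use RDP.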
The FBI, CISA and the Australian ACSC recommend limiting remote access as much as possible; the danger of remote desktop lies in careless implementation. For example, the three agencies recommend exposing a remote access solution only inside a private network, never directly to the internet. As an organization you are then no longer directly reachable for an attacker scanning for open RDP services. It is dangerous, however, to stop there: if a system has been vulnerable at some point, a backdoor may already have been installed, and an attacker with that foothold can exploit an unpatched vulnerability on a machine that was never reachable from the internet. In other words, patch all the software you have in house, even if it is not exposed to the outside world.
If you do have to use remote desktop, the advisory gives further advice: close unused RDP ports and require multi-factor authentication (MFA) for every remote session. Ultimately, for many situations in which you would reach for remote desktop there is a logical alternative based on zero trust principles. Every user and device is verified on an ongoing basis, with no standing trust in any particular account or device; the credo is “never trust, always verify”. In effect, admins and other accounts can only do what is strictly necessary at that moment.
Ultimately, the way a group like BianLian operates depends on security gaps that are often easy to close. Deploying remote desktop sessions is never without risk, so as an organization it is best to use this connection method as little as possible, however convenient it is.