Criminals target small businesses with poor server security
CERT Australia is reporting ongoing cases of small businesses being targeted and held to ransom by criminals who exploit insecure servers connected to the internet.
These insecurely configured servers are running the Windows operating system with external access provided through the Windows Remote Desktop Protocol (RDP). The Windows RDP allows remote access to a Windows desktop and is often used for administration purposes.
Criminals use 'brute force' attacks targeting weak passwords to guess the server logon password. 'Brute force' is where an automated tool is used to work through all possible passwords until it finds the correct one. Once logged on, criminals can manually encrypt business files, including databases in some examples. They then leave a ransom notice on the server or send the business owner an email demanding they pay a ransom for the 'key', or code, to unlock the files. Ransom amounts have been known to reach up to AUD$8,000.
In some cases, criminals have gone as far as to wipe and erase any backups connected to the server in question. This makes restoring the data extremely difficult and highlights the importance of having offline backups in place, that is, backup files that are stored on external hard drives or other storage formats that can be disconnected from a server once a backup process is complete.
CERT Australia notes that several incidents have occurred over the last six months. While exploiting Windows RDP has been the most popular way to carry out targeted ransom attacks, financially motivated criminals are likely to use any method possible to remotely access a poorly secured computer.
CERT Australia describes the impact of targeted attacks involving ransom as 'potentially more significant' than that of common ransomware delivered using email. This is because criminals have full access to a business server and could potentially cause other types of damage such as stealing or modifying data.
CERT Australia recommends:
- Businesses avoid having Windows Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC—a similar technology) exposed directly to the internet—consider using Virtual Private Networking (VPN) technologies instead.
- Ensure ALL administrator and remote access user passwords are very strong and unique to each administrator.
- Where possible, use two-factor authentication (which combines a factor such as a token or SMS message with a password) to control access to any remote access or VPN.
- Businesses should take steps to ensure that remote access is appropriately logged, so if an incident does occur, it can be properly investigated. As an example, logs should include usernames, dates, times, IP addresses and other relevant information.
- Businesses should have appropriate backup systems that are regularly verified, with logs kept secure, and that backup files are stored offline—this means backup files are not directly accessible from a computer server where they could be deleted or modified.
Articles on the topic of targeted hacking and ransoms can be found here:
- Small businesses should report incidents via the Australian Cybercrime Online Reporting Network (ACORN). www.ACORN.gov.au
Stay Smart Online has information on protecting your computers.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.