[SingCERT] Kaspersky Report on Compromised RDP Servers - "The xDedic Marketplace"

Published on Saturday, 18 June 2016 10:30

Background

On 15 June 2016, Kaspersky released a report on xDedic - an underground market that facilitated the sale of compromised login credentials of Remote Desktop Protocol (RDP) servers in 173 countries including Singapore.

With the login credentials, the buyer is able to access the server, including all the data on it, and use that access to launch further attacks. xDedic appears to be run by a Russian-speaking group of hackers.

The Kaspersky report indicated that Singapore has more than 700 compromised servers and was ranked 29th out of the 173 countries affected.

Kaspersky has shared details of the report with SingCERT. SingCERT is taking action to contact affected companies that have been identified thus far to inform them of the compromise and to extend our assistance where necessary.

Types of Servers Compromised

Internet-facing Remote Desktop Protocol (RDP) Server

How to check if your RDP server is compromised

  1. If you are running an Internet-facing RDP server, check it against the Indicators of Compromise listed in the Kaspersky report (referenced below).
  2. Check your RDP server logs for unauthorized or abnormal activity, especially successful logins outside normal hours and failed login events.
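The log review in step 2 can be scripted on the server itself. The following PowerShell is an added example, not part of the SingCERT advisory or the Kaspersky report: it pulls Windows Security events 4624 (successful logon) and 4625 (failed logon) for the last 30 days, keeps the RDP-related ones, and lists successful RDP logons outside an assumed 08:00-18:00 weekday window plus the source addresses generating the most failures. The working-hours window and the 30-day look-back are assumptions; it must be run as an administrator.

```powershell
# Added example (not from the advisory): review the Security log for RDP logon activity.
# Assumptions: run elevated on the RDP server; "normal hours" = 08:00-18:00, Monday-Friday.
$Since     = (Get-Date).AddDays(-30)
$WorkStart = 8
$WorkEnd   = 18

# Get-WinEvent throws if nothing matches, so suppress that and treat it as "no events".
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

$Records = foreach ($Event in $Events) {
    # EventData is easiest to read by field name from the event XML.
    $Xml  = [xml]$Event.ToXml()
    $Data = @{}
    foreach ($Field in $Xml.Event.EventData.Data) { $Data[$Field.Name] = $Field.'#text' }

    # LogonType 10 = RemoteInteractive (RDP). With Network Level Authentication enabled,
    # failed RDP attempts are often recorded as LogonType 3 (Network), so keep those for failures.
    $IsSuccess = ($Event.Id -eq 4624)
    if ($IsSuccess -and $Data['LogonType'] -ne '10') { continue }
    if (-not $IsSuccess -and $Data['LogonType'] -notin '10', '3') { continue }

    $When = $Event.TimeCreated
    [pscustomobject]@{
        Time     = $When
        Result   = if ($IsSuccess) { 'Success' } else { 'Failure' }
        User     = "$($Data['TargetDomainName'])\$($Data['TargetUserName'])"
        Source   = $Data['IpAddress']
        OffHours = ($When.Hour -lt $WorkStart) -or ($When.Hour -ge $WorkEnd) -or
                   ($When.DayOfWeek.ToString() -in 'Saturday', 'Sunday')
    }
}

"== Successful RDP logons outside normal hours since $Since =="
$Records | Where-Object { $_.Result -eq 'Success' -and $_.OffHours } |
    Sort-Object Time | Format-Table Time, User, Source -AutoSize

"== Failed logons by source address (top 10) =="
$Records | Where-Object { $_.Result -eq 'Failure' } |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

A successful logon from an address that also appears high in the failure list, or any off-hours success from an unfamiliar address, is the pattern step 2 asks you to look for.
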

Recommended Actions to be Taken

  1. Immediately change the password of all accounts used to log in through RDP.
  2. Configure the account lockout settings to lock a user account for a period of time after a specified number of failed login attempts. This prevents unlimited unauthorized login attempts.
  3. Define a stringent password policy by configuring password expiration, minimum length and complexity requirements. This reduces the time window in which an attack can succeed.
  4. Use a firewall to restrict access to RDP servers to authorized source IP addresses only.
  5. Review and limit administrative privileges through the built-in RDP RestrictedAdmin feature.

Additional Measures that Could be Taken to Enhance System Security

  1. Limit the number of users and machines that can log in using RDP.
  2. Add an extra layer of authentication, such as two-factor authentication (2FA), for all remote access systems.

For Further Assistance

Affected parties may contact SingCERT should they require further assistance.

Reference

https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdf