[this post from Dennis Houseknecht, a Nerd in West Virginia]
Think worms are the malware of yesteryear? Not so. A new worm has been spreading rapidly. This worm spreads via RDP (the Remote Desktop Protocol behind Remote Desktop Connection).
This worm does not seem to be exploiting any new vulnerabilities in the RDP protocol. Rather, it gets its foothold in the internal network through other means, such as Adobe Flash or Reader vulnerabilities or general phishing attacks.
Once inside the network, it infects other machines through the RDP protocol. It also goes outside the network and tries to find other networks that have RDP exposed to the outside and brute-force the administrator passwords.
Prevention really is no different from the practices we have always recommended:
1. Keep the operating system and browser add-ons, such as Java, Adobe Flash and Reader, etc., patched.
2. Educate all users about the dangers of opening attachments and clicking links in ANY email – EVEN those that come (or appear to come) from friends, co-workers, or the boss.
3. Use strong passwords – on admin accounts, use VERY strong passwords.
4. If possible, do not expose RDP to the internet, especially on its default port of 3389. If you are using Level Platforms for remote access, you DO NOT HAVE TO OPEN FIREWALL PORTS TO USE RDP. If you have port 3389 open through the firewall, you can assume that someone is trying to brute-force the admin account all day, every day. This was true long before Morto came to town.
5. Disable RDP on machines that do not need to have it enabled.
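As an added example (not part of the original post), here is a small Python detector for the kind of RDP password guessing item 4 describes. It runs over constructed records that are a simplified, space-separated rendering of Windows Security Event ID 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP); the record format, the threshold and the sample values are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs), modelled on the fields of
# Windows Security Event ID 4625 "An account failed to log on":
#   <timestamp> <event_id> <logon_type> <target_account> <source_ip>
# Logon type 10 (RemoteInteractive) is what an RDP logon attempt records.
SAMPLE_EVENTS = [
    "2011-08-29T02:14:05 4625 10 Administrator 203.0.113.7",
    "2011-08-29T02:14:09 4625 10 administrator 203.0.113.7",
    "2011-08-29T02:14:12 4625 10 admin 203.0.113.7",
    "2011-08-29T02:14:15 4625 10 Administrator 203.0.113.7",
    "2011-08-29T02:14:20 4625 10 Administrator 203.0.113.7",
    "2011-08-29T02:14:23 4625 10 Administrator 203.0.113.7",
    "2011-08-29T03:00:00 4625 10 jsmith 198.51.100.4",  # one typo by a real user
    "2011-08-29T03:05:00 4624 10 jsmith 198.51.100.4",  # 4624 = successful logon
    "2011-08-29T04:10:00 4625 3 svc_backup 192.0.2.9",  # type 3 = network, not RDP
]


def parse_event(line):
    """Split one space-separated record into typed fields."""
    ts, event_id, logon_type, account, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "account": account.lower(), "src": src}


def rdp_bruteforce_sources(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside any sliding window.

    Returns {src_ip: {"failures": total, "accounts": [targeted account names]}}.
    """
    attempts = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] == 4625 and ev["logon_type"] == 10:
            attempts[ev["src"]].append((ev["ts"], ev["account"]))
    flagged = {}
    for src, hits in attempts.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = {"failures": len(hits),
                                "accounts": sorted({a for _, a in hits})}
                break
    return flagged


if __name__ == "__main__":
    for src, info in rdp_bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} failed RDP logons against {info['accounts']}")
```

On the sample data only 203.0.113.7 is flagged; the single user typo, the successful logon and the non-RDP network failure are ignored.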
Want to know if port 3389 is open on the firewall? Want to get weekly reports showing all open ports on the firewall? Want to get an alert any time there is a change in the open ports on the firewall? Nerds On Site offers SafetyNet, an automated port scanning service that does this. Contact us if you are interested in this service. There is a low monthly cost.
5 years ago I told nerds that we needed to brace for 6 months of a cyber crime spree and protect clients that choose to be protected. Little did I know that 5 years later, we...