Late last year, Marriott revealed that over 500 million customer records had been breached and exposed. The Marriott breach is only the latest in an escalating series of breaches of our nation's infrastructure. Breach follows breach, and what is never made clear is what this means to individuals and businesses. Who should be concerned, and why?
In March of this year, Jackson County, Georgia, a small rural county of 60,000, was successfully attacked with ransomware, and officials forked over $400,000 to retrieve their files. It is believed that this attack, and many similar attacks on counties and cities, were the product of exposed RDP.
RDP (Remote Desktop Protocol) is a feature of the Windows operating systems that allows IT administrators to maintain a server or desktop remotely. It makes the job of IT easier and lowers the cost of routine maintenance, but it is also a security hole.
Step one in the new malware attack plan is to scan for open RDP ports. Once an open RDP port is found, a person researches any and all employees of that institution, in this case Jackson County, Georgia. In today's day and age, with LinkedIn, Facebook, etc., it is a simple matter to find the employee list.
Step two is to find those employees' passwords among the myriad of breaches available on the dark web. Once they find a match, it goes up for sale on the dark web.
Step three: now the hackers can enter the Jackson County network for the first time with valid credentials. Once in, their first act is to disable antivirus. Note: since they are in the network with proper privileges and authorization, they can do almost anything, such as disable backups, change the credentials of other administrators, etc. Then, lastly, they deploy ransomware.
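The three steps above leave a trace in the Windows Security log that a defender can look for: a successful RDP logon is event 4624 with LogonType 10 (RemoteInteractive), and each failed attempt is event 4625. The PowerShell below is an added example, not code from the original post or from PC Matic. It flags RDP logons from any address that is not an expected maintenance host, and failed logons from one address followed by a success from the same address. The maintenance-host allowlist, the sample events and the addresses in them are constructed for illustration.

```powershell
# Added example (not code from the original post or from PC Matic): find the trace that the
# three attack steps leave in the Windows Security log. Allowlist and samples are constructed.

$AllowedSources = @('10.0.5.20', '10.0.5.21')   # assumed addresses of the jump hosts IT uses for planned maintenance

function Get-LogonEvents {
    # Reads 4624/4625 from the live Security log (needs elevation) and flattens the fields
    # the analysis uses, so the same analysis runs over live data or constructed samples.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            LogonType = [int]$data['LogonType']
            User      = $data['TargetUserName']
            Source    = $data['IpAddress']
        }
    }
}

function Find-SuspiciousRdpLogons {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string[]]$Allowed = $AllowedSources,
        [int]$FailureFloor = 3          # assumed: how many failures before a success is worth a look
    )
    $findings = @()
    # Step three as the defender sees it: a valid RDP logon from a source nobody scheduled
    foreach ($e in $Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 -and $_.Source -notin $Allowed }) {
        $findings += [pscustomobject]@{ Reason = 'RDP logon from unexpected source'; Time = $e.Time; User = $e.User; Source = $e.Source }
    }
    # Step two as the defender sees it: failures from one source, then a success from the same
    # source. Failures are not filtered on LogonType, because with Network Level Authentication
    # a failed RDP attempt is recorded with LogonType 3 rather than 10.
    foreach ($grp in $Events | Group-Object Source) {
        $success = $grp.Group | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 } | Sort-Object Time | Select-Object -First 1
        if (-not $success) { continue }
        $fails = @($grp.Group | Where-Object { $_.Id -eq 4625 -and $_.Time -lt $success.Time })
        if ($fails.Count -ge $FailureFloor) {
            $findings += [pscustomobject]@{ Reason = "$($fails.Count) failed logons, then RDP success"; Time = $success.Time; User = $success.User; Source = $grp.Name }
        }
    }
    $findings
}

# Constructed sample events (not real log data), in the shape Get-LogonEvents returns:
# a planned logon from a jump host, then a credential-stuffing pattern from an outside address.
$t0 = (Get-Date).AddHours(-1)
$SampleEvents = @(
    [pscustomobject]@{ Time = $t0;               Id = 4624; LogonType = 10; User = 'itadmin'; Source = '10.0.5.20' }
    [pscustomobject]@{ Time = $t0.AddMinutes(5); Id = 4625; LogonType = 3;  User = 'jsmith';  Source = '203.0.113.7' }
    [pscustomobject]@{ Time = $t0.AddMinutes(6); Id = 4625; LogonType = 3;  User = 'jsmith';  Source = '203.0.113.7' }
    [pscustomobject]@{ Time = $t0.AddMinutes(7); Id = 4625; LogonType = 3;  User = 'jsmith';  Source = '203.0.113.7' }
    [pscustomobject]@{ Time = $t0.AddMinutes(9); Id = 4624; LogonType = 10; User = 'jsmith';  Source = '203.0.113.7' }
)
Find-SuspiciousRdpLogons -Events $SampleEvents | Format-Table -AutoSize
# Against the live log: Find-SuspiciousRdpLogons -Events (Get-LogonEvents -Hours 24)
```

Over the sample events the function reports two findings for 203.0.113.7: an RDP logon from a source that is not a maintenance host, and three failures followed by a success. The second rule matters because a stuffed password that works on the first or second try never trips a lockout threshold, so the success itself, from an address with a recent failure history, is the signal to act on.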
There are essentially two huge holes in our digital security infrastructure: 1) unauthorized software running on a network, and 2) unauthorized people present on a network. Unauthorized software exploits our continued reliance on blacklist antivirus. Unauthorized people exploit the obvious holes in single-factor authentication. The RDP attacks exploit both of these holes simultaneously.
I am proud to say that PC Matic Pro is the only antivirus with advanced RDP protection. We have four layers of security against RDP attacks.
1) PC Matic Pro displays the open RDP ports on any network and makes it easy to disable any RDP port. We recommend keeping RDP ports open only for anticipated remote maintenance; the rest of the time, they should be shut.
2) PC Matic Pro modifies the Windows account lockout thresholds to defeat the password crackers that are commonly used when the attacker does not have user credentials.
3) PC Matic Pro has been changed so that it is no longer possible to uninstall our antivirus from the endpoint or server. It can only be uninstalled from the portal, which can be accessed exclusively by administrators.
4) PC Matic Pro has implemented an ELAM driver. ELAM means Early Launch Anti-Malware. In partnership with Microsoft, PC Matic Pro is now #1 in the boot sequence, and the PC Matic service can't be killed by another process or user.
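Layers 1 and 2 are controls any administrator can check on a Windows host without a particular product. The PowerShell below is an added example, not PC Matic's code or the post's: it reports whether RDP is enabled, whether the RDP port is actually listening, and whether the firewall allows it; reads the local account lockout policy; and provides functions to shut RDP outside a maintenance window and to set a lockout threshold. The threshold of 5 attempts and the 30-minute lockout duration and observation window are assumptions, not values from the post. Registry paths and cmdlets are the standard Windows ones.

```powershell
# Added example (not PC Matic's or the post's code): audit and adjust the two host-level
# controls described as layers 1 and 2. Run from an elevated PowerShell on Windows 8 /
# Server 2012 or later (Get-NetTCPConnection and the NetSecurity cmdlets need that).

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpExposure {
    # Layer 1: is RDP enabled, is the RDP port listening, and does the firewall let it through?
    $denyTs   = (Get-ItemProperty -Path $RdpKey -Name fDenyTSConnections).fDenyTSConnections
    $port     = (Get-ItemProperty -Path "$RdpKey\WinStations\RDP-Tcp" -Name PortNumber).PortNumber
    $listener = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    # 'Remote Desktop' is the English display group name; it is localised on non-English systems
    $fwRules  = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RdpEnabled     = ($denyTs -eq 0)
        Port           = $port
        Listening      = [bool]$listener
        FirewallAllows = [bool]$fwRules
    }
}

function Set-RdpAccess {
    # Layer 1: open RDP only for a planned maintenance window and shut it again afterwards.
    param([Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Mode)
    $deny = if ($Mode -eq 'Enable') { 0 } else { 1 }
    Set-ItemProperty -Path $RdpKey -Name fDenyTSConnections -Value $deny
    if ($Mode -eq 'Enable') { Enable-NetFirewallRule  -DisplayGroup 'Remote Desktop' }
    else                    { Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' }
}

function Get-LockoutPolicy {
    # Layer 2: local account lockout settings as reported by 'net accounts'.
    # On a domain member these come from Group Policy, so local changes do not persist.
    $lines = net accounts
    $read = {
        param([string]$Label)
        $line = $lines | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
        if ($line) { ($line -split ':', 2)[1].Trim() } else { $null }
    }
    [pscustomobject]@{
        Threshold       = & $read 'Lockout threshold'
        DurationMinutes = & $read 'Lockout duration'
        WindowMinutes   = & $read 'Lockout observation window'
    }
}

function Set-LockoutPolicy {
    # Layer 2: lock an account after a small number of failures so that password guessing
    # over RDP stalls. The default values here are assumptions, not values from the post.
    param([int]$Threshold = 5, [int]$DurationMinutes = 30, [int]$WindowMinutes = 30)
    net accounts /lockoutthreshold:$Threshold /lockoutduration:$DurationMinutes /lockoutwindow:$WindowMinutes
}

# Report, and warn where the host looks exposed in the way the post describes
$exposure = Get-RdpExposure
$lockout  = Get-LockoutPolicy
$exposure | Format-List
$lockout  | Format-List
if ($exposure.RdpEnabled -and $exposure.Listening -and $exposure.FirewallAllows) {
    Write-Warning 'RDP is reachable on this host; run Set-RdpAccess -Mode Disable outside maintenance windows.'
}
if ($lockout.Threshold -eq 'Never') {
    Write-Warning 'No account lockout threshold is set; run Set-LockoutPolicy.'
}
```

Two caveats a practitioner should keep in mind. The host-level check only tells you what this machine offers; whether an RDP port is reachable from the internet also depends on the perimeter firewall and any port forwarding, so pair it with a scan of your own public address range. And a lockout threshold stops password guessing but not the credential-stuffing case the post describes, where the first password tried is the right one; for that, the logon itself has to be noticed, and the access path closed when no maintenance is scheduled.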
Since making these modifications, along with our patent-pending whitelist and malicious script blocking, our customers remain uninfected.
Since the Jackson County, Georgia infection in early March 2018, a string of government agencies have been infected, including Orange County, NC; Genesee County, MI; the city of Albany, NY; and the city of Greenville, NC. We all live in a city and a county, and without the proper precautions, they are at risk.
I am proud to write how my company has reacted during this crisis. We are at war, and quick response is essential.