Poorly configured remote administration software used by IT teams to manage endpoints or servers from a distance is often the first target of attackers, according to a new study that analyzed hundreds of data breach investigations. The software is sometimes poorly deployed, outdated or contains cached administrative credentials that could give cybercriminals the keys to the kingdom.
“Historically, attackers go after large corporate entities and get through the perimeter into the datacenter to get the crown jewels of the organization, but attackers started to learn that shooting the giant elephant is becoming more difficult,” said Nicholas Percoco, senior vice president of Trustwave SpiderLabs. “Now they’re going after smaller remote locations because they can accomplish the same thing with a little more effort.”
The problem plagues large firms with a centralized IT staff and smaller businesses that outsource IT management to a third-party service provider. Trustwave, which analyzed 300 breach investigations and 2,000 penetration tests in 2011, found remote management software was one of the most commonly used attack vectors. The report echoed the 2011 Verizon Data Breach Investigations Report, which recommended companies mitigate weaknesses in remote access services and monitor privileged activity.
Trustwave found corporate IT support administrators using the same or similar passwords at all the remote locations. The company found little use of two-factor authentication, and domain credentials were sometimes left in a cache folder, giving attackers easy access to a machine.
Administrators incorrectly deploying freely available open source remote management software also created weaknesses. Pen testers found outdated VNC software deployed on point-of-sale systems and on servers containing sensitive data. The software contained a VNC authentication bypass vulnerability, a flaw that was patched years ago, Percoco said.
“I’ve seen instances where attackers have infiltrated a single environment, honed their craft in one location and then developed custom malware to easily compromise other systems,” Percoco said.
The problems plaguing remote management software were recently brought to the forefront when Symantec announced that a 2006 breach of its systems exposed the source code of its Norton pcAnywhere software. Symantec urged enterprises to disable the software; then, after patching the vulnerabilities, the company issued a technical document urging users to establish tighter security controls around its use. It’s unclear whether enterprises are heeding the warning or whether they even realize the software is running on their endpoints. A recent study conducted by vulnerability management and penetration testing vendor Rapid7 found thousands of IP addresses with an open port commonly used by pcAnywhere. Many of those were production systems, including some in listening mode on point-of-sale systems.
“Based on the host names and the IP addresses, it was clear many pcAnywhere installations are configured at organizations or sites without much in the way of technical expertise,” said HD Moore, chief architect of Metasploit and CSO of Rapid7.
Moore said remote management tools pose no serious problems if they are configured properly. Common pitfalls include exposing Terminal Services on a system with weak accounts, he said, or setting up VNC in a way that requires a weak password and no mandatory encryption. Sometimes administrators introduce tools and fail to keep them updated with the latest security patches.
“The best choice these days is a combination of Terminal Services (Remote Desktop) combined with a strong local security policy that limits access to administrators and requires those administrators to have complex passwords,” Moore said.
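One way to check a Windows host against the configuration Moore describes above. This is an added example, not code from the article or from any vendor named in it; it assumes an elevated PowerShell session on a host whose policy is set locally (not overridden by domain GPO), reads settings only, and treats TCP 3389, 5900 and 5631 as the usual RDP, VNC and pcAnywhere listening ports. The minimum password length of 14 is an assumed floor, not a figure from the article.

```powershell
# Added audit script (not part of the original article). Read-only: it reports
# settings that contradict the quoted guidance and changes nothing.
$findings = @()

# 1. Remote Desktop: if enabled, require Network Level Authentication and at
#    least "High" encryption (MinEncryptionLevel 3; 4 = FIPS).
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts     = Get-ItemProperty -Path $tsKey
$rdpTcp = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp"
if ($ts.fDenyTSConnections -eq 0) {
    if ($rdpTcp.UserAuthentication -ne 1) {
        $findings += 'RDP enabled without Network Level Authentication'
    }
    if ($rdpTcp.MinEncryptionLevel -lt 3) {
        $findings += "RDP MinEncryptionLevel is $($rdpTcp.MinEncryptionLevel); expected 3 or 4"
    }
}

# 2. Access limited to administrators: membership in "Remote Desktop Users"
#    grants RDP logon without admin rights, so the group should be empty.
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Remote Desktop Users member: $($_.Name)" }

# 3. Complex passwords: export the local security policy and read the
#    password settings (secedit needs elevation; the 14-char floor is assumed).
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(\d+)') { $policy[$Matches[1]] = [int]$Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($policy['PasswordComplexity'] -ne 1) { $findings += 'Password complexity not enforced' }
if ($policy['MinimumPasswordLength'] -lt 14) {
    $findings += "Minimum password length is $($policy['MinimumPasswordLength']); expected 14+"
}

# 4. Remote-control listeners on this host: RDP 3389, pcAnywhere 5631, VNC 5900.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 3389, 5631, 5900 } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings += "Listener on TCP $($_.LocalPort) ($proc) bound to $($_.LocalAddress)"
    }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Any listener reported in step 4 that is not RDP, or an RDP listener bound to 0.0.0.0 on an Internet-facing host, is the "port listening on the Internet" case the article warns about.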
Companies consistently fail at maintaining simple and intermediate controls, and that’s a common theme in data breach computer forensics investigation reports, said Scott Crawford, managing research director of security and risk at Enterprise Management Associates, an IT industry analyst firm based in Boulder, Colo.
“Managing access privileges is one of the common missteps, but software defects and poorly deployed remote access capabilities are being targeted over and over again,” Crawford said.
Crawford said companies are failing to ask third-party IT service providers how their remote capabilities are deployed, if they have been tested and secured, and whether they are installed directly on the endpoint. Other organizations have systems with legacy remote management software often set up by an IT administrator long ago and no longer being used.
Organizations deploying their own remote management software can choose from a variety of enterprise-grade products. Ridgeland, Miss.-based Bomgar Corp. sells remote support software commonly used at large organizations and major IT service providers. Other vendors include Herndon, Va.-based Xceedium and Santa Clara, Calif.-based Citrix Systems Inc., which sells a variety of remote access and management software to consumers and enterprises, including GoToAssist and GoToMeeting.
Like many competing enterprise-grade remote support products, Bomgar has recording capabilities that give businesses an audit trail whenever the software is in use. Remote management software in enterprises should be closely controlled, maintained and audited, said company CEO Joel Bomgar.
“It’s not completely hacker-proof and no solution is, but there are no ports listening on the Internet,” Bomgar said.
Bomgar said more than half of his company’s customers are doing IT support on behalf of someone else. The software is designed to enable those remote IT teams to establish a secure ad-hoc VPN and work within a secure tunnel with the server or workstation, he said.