Brian Krebs reported yesterday on a service that he’s been researching that is selling access to exploited Microsoft Windows servers. Krebs says that the service is renting access to nearly 17,000 computers worldwide, although almost 300,000 compromised systems have passed through this service since its inception in early 2010. According to Krebs’ research, all of the machines for sale have been set up by their legitimate owners to accept incoming connections via the Internet, using the Remote Desktop Protocol (RDP).
The service, which requires a $20 registration fee and a per-server fee (with the example shown being as low as $4.55 USD), allows anyone to rent an exploited server for their own purposes. A large portion of the compromised servers are owned and operated by Fortune 500 companies. The servers are sold by hackers who earn commissions on servers they list with the site.
To add insult to injury, the service’s operators provide detailed reputation ranking of the compromised servers in addition to technical support if the servers don’t work as advertised.
So…why is RDP exposed to the world on these servers? Why aren’t they locked down to only accept access from specific IP addresses? Why weren’t the administrators alerted to the change in access patterns to their servers?
Well, the easy answer (unfortunately) is that “security is hard”. Static firewall rules don’t scale, especially in cloud environments, and traditional operational models rely on archaic change control procedures and lengthy turnaround times to provide access. Likewise, the monitoring of security is also hard and, in all likelihood, the servers in question weren’t being monitored sufficiently.
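The monitoring gap the questions above point at (RDP open to the world, no alert when logons start arriving from unexpected places) is one a simple log check can close. The following is an added example, not code from the original post or from the Halo product: it scans Windows Security event 4624 records for RDP logons (LogonType 10) whose source address is outside an assumed admin network. The event records and the 10.20.0.0/16 allowlist are constructed for illustration.

```python
"""Flag successful RDP logons (event 4624, logon type 10) from unexpected sources.

Added example; the events below are constructed to mimic the EventData fields of
Windows Security event 4624, and ADMIN_NETWORKS is a hypothetical admin range.
"""
import ipaddress
from collections import Counter

# Hypothetical networks from which RDP administration is expected.
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample of Security log events. 4624 = successful logon,
# 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_admin", "IpAddress": "10.20.4.17"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "fileshare", "IpAddress": "10.20.9.2"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "203.0.113.44"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "198.51.100.7"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "198.51.100.7"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "203.0.113.44"},
]


def is_allowed(ip: str) -> bool:
    """True when the source address falls inside an expected admin network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def rdp_logons_outside_allowlist(events):
    """Return (account, source IP) for each successful RDP logon from an
    address that is not in the allowlist. Console and loopback sources, which
    4624 reports as '-' or a loopback address, are ignored."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] != 10:
            continue
        ip = ev["IpAddress"]
        if ip in ("-", "::1", "127.0.0.1"):
            continue
        if not is_allowed(ip):
            hits.append((ev["TargetUserName"], ip))
    return hits


def summarize(events):
    """Count unexpected RDP logons per (account, source IP) so repeated use of
    one foreign address (the pattern a rented server would show) stands out."""
    return Counter(rdp_logons_outside_allowlist(events))


if __name__ == "__main__":
    for (user, ip), n in summarize(SAMPLE_EVENTS).items():
        print(f"ALERT: {n} RDP logon(s) as {user} from unexpected source {ip}")
```

In production the events would come from the Security log (or a SIEM export) rather than the inline list, and the allowlist from the firewall policy that should already restrict port 3389.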
One of the reasons we created Halo was to make securing servers an easy, repeatable and scalable process that was as transparent to users as possible.
Halo permits your administrators to connect to each server directly, without exposing the RDP port for administration, using our Dynamic Firewall Automation and Two-Factor Authentication solution, GhostPorts. Using Halo ensures that none of the servers are exposed to attack from threats targeting remote administrative services. Administrators can open GhostPorts with Yubikey or SMS authentication, so there is no need to give them high-level access to your server infrastructure management tools. This makes it much easier to maintain segregation of duties. Finally, Halo is a cloud-agnostic solution, which means it will work in any public, private or hybrid cloud, in addition to any virtualized or physical server environment.
So I guess the real question is why haven’t you downloaded your Halo trial to see how easy it is to secure your servers from public RDP compromises?