“Admin”, “123456”: the passwords that leave your remote access far too vulnerable


Researchers from cybersecurity firm Rapid7 looked at how attackers go after the key remote access protocols into corporate networks. Their findings make a strong case for hardening your passwords.

Opportunistic attacks

Attackers primarily target weak passwords such as “admin”, “password” and “123456”. According to Rapid7, they opportunistically try a small handful of administrator usernames and passwords before moving on. It is therefore common to see a single IP address try exactly one username and password pair, such as “root:root” or “admin:admin”, which suggests an automated process, possibly driven by a botnet.

The most common usernames tried against Remote Desktop Protocol (RDP) are “Administrator” and “administrator”. This is presumably because RDP usually runs on Windows, where the built-in local administrator account is named “Administrator”.

For the Secure Shell (SSH) protocol, the two most common usernames are “root” and “admin”, which is easily explained: most Linux distributions ship with a “root” account, while “admin” is the usual default username on routers and IoT devices. The passwords most often attempted are “123456” and “password”.

Remote access targeted by cybercriminals

Both RDP and SSH are widely used to manage virtual machines in the cloud. Given the growing popularity of cloud computing and remote working, the researchers believe it is important to understand how attackers target these services. RDP, for example, is one of the main initial-access vectors for ransomware gangs.

To conduct its study, Rapid7 examined the credentials used by attackers to compromise its RDP and SSH honeypot network during the first nine months of 2022. During that time, it observed tens of millions of login attempts against its honeypots and the use of half a million unique passwords. These honeypots are part of the company’s Project Heisenberg.

No random passwords

The company then compared the recorded data with the “rockyou” password list, a compilation of roughly eight billion usernames and passwords used by penetration testers and attackers alike.

For Rapid7, the two lists match almost perfectly, and the company concludes that attackers going after remote access “do not generate truly random passwords, but instead work entirely from lists of guessable passwords”.
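The analysis the study describes, reduced to a script that can be run over honeypot records: which usernames and credential pairs are tried most, which source IPs make a single guess and move on, and how much of the observed password traffic is covered by a wordlist. This is an added example, not Rapid7’s code; the records and the wordlist are constructed stand-ins, not Project Heisenberg data or the real rockyou list.

```python
from collections import Counter, defaultdict

# Constructed sample of honeypot login attempts, not real Project Heisenberg
# data: (source_ip, protocol, username, password).
ATTEMPTS = [
    ("198.51.100.7",  "ssh", "root",          "root"),
    ("198.51.100.8",  "ssh", "admin",         "admin"),
    ("198.51.100.9",  "ssh", "root",          "123456"),
    ("198.51.100.10", "ssh", "root",          "password"),
    ("198.51.100.11", "rdp", "Administrator", "123456"),
    ("198.51.100.12", "rdp", "administrator", "password"),
    ("198.51.100.13", "rdp", "Administrator", "admin"),
    ("203.0.113.5",   "ssh", "root",          "123456"),
    ("203.0.113.5",   "ssh", "root",          "password"),
    ("203.0.113.5",   "ssh", "root",          "toor"),
    ("203.0.113.5",   "ssh", "root",          "Zq7!vB2#pL9x"),
    ("203.0.113.5",   "ssh", "ubuntu",        "ubuntu"),
]

# Constructed stand-in for a guessable-password list such as rockyou.
WORDLIST = {"123456", "password", "root", "admin", "toor", "ubuntu", "qwerty"}


def top_usernames(attempts, protocol, n=2):
    """Most-tried usernames for one protocol, as (username, count) pairs."""
    counts = Counter(user for _, proto, user, _ in attempts if proto == protocol)
    return counts.most_common(n)


def top_credentials(attempts, n=3):
    """Most-tried username:password pairs across all protocols."""
    counts = Counter(f"{user}:{pw}" for _, _, user, pw in attempts)
    return counts.most_common(n)


def single_try_sources(attempts):
    """Source IPs that made exactly one attempt: the opportunistic pattern
    (one guess, then move on) that points to automation or a botnet."""
    per_ip = defaultdict(list)
    for ip, _, user, pw in attempts:
        per_ip[ip].append(f"{user}:{pw}")
    return {ip: tries[0] for ip, tries in per_ip.items() if len(tries) == 1}


def wordlist_coverage(attempts, wordlist):
    """Share of attempts, and share of unique passwords, found in the list.
    Values near 1.0 on both mean the attacker replays a list rather than
    generating passwords."""
    passwords = [pw for _, _, _, pw in attempts]
    unique = set(passwords)
    by_attempt = sum(1 for pw in passwords if pw in wordlist) / len(passwords)
    by_unique = len(unique & wordlist) / len(unique)
    return by_attempt, by_unique


def uncovered_passwords(attempts, wordlist):
    """Passwords seen that are not in the list. These deserve a closer look:
    they may be a targeted guess rather than list replay."""
    return sorted({pw for _, _, _, pw in attempts} - wordlist)


if __name__ == "__main__":
    print("top SSH users:", top_usernames(ATTEMPTS, "ssh"))
    print("top RDP users:", top_usernames(ATTEMPTS, "rdp"))
    print("top credential pairs:", top_credentials(ATTEMPTS))
    print("single-try sources:", single_try_sources(ATTEMPTS))
    print("coverage (attempts, unique):", wordlist_coverage(ATTEMPTS, WORDLIST))
    print("not in wordlist:", uncovered_passwords(ATTEMPTS, WORDLIST))
```

The two coverage numbers answer different questions: coverage by attempt tells you how much of the noise a wordlist explains, coverage by unique password tells you whether anything outside the list is being tried at all. A single uncovered password from a source that otherwise replays the list is the kind of outlier worth alerting on.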

To counter these attackers, Rapid7’s top tip is to change default credentials and to disable local and guest administrator accounts where possible. This will not stop targeted attacks, but it does defeat opportunistic ones. A password manager makes it practical to use a long, unique password for every account, which keeps it out of any guessable-password list.

The company’s recommendations

To protect RDP and SSH remote access, organizations should also place them behind a virtual private network (VPN) and restrict remote connections so that they only work from VPN-authenticated hosts. Finally, moving the services off their default ports (3389 for RDP, 22 for SSH) can cut out most opportunistic brute-force traffic, although this is a noise-reduction measure rather than real protection: a scanner that probes all ports will still find the service.

“For RDP access, the best protection is to restrict access through firewalls and network security groups, so that exposed instances can only be accessed from trusted IP addresses,” notes the company.

For Rapid7, securing SSH access means disabling password authentication in favor of key-based (or certificate-based) authentication. It also strongly advises limiting the set of users allowed to log in, disabling SSH login for the root account, and lowering the maximum number of authentication attempts allowed per connection.
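The SSH recommendations above map directly onto a handful of sshd_config keywords. The checker below, an added example rather than anything Rapid7 or OpenSSH ship, parses a config and reports which of those recommendations it misses. Both sample configs are constructed. One detail it reproduces on purpose: sshd uses the first value it reads for a keyword, so appending a hardened line to a file that already says `PasswordAuthentication yes` changes nothing, a mistake that is easy to make with configuration management.

```python
import re

# Constructed sample configs, not taken from any real host.
WEAK_CONFIG = """\
# Typical defaults on a freshly built cloud image
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
MaxAuthTries 3
AllowUsers ops deploy
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}, keeping the FIRST value seen for
    each keyword, because that is what sshd does. Parsing stops at the first
    Match block; conditional overrides are out of scope for this example."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" as well as "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Findings as (keyword, message) pairs; an empty list means the config
    meets the recommendations above. Where a keyword is absent, OpenSSH's
    documented default is assumed."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("passwordauthentication", "yes") != "no":
        findings.append(("PasswordAuthentication",
                         "password logins allowed; set 'no' and use key-based auth"))
    # Renamed from ChallengeResponseAuthentication in OpenSSH 8.7; with PAM it
    # can still prompt for a password even when PasswordAuthentication is off.
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append(("KbdInteractiveAuthentication",
                         "keyboard-interactive can still prompt for a password; set 'no'"))
    # Default is prohibit-password, which still lets root in with a key.
    if s.get("permitrootlogin", "prohibit-password") != "no":
        findings.append(("PermitRootLogin",
                         "root may log in over SSH; set 'no', use an unprivileged user and sudo"))
    try:
        max_tries = int(s.get("maxauthtries", "6"))
    except ValueError:
        max_tries = 6
    if max_tries > 3:
        findings.append(("MaxAuthTries",
                         "more than 3 attempts per connection; lower it to slow guessing"))
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append(("AllowUsers",
                         "no AllowUsers/AllowGroups: every local account is a login target"))
    return findings


if __name__ == "__main__":
    samples = [
        ("weak", WEAK_CONFIG),
        ("hardened", HARDENED_CONFIG),
        # Appending the fix does not help: the first value still wins.
        ("weak + fix appended", WEAK_CONFIG + "PasswordAuthentication no\n"),
    ]
    for name, cfg in samples:
        print(f"== {name} ==")
        for keyword, message in audit_sshd_config(cfg) or [("OK", "no findings")]:
            print(f"  {keyword}: {message}")
```

On a live host the authoritative input is `sshd -T`, which prints the effective configuration after defaults and all included files have been applied; feed its output to the same checker rather than the raw file, and re-run it after every change.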


Source: “ZDNet.com”
