Over the last several months, the NJCCIC has observed a sharp increase in cyber incident reports and threat intelligence involving the exploitation of enabled ports commonly used for remote access as the point of entry for ransomware attacks and other network intrusion activity. As software vendors and systems administrators are under increased pressure to quickly patch known vulnerabilities, hackers seek "the path of least resistance" to gain unauthorized network access and steal data or install malware. Poorly secured remote access configurations over commonly used ports exposed to the internet provide intruders with easy opportunities to gain access, often without being noticed by network administrators.
The NJCCIC strongly recommends all organizations audit their networks to identify servers and devices that have ports 22 (SSH), 23 (Telnet), and 3389 (RDP) enabled and immediately close them. Using the publicly available Shodan tool, the NJCCIC identified over 288,000 systems in New Jersey alone that currently have these ports open and exposed to the internet. If the availability of remote access is required, the NJCCIC recommends that organizations implement IPsec or SSL VPNs and to require multi-factor authentication.
On Tuesday, the intelligence firm Flashpoint published a report indicating that 85,000 compromised RDP servers were recently made available for sale or rent on the xDedic dark web marketplace, an illicit hidden service known for selling access to hacked systems. Flashpoint's analysis of the data revealed that most of compromised systems reside in the United States and belong to organizations in the education, healthcare, legal, aviation, and government sectors.