Proactive Cyber Policing

Cyber / January 31

We look at a current investigation into lists of potentially compromised login credentials for businesses in the South West, and the steps we're taking to protect these organisations from the associated cyber threat.

We aim to be as proactive as possible in order to prevent cyber-attacks causing the magnitude of damage that the world is increasingly seeing.

 

This approach can be seen in one of our ongoing cases involving an online server which, after forensic review, has been shown to hold lists of potentially compromised user accounts and passwords for businesses based in the South West, along with IP addresses and port numbers. The major concern here is the possibility that remote access via Remote Desktop Protocol (RDP) could be unknowingly granted, opening the door for malicious online activity.

We can’t confirm if any data on the server has been used to compromise any networks. However, taking a precautionary approach, we’re currently contacting businesses who appeared on the server to:

 

  • Inform them of the operation
  • Provide them with their data that was held on the server
  • Advise them on the next course of action, including resetting their passwords, carrying out an internal audit to see if the account or network has been compromised, and reporting back to Action Fraud.

 

We've discussed the risks of RDP before in another one of our cases, and this type of scenario is a risk that businesses take when using it. RDP is a common feature of most networks, especially with more employees working remotely; it can also be used to provide IT support to other users in a network. Most business and IT administrators see the benefits of RDP but often overlook the risks that come with it. Here are some quick points to consider if you use RDP:

 

 

Do you need RDP to work?

  • If your network allows RDP but the business has no use for it, then you can block the RDP ports altogether. Alternatively, you could open the ports between certain times, and close them out of office hours.

Reallocate RDP Ports

  • RDP listening ports are normally 3389 or 3390 – consider changing them so these ports can’t be guessed by a potential attacker.

Use stronger passwords

There is a huge amount of media coverage and a number of campaigns directed at setting secure passwords, and yet in practice people continue to disregard this advice. In the case of this investigation, out of 113 organisations based in the South West (some with multiple passwords leaked), here is a breakdown of what passwords were used:

 

  • Password1 – 24%
  • Password same as user name – 46%
  • Password – 10%
  • Password123 – 8%
  • Blank/no password – 4%

 

If an attacker attempts to connect to a business network via RDP, they will need an account to log in to, so please make sure you always use strong, complex passwords. The UK's National Cyber Security Centre (NCSC) has lots of advice on this, e.g. https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0.
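The password patterns in the breakdown above can be rejected when a password is set or reset. The following is an added example, not part of the original article or any SWRCCU tooling; the function names, the blocklist and the 12-character minimum are assumptions chosen for illustration.

```python
import re

# Base words behind the weak passwords in the breakdown above ("Password",
# "Password1", "Password123"). Constructed blocklist: extend it with your
# organisation's name, town, and other easily guessed words.
BLOCKED_BASES = {"password"}
MIN_LENGTH = 12  # assumed policy value, not a figure from the article


def _base(value):
    """Lower-case and drop trailing digits/symbols: 'Password123!' -> 'password'."""
    return re.sub(r"[\W\d_]+$", "", value.lower())


def _account_name(username):
    """Reduce 'CORP\\jsmith' or 'jsmith@example.org' to 'jsmith'."""
    return username.split("\\")[-1].split("@")[0].lower()


def screen_password(username, candidate):
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    if candidate == "":
        return ["blank password"]
    reasons = []
    account = _account_name(username)
    base = _base(candidate)
    if account and account in (candidate.lower(), base):
        reasons.append("same as user name")
    if base in BLOCKED_BASES:
        reasons.append("blocklisted common word")
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    return reasons


if __name__ == "__main__":
    # Constructed sample accounts, not data from the investigation.
    samples = [
        ("jsmith", ""),
        ("jsmith", "Password1"),
        ("CORP\\jsmith", "JSmith"),
        ("jsmith@example.org", "jsmith2024!"),
        ("jsmith", "copper-lantern-tuesday"),
    ]
    for user, pw in samples:
        print(user, repr(pw), screen_password(user, pw) or "accepted")
```

The check compares the candidate with the account name after stripping any domain prefix or e-mail suffix, so "jsmith2024!" is caught for "jsmith@example.org" as well as an exact match.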


The South West Regional Cyber Crime Unit is comprised of dedicated individuals who investigate serious cybercrime, offer advice and guidance to small businesses, and work with a range of partners to prevent people from engaging in cybercrime. For more articles and case studies like this, follow us here, on LinkedIn and on Twitter (@swrccu).

We also have a node on the Cyber Security Information Sharing Partnership (CiSP), and we strongly encourage organisations to sign up for real-time cyber threat information in a secure, confidential and dynamic environment: https://www.ncsc.gov.uk/cisp.
