Healthcare Key Target of Hacker Selling Access to Compromised RDP

August 31, 2020 - The hacker known as TrueFighter has reemerged with a campaign actively targeting the remote desktop protocol (RDP) across all sectors, with those in the healthcare industry as the leading target. The hacker then sells access to the compromised RDP on the dark web for financial gain, according to Nuspire.  

TrueFighter is believed to be a solo hacker that first appeared in 2014 in a series of financially motivated attacks, breaching networks to later sell stolen credentials for profit on the dark web. 

In mid-August, Nuspire’s Security Intelligence and Analytics team again observed TrueFighter selling RDP account access through various underground forums and communities. While the hacker is targeting a range of industries, it appears healthcare is the most popular target. 

“TrueFighter sells information for unspecified organizations, opting to define the source by industry: e.g. US medical center network or water district,” researchers explained. “The majority of TrueFighter sales on these forums are compromised RDP accounts.” 

“Anyone who buys these accounts would obtain remote administrative access to the compromised organization,” they continued. “Although the group primarily appears to attack the healthcare industry, sales denote a broader set of unspecified organizations.” 

READ MORE: COVID-19 Remote Work Causes Spike in Brute-Force RDP Cyberattacks

The known victims include a Japanese medical university, a US hospital, a large EU hospital, a Brazilian medical organization, and a US water district, just to name a few. 

Throughout the pandemic, remote work has rapidly increased across all sectors, including in healthcare. Telehealth and other remote patient monitoring tech has also expanded amid COVID-19, increasing the need for remote access technologies like RDP and Virtual Private Networks (VPNs). 

As noted repeatedly by security researchers, industry stakeholders, and federal agencies, attacks on remote ports have remained constant amid the crisis. Organizations have been warned to monitor these endpoints to defend against unauthorized access. 

While the rate of successful RDP compromises on the healthcare sector is unknown, the notorious SamSam threat group repeatedly targeted and compromised provider networks in 2017. The hacking group has since been indicted by the Department of Justice. 

According to Nuspire, the latest RDP attacks spotlight the risk RDP poses to the overall enterprise network as exposed RDP access can easily be found by attackers leveraging search sites like Shodan.io. Attackers commonly use these search engines to find vulnerable endpoints that can be later exploited. 

Even more concerning: researchers used Shodan.io and found 4.3 million exposed RDP connections, with 30 percent based in the US. 

TrueFighter is also amplifying these risks by offering the ability to escalate accounts to domain administrator access for an additional fee. Researchers said they believe the hacker is first gaining RDP access and then selling the connection to other hackers, given “the risk or possible additional skill levels needed to continue attacking.” 

Instead, the hacker likely breaks into the network undetected and then sells the credentials to quickly make a financial return. 

“The exploitation framework FuzzBunch can use an exploit like DoublePulsar to attack those RDP connections,” researchers explained. “To prevent this, administrators can restrict access to RDP connections to trusted sources, audit connectivity logs for unknown connections and implement 2FA for RDP logins.” 

“RDP is also known to have multiple vulnerabilities over time and unpatched systems are especially attractive targets to attackers,” they added. 

Healthcare organizations should ensure access to enterprise RDP is restricted to trusted sources, while auditing connectivity logs for unknown connections and administrative accounts to ensure permissions have not unknowingly been escalated. And two-factor authentication must be implemented for RDP connections. 

Security researchers have also previously provided basic RDP security needs for healthcare organizations. Those key elements include isolating RDP, keeping the port behind the firewall, as well as implementing network level authentication and limiting the number of users allowed to log in through RDP.

RDP should be disabled wherever possible or access should only be given on a need to know basis, while ports should be segmented or compartmentalized as much as possible.

"There’s a saying, it’s almost like candy with a hard, external shell and a softer core for the internal organization,” Oleg Kolesnikov, Head of Securonix Threat Research Labs, told HealthITSecurity.com in a 2019 interview. “It applies to healthcare, with its critical operations: healthcare is the most mission critical, and it's often not feasible to take systems down or patch in a timely manner.”

“Segmentation should not be viewed as an alternative to patching,” Kolesnikov said. “But it can mitigate in some places and allow security teams to detect an intrusion… We typically recommend a virtual patch, as in some cases it can enable organizations to push or extend the period for applying patches.”