Backoff and Citadel Abuse Remote Access Tools

Recent events continue to highlight the abuse of remote access applications in the enterprise. Last Tuesday, Trusteer reported that a new variant of Citadel, which has long relied on VNC to give attackers remote control over systems, began adding new credentials to systems it infects and enabling the standard Windows remote desktop application (RDP). This allows the attacker to maintain control over the system even after the Citadel infection is removed. As the report indicates, using RDP this way also allows the attackers to “fly under the radar” as RDP is commonly used by administrators and often not treated as a threat.

Later that same week, US-CERT released alert TA14-212A on the Backoff Point of Sale (PoS) malware, which describes how malicious actors used publicly available tools to identify organizations that use remote access applications in an unsafe way. This reconnaissance was then leveraged in brute force attacks against credentials, toward unauthorized access, implant installation, and subsequent exfiltration of consumer payment data.

As with any tool, remote access applications can be used for good or malicious intent. It would be inefficient for an administrator to travel to a physical office to make a change on a system, but its critical that organizations take control over these applications. The first step is identifying them in your network. Palo Alto Networks currently tracks 90 different remote-access applications in Applipedia.  Examples include Remote Desktop Protocol (RDP), Virtual Network Connection (VNC), TeamViewer, and even Secure Shell (SSH), to name a few.

Once you can identify the traffic, you need to separate the good from the bad. If your company runs Windows and relies on RDP, you can close off VNC, TeamViewer and the other 87 applications because you don’t need them. If your administrators and help desk are the only ones who need RDP access to your systems, disable RDP for the rest of your users. The key is putting a policy in place and making sure your technology is enforcing that policy at the network layer.

The Backoff and Citadel reports from last week highlight how uncontrolled remote access broadens your attack surface and acts as a backdoor for attackers already in your network. Remote-access abuse is not a new problem. We’ve been highlighting the importance of controlling this threat since 2009, but five years later it remains an issue for many organizations.