A study by cyber security firm McAfee has found that criminal marketplaces on the dark web are selling Remote Desktop Protocol (RDP) access for as little as $3 and, in some instances, offering up to 40,000 separate RDP connections. These RDP accesses are said to include government departments and the security system of a major international airport. 

RDP software allows a user’s desktop environment to be run remotely from another device. This can be very useful for customer service support and remote working. McAfee reports that cyber criminals scan the Internet for systems that accept RDP connections and use ‘brute force’ attacks to gain access to systems with weak login credentials. 

RDP vulnerabilities potentially allow an attacker to obtain full access and control of the system. Once access is obtained, the attacker can steal data, install malware or conduct other malicious activities.  

Changing default settings, using more secure passwords, two-factor authentication and limiting the number of login attempts would lower the risk of RDP credentials being stolen. 
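The brute-force pattern McAfee describes is visible in the Windows Security log: a run of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source, often across many account names, sometimes followed by a success (Event ID 4624). The following is an added example, not code from McAfee or the NCSC, that flags that pattern over constructed sample events; the threshold, window and sample data are assumptions, and in production the events would come from the event log or a SIEM rather than a string.

```python
"""Detect RDP brute-force activity in Windows Security log events.

Added example; not code from McAfee or the NCSC. The events below are
constructed in the shape of Event ID 4625 (failed logon) and 4624
(successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, event id, logon type, account, source IP
SAMPLE_EVENTS = """\
2018-07-04T10:00:01 4625 10 administrator 203.0.113.7
2018-07-04T10:00:02 4625 10 admin 203.0.113.7
2018-07-04T10:00:03 4625 10 test 203.0.113.7
2018-07-04T10:00:04 4625 10 user 203.0.113.7
2018-07-04T10:00:05 4625 10 guest 203.0.113.7
2018-07-04T10:00:06 4625 10 scan 203.0.113.7
2018-07-04T10:00:40 4624 10 jsmith 203.0.113.7
2018-07-04T10:05:00 4625 10 jsmith 198.51.100.20
2018-07-04T10:05:30 4624 10 jsmith 198.51.100.20
2018-07-04T10:06:00 4625 3 svc_backup 192.0.2.9
"""

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive


def parse_events(text):
    """Parse the whitespace-separated sample format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
        })
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: details} for sources that produced at least
    `threshold` failed RDP logons inside any sliding `window`.

    `details` lists the account names tried (many distinct names from one
    source is the password-spraying signature) and whether the same source
    later logged on successfully, which is the case to escalate first.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # non-RDP logons (network, service, ...) are out of scope
        if e["event_id"] == FAILED_LOGON:
            failures[e["src"]].append(e)
        elif e["event_id"] == SUCCESSFUL_LOGON:
            successes[e["src"]].append(e)

    alerts = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        burst = False
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        last_failure = evs[-1]["time"]
        alerts[src] = {
            "accounts": sorted({e["account"] for e in evs}),
            "attempts": len(evs),
            "followed_by_success": any(
                s["time"] >= last_failure for s in successes[src]
            ),
        }
    return alerts


def analyse_sample():
    """Run the detector over the constructed sample."""
    return find_rdp_bruteforce(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for src, info in analyse_sample().items():
        print(src, info)
```

Detection of this kind complements, rather than replaces, the mitigations above: an account lockout or rate limit stops the guessing, while the alert tells you which source was trying and whether it got in. The single failure from the second address is a user mistyping a password and is correctly left alone.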

Please see the NCSC’s guidance on passwords and remote working for how to lower the risks.

Spanish telecoms provider Telefónica suffers security breach 

According to media reports, Spanish telecoms provider Telefónica has suffered the largest data breach in Spanish telecommunications history. 
 
It has been widely reported that the breach exposed the personal and financial information of millions of Spanish users of the company’s landline, broadband and television services under the Movistar brand. It was revealed that anyone with an account could view other users’ personal data by manipulating part of the URL within the customer portal.  

The Telefónica breach was reported to the Spanish Agency for Data Protection (AEPD), the national agency in charge of enforcing the new GDPR data protection rules. Under GDPR, Telefónica may face a fine between €10 million and €20 million, or a fine that’s the equivalent of 2% to 4% of its annual turnover.  

Media claim some 85% of Telefónica’s computers were affected by the WannaCry ransomware attack in May 2017. 

The breach could have been due to insufficient security testing when the online portal was commissioned. Despite significant investment in new security systems, a relatively trivial oversight enabled any account holder to bypass these controls, highlighting that the simplicity of a breach-causing error often stands in stark contrast to the magnitude of the resulting consequences. 
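The flaw described, where changing an identifier in the URL returns another customer’s record, is an insecure direct object reference: the portal checks that someone is logged in but never checks that the requested record belongs to that someone. The following is an added example, not Telefónica’s or Movistar’s code, showing the vulnerable handler beside the fixed one over constructed customer and session data; the in-memory dicts, URL layout and the `idor_check` regression test are assumptions standing in for the portal’s database, routing and test suite.

```python
"""Insecure direct object reference (IDOR) in a customer portal: vulnerable and fixed.

Added example; not Telefónica's or Movistar's code. The customer table and
session store are constructed, and both handlers take the caller's session
token plus the requested URL path.
"""


class Forbidden(Exception):
    """Raised when a request is not authorised."""


# Constructed customer records (IBANs are dummy values)
CUSTOMERS = {
    1001: {"name": "Alice", "iban": "ES00-CONSTRUCTED-1001", "services": ["landline", "broadband"]},
    1002: {"name": "Bob", "iban": "ES00-CONSTRUCTED-1002", "services": ["tv"]},
}

# Constructed sessions: token issued at login -> customer id it belongs to
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


def parse_customer_id(path):
    """Extract the numeric id from a path such as /portal/customer/1002/invoices."""
    parts = path.strip("/").split("/")
    try:
        return int(parts[parts.index("customer") + 1])
    except (ValueError, IndexError):
        raise Forbidden("malformed path")


def get_customer_vulnerable(session_token, path):
    """Vulnerable pattern: checks that *a* user is logged in, then returns
    whichever record the URL names. Changing 1001 to 1002 in the URL
    reads another customer's data."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    customer_id = parse_customer_id(path)
    if customer_id not in CUSTOMERS:
        raise Forbidden("no such customer")
    return CUSTOMERS[customer_id]


def get_customer_hardened(session_token, path):
    """Fixed pattern: the record must belong to the customer behind the
    session. The check runs server-side on every request, whatever the
    URL says."""
    owner_id = SESSIONS.get(session_token)
    if owner_id is None:
        raise Forbidden("not logged in")
    requested = parse_customer_id(path)
    if requested != owner_id:
        # Same response as for a non-existent id, so nothing is learned
        # about which ids exist; still log it, because a run of mismatches
        # from one session is an enumeration attempt worth alerting on.
        raise Forbidden("no such customer")
    return CUSTOMERS[owner_id]


def probe(handler, session_token, path):
    """Return the record a handler gives out, or None if it refuses."""
    try:
        return handler(session_token, path)
    except Forbidden:
        return None


def idor_check(handler, owner_token, foreign_path):
    """Regression test a portal should run at commissioning: does a logged-in
    customer receive a record that is not theirs? True means the handler leaks."""
    return probe(handler, owner_token, foreign_path) is not None


if __name__ == "__main__":
    print("vulnerable leaks:", idor_check(get_customer_vulnerable, "tok-alice", "/portal/customer/1002"))
    print("hardened leaks:", idor_check(get_customer_hardened, "tok-alice", "/portal/customer/1002"))
```

The `idor_check` call is the kind of test that would have caught this at commissioning: log in as one customer, request another customer’s id, and fail the build if anything comes back. Routes that only ever serve the caller’s own data are simpler still if they take no id from the URL at all and read it from the session.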

The NCSC has published cyber attack deterrence guidance for any company designing, building and operating digital services. 

The threat from the inside 

Several attempted data theft incidents in recent weeks have highlighted the significant insider threat to businesses developing high-value intellectual property. These incidents had the potential to cause catastrophic financial and/or reputational damage to the companies concerned: 

  • A disgruntled Tesla employee reportedly stole a large volume of sensitive data from company servers and allegedly passed the details on to an unknown third party after being refused promotion within the company 

  • A former Apple employee was reportedly arrested after stealing data related to the company’s research and development of self-driving cars. Suspicious activity on the employee’s user accounts during the last few days of his employment sparked an investigation into his activities, revealing the theft of Apple trade secrets relating to autonomous vehicles 

  • Israeli security company NSO reportedly discovered that an employee had stolen proprietary surveillance software from the company and offered it on the dark web. A potential buyer of the stolen software informed NSO of the theft 

The motivation for an employee to act against their employer can vary widely and may include financial greed, state-sponsored espionage, or even revenge for a workplace grievance. Similarly, some data breaches can be caused inadvertently by well-intentioned employees failing to follow, or deliberately circumventing, security procedures, where there is inadequate training, or when processes are seen as overly bureaucratic. 

Companies should follow thorough due diligence by ensuring appropriate security-related training is provided, including the identification and reporting of suspicious activity. IT hardening and user monitoring strategies, including auditing of user privileges, are also important to prevent malicious cyber activity. As the Apple example illustrates, well-implemented joiner/mover/leaver (JML) security practices can be essential in preventing valuable data falling into the wrong hands.
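The three controls in the paragraph above (privilege auditing, user monitoring, and JML practice) each reduce to a reconciliation between what HR knows, what the directory grants, and what the logs show. The following is an added example, not code from Tesla, Apple, NSO or the NCSC, that runs those three checks over constructed data: a leaver whose account is still enabled, a mover holding a group their role does not justify, and a user serving notice whose sensitive-file downloads jump well above their own baseline, which is the Apple-style signal. The roster, entitlement table, activity counts, thresholds and the audit date are all assumptions.

```python
"""Joiner/mover/leaver (JML) and user-activity audit checks.

Added example; not code from any company named in the report. Roster,
accounts and activity below are constructed; in practice the roster comes
from HR, accounts and group memberships from the directory, and daily
activity counts from file-server or DLP logs.
"""
from datetime import date
from statistics import mean

TODAY = date(2018, 7, 10)  # assumed audit date

ROSTER = {
    "u1": {"role": "engineer", "left": date(2018, 7, 1)},   # has already left
    "u2": {"role": "sales", "left": None},
    "u3": {"role": "engineer", "left": date(2018, 7, 20)},  # serving notice
}
ACCOUNTS = {
    "u1": {"enabled": True, "groups": {"engineering", "vpn"}},
    "u2": {"enabled": True, "groups": {"sales", "vpn", "source-code"}},
    "u3": {"enabled": True, "groups": {"engineering", "vpn", "source-code"}},
}
ROLE_ENTITLEMENTS = {
    "engineer": {"engineering", "vpn", "source-code"},
    "sales": {"sales", "vpn"},
}
# Daily sensitive-file download counts per user, oldest first (constructed)
ACTIVITY = {
    "u1": [5, 4, 6, 5, 5, 4, 6, 5, 4, 5],
    "u2": [20, 22, 18, 21, 19, 20, 22, 21, 20, 19],
    "u3": [10, 12, 9, 11, 10, 8, 11, 300, 450, 500],
}


def stale_leaver_accounts(roster, accounts, today):
    """Leaver check: accounts still enabled after the HR leaving date."""
    return sorted(
        uid for uid, rec in roster.items()
        if rec["left"] is not None and rec["left"] <= today
        and accounts.get(uid, {}).get("enabled", False)
    )


def excess_privileges(roster, accounts, entitlements):
    """Mover check: group memberships the person's current role does not justify."""
    excess = {}
    for uid, acct in accounts.items():
        allowed = entitlements.get(roster[uid]["role"], set())
        extra = acct["groups"] - allowed
        if extra:
            excess[uid] = sorted(extra)
    return excess


def departure_activity_spikes(roster, activity, recent_days=3, factor=3.0):
    """Monitoring check: users with a known leaving date whose activity over
    the last `recent_days` is at least `factor` times their earlier daily
    mean. Returns {user: ratio}."""
    flagged = {}
    for uid, counts in activity.items():
        if roster[uid]["left"] is None or len(counts) <= recent_days:
            continue
        baseline = mean(counts[:-recent_days])
        recent = mean(counts[-recent_days:])
        if baseline == 0:
            ratio = float("inf") if recent > 0 else 0.0
        else:
            ratio = recent / baseline
        if ratio >= factor:
            flagged[uid] = round(ratio, 1)
    return flagged


def run_audit():
    """Run all three checks over the constructed data."""
    return {
        "stale_leaver_accounts": stale_leaver_accounts(ROSTER, ACCOUNTS, TODAY),
        "excess_privileges": excess_privileges(ROSTER, ACCOUNTS, ROLE_ENTITLEMENTS),
        "departure_activity_spikes": departure_activity_spikes(ROSTER, ACTIVITY),
    }


if __name__ == "__main__":
    for check, finding in run_audit().items():
        print(check, finding)
```

Each finding maps to one of the incidents above: a still-enabled leaver account is the gap JML closes, an unjustified group is what privilege auditing is for, and the activity spike is the kind of anomaly that triggered the investigation in the Apple case. The baseline here is the user’s own history, which matters because a role that legitimately downloads a great deal every day would otherwise be flagged constantly.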