This past Friday, hospitality juggernaut Marriott announced its Starwood guest reservation database had been compromised in one of the biggest data breaches ever recorded. Here is a summary of the damage:
Hackers have been accessing the Starwood network since 2014
Personal data of as many as 500 million customers has been stolen, including payment card information, addresses, and passport numbers
Payment card information had been encrypted with AES-128, but the attackers are potentially in possession of the encryption keys as well
It is undetermined whether the breach was for-profit or if the attackers were state actors collecting information for intelligence purposes
Marriott now faces multiple class action lawsuits, regulatory fines, and legal investigations
However, here’s a little tidbit of information that has flown under the radar in many reports of the incident...
They still have RDP open to the internet everywhere, there’s hundreds of these (many Win2003). https://t.co/yIi0OCC3Ui— Kevin Beaumont 🥴 (@GossiTheDog) November 30, 2018
This oversight is a known attack vector commonly exploited by malicious actors. When an organization allows access to RDP ports beyond their firewall, attackers jump on the opportunity to break through RDP’s minimal defenses via brute force, dictionary, and exploit attacks. RDP is not a secure remote access solution and is clearly insufficient for external use as it lacks many of the necessary features to prevent and protect against unauthorized access.
To make matters worse, @j_opdenakker points out another glaring security risk:
Also Telnet and SSH exposed on the central core switch at Sheraton Waikiki. What could go wrong? pic.twitter.com/g3MJwN2ByG— John Opdenakker (@j_opdenakker) November 30, 2018
Security experts have been sounding the alarm over open RDP and Telnet ports for years. Microsoft's Remote Desktop Protocol (RDP), and the even older Telnet protocol, are well-known threat vectors. These technologies provide easy access into remote devices, but lack critical security measures to ensure remote users have been properly authenticated and authorized. Logging features are also notoriously absent, making after-action reporting and analysis difficult.
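The exposure described above, as an added defender-side check written for this post (not Marriott's tooling or the author's code): a small audit of inbound allow rules that flags RDP, Telnet and SSH reachable from any source outside a trusted list. The rule format, the sample rules and the trusted ranges are assumptions.

```python
"""Audit inbound allow rules (firewall / security-group style) for
remote-management ports reachable from untrusted sources."""
import ipaddress

# Ports the post singles out when left reachable from the internet.
RISKY_PORTS = {3389: "RDP", 23: "Telnet", 22: "SSH"}

# Sources from which management access is acceptable: RFC 1918 space plus a
# hypothetical VPN concentrator range (assumption, not from the post).
TRUSTED_SOURCES = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/28")]

def source_is_trusted(cidr):
    """True only if the whole source range sits inside one trusted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.network_address in t and net.broadcast_address in t
               for t in TRUSTED_SOURCES)

def port_bounds(spec):
    """Accept 3389, "3389" or "3000-4000"; return (low, high)."""
    lo, _, hi = str(spec).partition("-")
    return int(lo), int(hi or lo)

def audit_rules(rules):
    """Return one finding per (rule, risky port) exposed to an untrusted source."""
    findings = []
    for rule in rules:
        # Only inbound TCP allow rules can expose these services.
        if rule.get("direction", "in") != "in" or rule.get("action", "allow") != "allow":
            continue
        if rule.get("proto", "tcp") not in ("tcp", "any"):
            continue
        lo, hi = port_bounds(rule["port"])
        for port, service in RISKY_PORTS.items():
            if lo <= port <= hi and not source_is_trusted(rule["source"]):
                findings.append({"rule": rule["name"], "service": service,
                                 "port": port, "source": rule["source"],
                                 "fix": f"restrict {service} to VPN/jump-host ranges or drop the rule"})
    return findings

# Constructed sample rule set (not any real organization's configuration).
SAMPLE_RULES = [
    {"name": "rdp-any", "port": 3389, "source": "0.0.0.0/0"},
    {"name": "mgmt-range", "port": "20-25", "source": "198.51.100.0/24"},
    {"name": "rdp-vpn", "port": 3389, "source": "203.0.113.5/32"},
    {"name": "web", "port": 443, "source": "0.0.0.0/0"},
    {"name": "ssh-udp", "port": 22, "proto": "udp", "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['rule']}: {f['service']}/{f['port']} open from {f['source']} -> {f['fix']}")
```

Running it on the sample set reports the internet-wide RDP rule and the Telnet and SSH ports swept in by the 20-25 range, while the VPN-scoped RDP rule passes.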
This recent breach of Marriott's systems may not be related to open RDP and Telnet ports in its networks, but those open ports paint the picture of an organization with a laissez-faire approach to network security that at best will cost Marriott tens of millions of dollars and may prove to be criminally negligent.
No single solution or one-time action will protect an organization from cyber threats and bad actors. Eliminating threat vectors by closing ports targeted by cyber-criminals is just a start. If you are interested in learning more about protecting your network, take a look at our new workbook "Securing Remote Access: Basic & Advanced Strategies," and subscribe to this blog.