The increasing number of attacks via Remote Desktop Protocol (RDP) has prompted the FBI to release an alert advising businesses to establish preventive measures. RDP, which is automatically enabled in all versions of Windows, is a network communication feature that allows software developers and network administrators to remotely support, troubleshoot, or manage other users’ or clients’ devices. Companies that outsource their IT teams or operate from multiple locations use RDP to access computers remotely, allowing for faster implementation of IT solutions.
Here are just some of the attacks via RDP abuse in recent years:
SAMSAM attacks on the healthcare industry in 2016 exploited vulnerable servers and unpatched systems, allowing the ransomware to spread laterally within the network. The combination of SAMSAM and RDP brute force as an additional entry point in 2018 infected thousands of machines in the healthcare sector before it was detected. Crysis ransomware was also detected later in 2016, targeting businesses in Australia and New Zealand by brute forcing RDP, just one among its other means of distribution. Compared to those other techniques, Crysis delivered via RDP was able to scan for other vulnerable network drives and shares, encrypting data and potentially allowing the attackers to inflict more damage through escalated privileges; its targets included the healthcare sector in the US.
Targeted attacks come in various phases and may affect related entities such as the supply chain. Motivations may go beyond the financial, such as damaging the victim’s reputation, stealing intellectual property or proprietary information, or endangering national security. One example is vtask.exe, a custom tool observed in a targeted attack that hides the Windows tasks running in the current session (the tool dates from when Microsoft introduced RDP). Its main window, which runs on the attacker’s monitor, lets them search for sensitive information while the user of the targeted computer is not logged on. Although it was created on an outdated Windows version, it can still disrupt current processes when port 3389 is abused.
The Morto malware family has remained one of the most prevalent worms observed using RDP to propagate since 2011. Using a set of predefined credentials, attackers can use it to see which systems or networks can be remotely infiltrated once the .DLL payload is successfully executed.
In 2017, MajikPOS combined a number of entry points and attack chains, including RDP for the initial breach and the download of malware. Aside from combining point-of-sale (PoS) malware and Remote Access Trojans (RATs), one of its components could also scan for insecure ports directly connected to the internet, drop its payload, connect to the C&C server, and run its RAM-scraping routine to collect the data it exfiltrates.
The Credential Security Support Provider protocol (CredSSP) was found to have a critical vulnerability affecting RDP and Windows Remote Management (WinRM) that could be exploited to enable a man-in-the-middle attack (CVE-2018-0886). “EsteemAudit” is another example, an exploit leaked by the Shadow Brokers group that abuses a buffer overflow in the Smart Card authentication code of Windows XP and Windows Server 2003 (CVE-2017-9073) to achieve arbitrary code execution.
Here are some best practices your organization can adopt to prevent attacks via RDP abuse:
Close RDP port 3389 if it is not in use, or after use, so that unauthorized users and outsiders do not have an easy entry point for attack. Disable shared drive access.
Restrict RDP network admin access to a specific list of authorized users. Depending on your version of Windows, you can configure this via the Control Panel Settings or a Group Policy.
If closing the port is not possible, limit the source addresses allowed to access the port using Firewall Access Control Lists (ACLs). Check the configurations to prevent unintentionally opening RDP ports.
If there is a need to directly connect the server to the internet, set up the Remote Desktop gateway (RD gateway) to enable a single point of entry instead of specific RDP ports for each server.
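The practices above, as an added PowerShell example that is not from the original post: an audit function that reports whether RDP is enabled and listening, whether drive redirection is blocked, which inbound firewall rules allow TCP/3389 from any source (optionally scoping them to an admin subnet), and who is in the Remote Desktop Users group. The function name, the `-Remediate` switch and the `10.0.10.0/24` subnet are assumptions; it targets Windows 10 / Server 2016 or later from an elevated prompt.

```powershell
# Added example (not the original post's code). Assumes the NetSecurity and
# Microsoft.PowerShell.LocalAccounts modules; $AllowedSources is a placeholder subnet.
function Test-RdpHardening {
    param(
        [string[]]$AllowedSources = @('10.0.10.0/24'),  # placeholder: your admin subnet(s)
        [switch]$Remediate                              # rewrite over-broad rules if set
    )
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Is RDP enabled at all? fDenyTSConnections = 1 means connections are refused.
    $rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # Is anything actually listening on 3389 right now?
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

    # Shared drives: the policy "Do not allow drive redirection" sets fDisableCdm = 1.
    $cdm = (Get-ItemProperty -Path $polKey -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
    $drivesBlocked = ($cdm -eq 1)

    # Enabled inbound allow rules for TCP/3389 whose remote address is 'Any' are unscoped.
    $openRules = @()
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { @($_.LocalPort) -contains '3389' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    foreach ($rule in $rules) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            $openRules += $rule.DisplayName
            if ($Remediate) {
                # Keep the rule but limit its source addresses to the admin subnet(s).
                Set-NetFirewallRule -Name $rule.Name -RemoteAddress $AllowedSources
            }
        }
    }

    # Who may log on over RDP? Compare against the authorized list. Note that local
    # Administrators can connect regardless of this group's membership.
    $rdpUsers = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue).Name

    [pscustomobject]@{
        RdpEnabled              = $rdpEnabled
        ListeningOn3389         = $listening
        DriveRedirectionBlocked = $drivesBlocked
        RulesOpenToAnySource    = $openRules
        RemoteDesktopUsers      = $rdpUsers
    }
}

Test-RdpHardening -AllowedSources '10.0.10.0/24' | Format-List
```

Run it without `-Remediate` first and review `RulesOpenToAnySource`; rules whose sources are already restricted are left untouched.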