InfoSec Guide: Remote Desktop Protocol (RDP)

The increasing attack incidences via Remote Desktop Protocol (RDP) have prompted the FBI to release an alert informing businesses to establish preventive measures. RDP, which is automatically enabled in all versions of Windows, is a network communication feature that allows software developers and network administrators to remotely support, troubleshoot, or manage other users’ or clients’ devices. Companies who outsource their IT teams or situated in multiple locations make use of RDP to access computers remotely, allowing for faster IT solutions implementation.

[Related: 2017’s notably abused system administration tools and protocols]

Since publishing a short informative piece in 2012 addressing the significance of MS12-020, exploited flaws involving Windows’ RDP have gone from being proofs-of-concept (POCs) to being a common entry point for cyberattacks. However, observations of blocked RDP attempts have shown that even personal devices are susceptible. Trend Micro detected more than 35 million brute force login attempts on home computers and personal devices in 2018, and attempts through RDP account for 85% of this number.

Attacks and Malware

Here are just some of the attacks via RDP abuse in recent years:

• Ransomware 

  SAMSAM attacks on the healthcare industry in 2016 exploited vulnerable servers and unpatched systems, allowing the ransomware to spread laterally within the network. The combination of SAMSAM and RDP-brute force as an additional entry point in 2018 infected thousands of machines in the healthcare sector before it was detected. Crysis ransomware was also detected later in 2016, targeting businesses in Australia and New Zealand by brute forcing RDP, just one among other means of distribution. But compared to the other techniques, Crysis via RDP was able to scan for other vulnerable network drives and shares, encrypting data and potentially allowing the attackers to inflict more damage through escalated privileges, including the healthcare sector in the US.
  
  [Related: Ransomware: Past, Present, and Future]

• Targeted Attacks 

  Targeted attacks come in various phases and may affect related entities such as the supply chain.  Motivations may go beyond the financial such as damaging the victim’s reputation, stealing intellectual property or propriety information, or endangering national security. One example is vtask.exe, a custom tool observed in a targeted attack that hides current session-running Windows tasks when Microsoft introduced RDP. The main window that runs in the attacker’s monitor allows them to search for sensitive information while the user of the targeted computer is not logged on. While created using an outdated Windows version, it can still disrupt current processes when port 3389 is abused.
  
  [Related: The custom defense against targeted attacks]

• Data Breaches, Server Hacking, and Credentials Harvesting

  RDP ports are popular commodities in the cybercriminal underground for launching attacks such as data breaches, server hacking, and credentials harvesting on corporate systems. Hacked servers’ information can be found being sold in deep web marketplaces such as xDedic, and business is thriving thanks to employees’ tendencies to use short and weak passwords, often recycled with other online accounts.

• Worms, Remote Access Trojans (RATs) and Exploits

  The Morto malware family continues to be one the most prevalent worms observed using RDP to propagate since 2011. Using a set of predefined credentials, attackers can use it to see which systems or networks can be remotely infiltrated once the .DLL payload is successfully executed.
  
  In 2017, MajikPOS combined a number of entry points and attack chains, including RDP for the breach and download of malware. Aside from combining point-of-sale (PoS) malware and Remote Access Trojans (RATs), one of its components could also scan for insecure ports directly connected to the internet, drop its payload, connect to the C&C server, and conduct its RAM scraping routine for the exfiltrated data.
  
  Credential Security Support Provider protocol (CredSSP) was discovered to have a critical vulnerability affecting RDP and Windows Remote Management (WinRM) that could be exploited to enable a man-in-the-middle attack (CVE-2018-0886). “EsteemAudit” is another example of an exploit leaked by the group Shadow Brokers, abusing the flaw found in Windows XP and Windows Server 2003 (CVE-2017-9073) for buffer overflow in the Smart Card authentication code for arbitrary code execution.
  
  [Related: Malware using exploits from Shadow Brokers leak reportedly in the wild]

Defending against RDP abuse

Here are some best practices that your organization can practice to prevent attacks via RDP abuse:

• Surface reduction

  • Close RDP port 3389 if not in use or after use to make sure non-authorized users and outsiders cannot easily have an entry point for attack. Disable shared drives access.
  • Restrict RDP network admin access to a specific list of authorized users. Depending on your version of Windows, you can configure this via the Control Panel Settings or a Group Policy.
  • If closing the port is not possible, limit the source addresses allowed to access the port using Firewall Access Control Lists (ACLs). Check the configurations to prevent unintentionally opening RDP ports.
  • If there is a need to directly connect the server to the internet, set up the Remote Desktop gateway (RD gateway) to enable a single point of entry instead of specific RDP ports for each server.

• Attack prevention

  • Apply a layered protection system such as a localized user experience specification as additional means of security, or enable 2FA if available.
  • Update patches for the RDP client and server sides to prevent vulnerabilities from being exploited, especially for legacy systems.
  • Limit the number of failed login attempts to keep unauthorized logins in check. This can be restored by the network admins manually or automatically reinstated after a determined amount of time.

• Attack monitoring
  

  • Admins should conduct or install a real-time monitoring mechanism of the network for intrusion detection. 

• Risk reduction

  • Practice the 3-2-1 system to back up your important files and online data assets: Create three backup copies in two different formats, with one of those storage drives not connected to the internet.