Lisa had just stepped out for a lunch break. She typically worked from home a couple of days out of the week. Lucky for Starlord465, she never signed out of her RDP (Remote Desktop Protocol) session, so Starlord took over where she left off.
Windows Remote Desktop Protocol (RDP) allows your users to connect to a remote Windows system and use that system. For example, one of your RDP users could use their home PC to access their work PC. Your support staff can also use RDP to provide applications and files to employees, remotely troubleshoot, and administer Windows systems.
However, once a cybercriminal has a foothold on an RDP host, hijacking another user's disconnected session is a simple step compared to exploiting a vulnerability or stealing that user's password: a disconnected session stays alive on the host, and a process running with SYSTEM rights can attach to it with no password at all.
Cybercriminals can use RDP's services to elevate privileges, harvest credentials, move laterally to other computers in the same organization, install backdoors into your network, set up fake user accounts, and misdirect your organization's attempts at discovering malicious activity. In fact, RDP compromise is visible in 84% of security logs, but 87% of compromises take months to notice.
Starlord now operated as Lisa. Everything he did on the network looked like what Lisa was doing. Even administrators and cybersecurity workers could not tell the difference—and since Lisa’s company was a medium-sized company of 190 seats, Starlord’s actions would be even harder to distinguish.
He then set off to install the things that would give him control. Most importantly, he installed a ransomware package that he was configuring to encrypt the data storage server that all the workers used. All he had to do was click “go.”
Starlord had chosen Lisa’s company since it was a ‘big game ransomware’ target, a high-value proposition for his ransomware crew (Microsoft Digital Defense Report, September 2020).
But before he activated the ransomware package, he installed ‘banking Trojan’ malware that spread throughout the network automatically, harvested Lisa’s coworkers’ credentials, scraped email addresses to send out phishing emails, and downloaded additional malware (Center for Internet Security). This hack was a valuable one.
And it all started with RDP compromise.
Some of this exposure is built into the way RDP sessions work, not into any single bug.
The Four Steps: How the attack happens
The attack goes like this:
1. A user or an administrator uses RDP to connect to a remote computer and later closes the RDP window, or walks away from the desk, without signing out. Closing the client only disconnects the session; it stays alive on the remote computer, with the user's desktop, programs and privileges intact, until a reboot or a timeout policy ends it.
2. An attacker scans the target's internet-connected systems for RDP port 3389. Any host with an open RDP port is an entry point to the network. From there the threat actor can (a) social engineer or brute-force the user's access credentials, or (b) after gaining administrator rights on that host, resume the user's disconnected session and land on her unlocked desktop without her credentials.
The second method needs neither her password nor social engineering, and it works against a session the user (or administrator!) disconnected a few days earlier or left behind before a week of vacation (Parallels, CSO Online). Windows supplies the mechanism itself: a process running as SYSTEM can attach any disconnected session to another session with the built-in tscon utility, which is why the original password never comes into play.
3. With access to the user's computer, an attacker can scan the entire network and extend the intrusion. The compromised device can then send commands to other endpoints and networks; for example, attackers could use it to open new RDP connections to internal hosts, including ones listening on non-standard ports (Parallels).
4. The attacker moves deeper into the target's network by obtaining increased privileges and then moves laterally to another system holding the data or services he wants. Alternatively, he installs ransomware or other malware, such as crypto-mining tools, keyloggers, and backdoors. To a monitoring system or an administrator, the attacker's activity looks like that of the legitimate user whose session he holds (CSO Online).
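How step 2(b) shows up on the host, as an added example (this is not code from the original post; it also illustrates the logging and monitoring items in the prevention list below). Windows writes every RDP session logon (event 21), disconnect (24) and reconnect (25) to the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log, each with the account, session ID and client address. A session that is reconnected from a different client address, or by a different account, than the logon that created it is the signal to investigate. The tool that performs the switch, tscon.exe, also appears in Security event 4688 when process-creation auditing is enabled. The function and variable names below are this example's own, the sample records are constructed, and both logs need an elevated prompt to read.

```powershell
# Added example, not from the original post. Normalize LocalSessionManager events
# 21/24/25 into flat records so the same detection logic runs on live or sample data.
function Get-RdpSessionEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 24, 25
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The payload of these events sits under UserData/EventXML, not EventData.
        $u = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            User      = $u.User
            SessionId = [int]$u.SessionID
            Address   = $u.Address
        }
    }
}

# Report reconnects (25) whose client address or account differs from the
# logon (21) that created the same session ID. Ordinary reconnects from the
# same client by the same user are not reported.
function Find-RdpReconnectAnomaly {
    param([Parameter(Mandatory)][object[]]$Events)
    $origin = @{}   # SessionId -> the logon record that created the session
    foreach ($e in ($Events | Sort-Object Time)) {
        if ($e.Id -eq 21) {
            $origin[$e.SessionId] = $e
        }
        elseif ($e.Id -eq 25 -and $origin.ContainsKey($e.SessionId)) {
            $first = $origin[$e.SessionId]
            if ($first.Address -ne $e.Address -or $first.User -ne $e.User) {
                [pscustomobject]@{
                    Time             = $e.Time
                    SessionId        = $e.SessionId
                    OriginalUser     = $first.User
                    OriginalAddress  = $first.Address
                    ReconnectUser    = $e.User
                    ReconnectAddress = $e.Address
                }
            }
        }
    }
}

# Security 4688 (process creation) entries that launched tscon.exe. Requires
# "Audit Process Creation" and, for the command line, command-line auditing.
function Find-TsconUse {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $ev = $_
        $d = @{}
        foreach ($x in ([xml]$ev.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        if ($d['NewProcessName'] -like '*\tscon.exe') {
            [pscustomobject]@{ Time = $ev.TimeCreated; Account = $d['SubjectUserName']; CommandLine = $d['CommandLine'] }
        }
    }
}

# Constructed sample: Lisa's session 3 is created from one address, disconnected
# at lunch, then reconnected half an hour later from somewhere else. Bob's
# session 4 reconnects from the same address and is not reported.
$sample = @(
    [pscustomobject]@{ Time = Get-Date '2023-05-01 09:00'; Id = 21; User = 'CORP\lisa'; SessionId = 3; Address = '203.0.113.10' }
    [pscustomobject]@{ Time = Get-Date '2023-05-01 12:05'; Id = 24; User = 'CORP\lisa'; SessionId = 3; Address = '203.0.113.10' }
    [pscustomobject]@{ Time = Get-Date '2023-05-01 12:40'; Id = 25; User = 'CORP\lisa'; SessionId = 3; Address = '198.51.100.77' }
    [pscustomobject]@{ Time = Get-Date '2023-05-01 13:00'; Id = 21; User = 'CORP\bob';  SessionId = 4; Address = '203.0.113.22' }
    [pscustomobject]@{ Time = Get-Date '2023-05-01 13:30'; Id = 25; User = 'CORP\bob';  SessionId = 4; Address = '203.0.113.22' }
)
Find-RdpReconnectAnomaly -Events $sample | Format-Table -AutoSize

# Against a live host, last 7 days:
# Find-RdpReconnectAnomaly -Events (Get-RdpSessionEvents -Days 7) | Format-Table -AutoSize
# Find-TsconUse -Days 7 | Format-Table -AutoSize
```

The address comparison is deliberately strict: a user who disconnects at the office and reconnects from home will also be listed, so tune it against your own remote-access pattern (for example, treat reconnects from the VPN pool as expected) rather than dropping the check. Because an attacker with administrator rights on the host can clear these logs, run the queries against a central collector rather than only on the host.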
RDP's weaknesses are decades old because the abuse rides on its intended features rather than on a bug that a patch removes. In 2018, the FBI and DHS released a Public Service Announcement warning that "Cyber actors increasingly exploit the Remote Desktop Protocol to conduct malicious activity" (TechTarget).
Fast-forward to 2023: since the pandemic shift to remote work, large numbers of employees work from home and log in to corporate VPNs and application suites (ZDNet), so administrators and cybersecurity experts need to take this exposure seriously. In 2020 alone, ESET counted 29 billion RDP attack attempts, a 768% increase over the previous year (ESET).
Who’s been affected?
LabCorp had 7,000 Windows PCs and 1,900 servers compromised with ransomware after an attacker entered their network from RDP.
Hancock Health suffered from an RDP attack on a hospital server that ended with cybercriminals installing ransomware and asking for over $50,000 to decrypt the company’s data.
Other hospitals have also been ransomed through Remote Desktop Services (RDS) servers.
A visit to Shodan.io turns up roughly 2.5 million internet-exposed Remote Desktop servers, and more than 1 in 200 of them carries an installed backdoor that lets an attacker in with no login credentials at all. Organizations of any size are protected only if they follow basic cyber hygiene such as the precautions below.
Shodan.io also stores screenshots of hosts with port 3389 open, so anyone can view their login prompts and pick targets for brute-force logins.
How to prevent RDP compromise
Anti-phishing precautions help prevent the credential theft that often precedes an RDP compromise. But is there a way to stop an attacker from hijacking RDP sessions on your network? Because monitoring and forensic tools see a hijacked session as the legitimate user's activity, cybersecurity experts suggest the following prevention and detection techniques.
– Update and patch software that uses RDP.
Patching regularly and enabling Microsoft updates provides an additional layer of defense against attempted RDP attacks (ZDNet, Center for Internet Security).
– Use strong passwords and multi-factor authentication.
Make complex, unique passwords and MFA mandatory for your RDP users (Center for Internet Security, Parallels).
– Always use virtual private networking for user access.
Requiring a VPN before RDP is only a minor inconvenience for your team members when they want to access remote computers and services, and it keeps the RDP port off the internet entirely.
– Renaming the built-in administrator account from its default "Administrator" (or "admin") can slow down an attack (CSO Online).
– Implement granular role-based access control (RBAC), and limit the number and privileges of people with administrator access to RDP consoles (Parallels).
– Enable Network Level Authentication (NLA) for RDP at all times.
WARNING TECHIE STUFF: With NLA enabled, a client must authenticate before the server creates a session, so an unauthenticated connection never reaches the Windows logon screen (CSO Online). Only allow connections from clients that support NLA, and run RDP over transport layer security (TLS) (Parallels).
– Limit access to RDP by internet protocol (IP) address and port; change the default port for RDP (default 3389).
WARNING TECHIE STUFF: Since Shodan.io and other online port scanners make it easy to find internet-exposed RDP systems on port 3389, use another port number, keeping in mind that some malware targeting RDP servers scans non-standard ports as well. Administrators should also watch network logs for brute-force activity against the RDP port and drop any connection from an IP address that is not on the allow list (Parallels).
– Keep track of your RDP servers.
WARNING TECHIE STUFF: Rogue RDP servers are the bane of your IT staff, especially anything directly connected to the internet. RDP session activity is logged on the host itself (the Security log and the TerminalServices-LocalSessionManager operational log record logons, disconnects and reconnects with the client address), so administrators can reconstruct what happened to a machine from those logs. An attacker with administrator rights can clear them, however, so forward them to a central collector where they survive a compromise (CSO Online).
– Monitor RDP network traffic for unusual access, connections, and session characteristics. WARNING TECHIE STUFF: Monitor RDP utilization, such as logons from abnormal user IP locations, repeated login attempts against an RDP system, and a session being reconnected from a different client address than the one that created it.
– Enforce Group Policy.
WARNING TECHIE STUFF: Have your network administrators set Windows Group Policy to end disconnected RDP sessions after a short timeout and to disconnect idle sessions, so an abandoned session does not sit on the host waiting for someone to resume it. Implement a session lockout for RDP-enabled accounts. IT could resist this measure because it cuts off long-running remote administration tasks.
– Implement Microsoft Remote Desktop Gateway (RDG) or Azure Multi-Factor Authentication Server as a low-cost multi-factor authentication solution (CSO Online). WARNING TECHIE STUFF: Place RDP-enabled systems behind an RDG or a virtual private network (VPN) (Center for Internet Security). An RD Gateway tunnels the RDP session over TLS from the remote client to the internal device, so the RDP port itself is never exposed to the internet. Remember that a threat actor who already has a foothold inside the corporate network bypasses this perimeter control, so only authorized users should be able to use RDP, and only to the devices they are entitled to control (CSO Online, Center for Internet Security, Double Pulsar).
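Several of the items above (NLA and TLS, a non-default port with an IP allow list, and timeouts for disconnected and idle sessions) can be applied to a single host from an elevated PowerShell prompt. The script below is an added example, not code from the original post or from any vendor it cites. The port (3390) and the management subnet (10.10.20.0/24) are placeholder values; the registry paths and value names are the ones Windows reads, and the keys under HKLM:\SOFTWARE\Policies are what the matching Group Policy settings write, so on domain-joined hosts set the same values through Group Policy instead.

```powershell
# Added example, not from the original post: one-host RDP hardening.
# Run elevated, from the console or a non-RDP management channel: the service
# restart at the end drops every current RDP session, including your own.

$rdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsPol   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$newPort = 3390             # placeholder: pick your own non-default port
$allowed = '10.10.20.0/24'  # placeholder: management subnet or VPN pool

# 1. Require Network Level Authentication and TLS; reject legacy RDP security.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord   # 1 = NLA required
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord   # 2 = TLS only (0 = RDP, 1 = negotiate)
Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Value 3 -Type DWord   # 3 = High

# 2. Move the listener off 3389 and accept it only from the allow-listed range.
Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $newPort -Type DWord
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False               # built-in 3389 rules
New-NetFirewallRule -DisplayName "RDP custom port $newPort" -Direction Inbound `
    -Protocol TCP -LocalPort $newPort -RemoteAddress $allowed -Action Allow -Profile Domain, Private

# 3. Do not let disconnected sessions live forever; that is the hijack precondition.
if (-not (Test-Path $tsPol)) { New-Item -Path $tsPol -Force | Out-Null }
Set-ItemProperty -Path $tsPol -Name MaxDisconnectionTime -Value (15 * 60 * 1000) -Type DWord  # end disconnected sessions after 15 min
Set-ItemProperty -Path $tsPol -Name MaxIdleTime          -Value (60 * 60 * 1000) -Type DWord  # disconnect idle sessions after 60 min
Set-ItemProperty -Path $tsPol -Name fResetBroken         -Value 1 -Type DWord                   # 1 = end the session when a limit is hit, not just disconnect

# 4. Apply the port change and show the resulting settings.
Restart-Service TermService -Force
Get-ItemProperty -Path $rdpTcp | Select-Object UserAuthentication, SecurityLayer, MinEncryptionLevel, PortNumber
Get-ItemProperty -Path $tsPol  | Select-Object MaxDisconnectionTime, MaxIdleTime, fResetBroken
```

Before running step 2, confirm that the address you administer from falls inside the allow list, or the firewall change locks you out. The non-default port is a nuisance for scanners, not a security boundary; the allow list and NLA are what actually keep unauthenticated connections off the host, and MFA still has to come from an RD Gateway or a VPN in front of it.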
RDP Has Benefits That Your Workers And IT Guys Love
Despite its flaws, RDP has benefits that many organizations prefer not to do without:
– Users get a cheaper alternative to expensive software used to set up a working environment.
– Users can use the computing power of the remote system when running applications and save on hardware costs.
– Organizations can increase employee productivity by keeping them happy. With the switch to remote work, employees should have fewer barriers to doing their job, and a secure remote protocol lets them use and save work assets on company systems.
Conclusion: You Can Reduce Your Risk
If you want to secure your RDP sessions, keep in mind that cybercriminals are first looking for the low-hanging fruit for an attack. If you follow the basic steps above, you will make your organization less susceptible to basic attacks. You can implement most recommendations with little or no cost (Center for Internet Security). Also, be aware that RDP attacks can lead to other attacks, such as when threat actors use RDP compromise as part of a spearphishing attack (CSO Online).
But if you want the best protection, the cybersecurity community recommends you disable Remote Desktop Protocol in almost all cases (TechTarget).
A modern alternative to RDP
Do you want a modern alternative to Remote Desktop Protocol? You can go pro with Tech Kahunas’ secure remote access. You get always-on VPN, zero-trust network access, and complete visibility into your data when you’re using it, when it’s stored, and when you send it.
Contact us today for a free strategy session to see how you can Defend Your Island.