The RDP attack, from advanced solution to attack vector nightmare
When businesses shifted to remote work at the beginning of the coronavirus pandemic, they had the good fortune of being able to turn to an old solution to keep productivity high–the Remote Desktop Protocol (RDP).
Microsoft released the protocol in 1998, but it wasn’t until the pandemic that many businesses realized its usefulness. Naturally, the number of RDPs exposed to the internet and at risk of potential attacks grew roughly 35% to 4.7 million in the first quarter of 2020, with no signs of slowing down, according to data from Reposify, a specialist in external attack surface management.
Unfortunately, RDP has proved equally popular with cybercriminals. In the U.S, the average number of RDP brute force attack attempts increased seven-fold from around 200,000 per day in January 2020 to 1.4 million by April 2020, while such attacks were up between three-fold to four-fold globally, according to leading antivirus software provider Kaspersky.
What is RDP and how is it used by organizations?
Remote Desktop Protocol is a built-in protocol for Microsoft Windows that allows a user to connect to another computer over a network connection. The user runs RDP client software, while the other computer must run RDP server software. The RDP connection presents the graphical interface of the remote system on the user’s device, just as if it were being accessed locally.
Originally, RDP connections were used mostly for the purpose of providing remote technical assistance. However, as we have discussed, RDP has grown in popularity as a way of enabling people to remotely log into their own work computer. Once remote access to a device has been established, the user may use all the tools and applications installed on that device and copy, add, or remove content as they see fit. Aside from the physical distance, it is as if they are actually sitting in front of the original device.
There are numerous cloud-based remote access alternatives to the Remote Desktop Protocol, including SolarWinds Dameware, TeamViewer, AnyDesk, and Zoho Assist. Many organizations also use Virtual Private Networks, or VPNs, in place of the Remote Desktop Protocol. However, the convenience of having a built-in solution has caused many businesses to default to the Windows RDP–leaving them extremely vulnerable to attack.
RDP attacks growing and getting worse
Back in 2018, the FBI’s Internet Crime Complaint Center and the Department of Homeland Security published a joint alert on the threat of cybercriminals maliciously using remote administration tools, and they named the Remote Desktop Protocol as the main area of concern.
In their alert, the agencies noted that threat actors identify and exploit vulnerable RDP sessions to facilitate credential theft and ransomware infection. They pointed to four major vulnerabilities:
- Weak passwords;
- Outdated versions of RDP potentially using flawed CredSSP, the encryption mechanism, thus enabling a potential man-in-the-middle attack;
- Allowing unrestricted access to the default RDP port (TCP 3389); and
- Allowing unlimited login attempts to a user account.
Brute-force attackers generally operate where there is a large attack surface area. The rise in the number of RDPs exposed to the internet during the pandemic has given them an especially large surface area to target; hence the surge in attacks.
Amid the rise of remote work, some cybercriminals have even updated their malware for the express purpose of targeting Remote Desktop Protocol users. For example, the TrickBot trojan recently added a new module called rdpScanDll built especially for brute-forcing RDP accounts. TrickBot started out in 2016 as a credential-harvesting threat focused mostly on online banking. But according to cybersecurity software provider Bitdefender, the new rdpScanDll module brute-forces RDP for a specific list of targets defined and sent by the attackers, focusing mainly on telecom, education, and financial services in the United States and Hong Kong. The module looks like it’s still in development and may provide inspiration to other malicious actors looking to exploit RDP users.
How to protect your organization from RDP attack
Like most areas of cyber risk, it’s surprisingly simple to set up basic protection for your organization.
Here are 4 steps to get started with:
- Disable your RDP connection. If people in your organization need to remotely connect to their device, it’s preferable to set up a Remote Desktop Gateway (RDG). This ensures remote access is only available through a point-to-point remote desktop connection.
- Block port 3389. Malicious actors routinely scan the internet for open 3389s, the default RDP port. The port can be blocked with a firewall.
- Use strong passwords. Given that brute force is the most common way to hack into an RDP, always use complex passwords, especially on administrator accounts.
- Use multi-factor authentication. Even with strong passwords, login credentials can still be stolen. Multi-factor authentication adds an extra layer of protection and extra peace of mind.
- Always have backups. No organization is 100% immune from attack, whether through RDP or other means. So always have securely stored backups.
Understanding how to leverage remote desktop capabilities to your advantage as opposed to having it turned against you is the first step in addressing the RDP threat vector. As always, using a managed SOC (security operations center) gives you protection for all your critical infrastructure and rapid incident response to any attack–including RDP attacks.