RDP Exploits and Ransomware: A Cyber Criminal's Favorite Attack Pathway (video interview, NetDiligence on Vimeo)
It's no secret that cybersecurity professionals are usually playing catch-up, closing digital vulnerabilities before would-be attackers find them. Ransomware remains one of the most effective and widespread attack methods; by one widely cited industry estimate, a business is targeted approximately every 11 seconds.
These attacks can lead to monetary extortion, data loss, service downtime, and destruction of hard-earned public trust.
Abuse of the Remote Desktop Protocol (RDP) as the entry point for ransomware has consistently been a favorite method of cybercriminals. To better understand the RDP threat pathway, its risks, and the security measures that counter it, we recently sat down with TracePoint CEO Chris Salsberry, a leading cyber incident response and forensics expert.
What Is RDP?
The Remote Desktop Protocol is a feature Microsoft has shipped with its operating systems since the late 1990s. It enables remote access to a PC or server and to all of the tools, files, and software installed on it. The intended use is for IT support personnel to remotely access machines to troubleshoot and resolve operability issues; RDP is also used by remote staff to reach internal networks and work environments.
The RDP server is built into Windows (clients exist for other platforms, but it is Windows machines that are controlled this way), and Remote Desktop must be explicitly enabled on the server or PC before it will accept connections. By remotely controlling a machine, a user can:
- Install programs
- Alter, delete, or extract data
- Activate or disable settings
- And more
While these capabilities are extremely useful in certain scenarios, they also make it possible for criminals to abuse exposed RDP services to take over machines and attack enterprise networks.
How Does a Cyber Criminal Exploit RDP Vulnerabilities?
As Mr. Salsberry explained during our discussion, if an unauthorized user gains access to a machine via an unsecured RDP port, it is equivalent to them now owning the machine—they are free to make any changes they like.
A threat actor can use various methods to find an unsecured RDP service left open on the public internet. Among the cybersecurity community as well as the hacker community, it is common knowledge that TCP port 3389 (and UDP 3389 on newer versions) is the default listening port for RDP, so the default port is the first place an attacker looks. However, as Mr. Salsberry pointed out, simply changing the default port offers little protection. Threat actors can scan the entire port range on each IP address, and RDP identifies itself by its connection handshake rather than by its port number, so a listener on an unusual port is found and probed just the same.
Once an exposed listener is identified, cybercriminals use brute-force and dictionary attacks against the logon to gain access to the machine and the network it is connected to.
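The handshake that gives RDP away regardless of port is the X.224 Connection Request / Connection Confirm exchange defined in MS-RDPBCGR. The following is an added example, not code from the article, from NetDiligence, or from TracePoint: it builds the client's request, decodes the server's answer, and classifies what the listener will accept. Offering only legacy RDP security in the request turns the probe into a configuration check, because a server that enforces Network Level Authentication must refuse with HYBRID_REQUIRED_BY_SERVER. The byte strings at the bottom are constructed for illustration, not captured from any real host, and the host and port passed to `probe()` are placeholders.

```python
import socket
import struct

# Field values from MS-RDPBCGR (X.224 Connection Request/Confirm and the RDP negotiation structures).
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
X224_CONNECTION_REQUEST, X224_CONNECTION_CONFIRM = 0xE0, 0xD0
FAILURE_CODES = {
    0x1: "SSL_REQUIRED_BY_SERVER",
    0x2: "SSL_NOT_ALLOWED_BY_SERVER",
    0x3: "SSL_CERT_NOT_ON_SERVER",
    0x4: "INCONSISTENT_FLAGS",
    0x5: "HYBRID_REQUIRED_BY_SERVER",
    0x6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP, cookie="mstshash=probe"):
    """TPKT header + X.224 CR TPDU + routing cookie + RDP_NEG_REQ, as a client sends it."""
    cookie_field = f"Cookie: {cookie}\r\n".encode("ascii") if cookie else b""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; all little-endian
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0x00, 8, requested_protocols)
    # CR TPDU fixed part: type/credit, dst-ref, src-ref, class option (big-endian per X.224)
    cr_body = struct.pack(">BHHB", X224_CONNECTION_REQUEST, 0, 0, 0) + cookie_field + neg_req
    x224 = bytes([len(cr_body)]) + cr_body            # length indicator excludes itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224   # TPKT: version 3, reserved, total length


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm; ValueError means the peer is not RDP."""
    if len(data) < 11 or data[0] != 0x03 or data[1] != 0x00:
        raise ValueError("no TPKT header: not an RDP listener")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data) or data[5] != X224_CONNECTION_CONFIRM:
        raise ValueError("not an X.224 Connection Confirm")
    result = {"selected_protocol": None, "failure": None}
    if len(data) == 11:
        # No negotiation structure at all: an old server that only speaks legacy RDP security.
        result["selected_protocol"] = PROTOCOL_RDP
        return result
    neg_type, _flags, length = struct.unpack("<BBH", data[11:15])
    if length != 8 or len(data) < 19:
        raise ValueError("malformed RDP negotiation structure")
    (value,) = struct.unpack("<I", data[15:19])
    if neg_type == TYPE_RDP_NEG_RSP:
        result["selected_protocol"] = value
    elif neg_type == TYPE_RDP_NEG_FAILURE:
        result["failure"] = FAILURE_CODES.get(value, f"unknown({value:#x})")
    else:
        raise ValueError(f"unexpected negotiation type {neg_type:#x}")
    return result


def classify(result):
    """Verdict for a confirm received in reply to a request that offered ONLY legacy RDP security."""
    if result["failure"] == "HYBRID_REQUIRED_BY_SERVER":
        return "nla-required"      # CredSSP before any session: no unauthenticated attack surface
    if result["failure"] in ("SSL_REQUIRED_BY_SERVER", "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"):
        return "tls-required"
    if result["failure"]:
        return "negotiation-failed"
    if result["selected_protocol"] == PROTOCOL_RDP:
        return "legacy-allowed"    # session created before logon; brute force and old RDP bugs apply
    return "other"


def probe(host, port, timeout=3.0):
    """Connect to any port and classify the listener; ValueError means 'not RDP'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        data = sock.recv(1024)
    return classify(parse_connection_confirm(data))


# Constructed responses (not captured from a real host) showing the answers a scanner sees.
NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")   # RDP_NEG_FAILURE, code 5
TLS_REQUIRED = bytes.fromhex("030000130ed000001234000300080001000000")   # RDP_NEG_FAILURE, code 1
LEGACY_ONLY = bytes.fromhex("0300000b06d00000123400")                    # bare confirm, no negotiation
NOT_RDP = b"HTTP/1.1 400 Bad Request\r\n\r\n"                           # something else on the port

if __name__ == "__main__":
    import sys
    # Example: python rdp_probe.py rdp.example.internal 3389   (hypothetical host)
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run against your own perimeter after a port change to confirm that the listener is still discoverable; a result of `legacy-allowed` or `tls-required` on an internet-facing address means an attacker can reach the logon without any prior authentication.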
Bad actors may attack a server on the enterprise local area network (LAN) directly, or they may compromise an employee's individual machine and pivot from it into the network. Once they have a foothold on the corporate network, attackers can push ransomware to any computer reachable from it.
Check out this article to learn how to respond to ransomware events.
How Have COVID-19 Work Scenarios Increased Risk?
The COVID-19 global health crisis has brought greater risk to the cybersecurity environment. According to Deloitte, 2.7 billion people around the world have been affected by government lockdowns, including the 63% of the American workforce now working from home. As organizations have quickly pivoted to remote operation, the network controls and security practices that protected office environments have been slower to keep up.
Many more workers are now using RDP to remotely access their in-office work environment from unsecured home networks, and cybercriminals are taking advantage of the larger attack surface. According to Info Security Magazine, incoming cyber threats have increased sixfold since the start of the pandemic. Meanwhile, in April of this year, RDP brute-force attacks rose to 100,000 attempts per day, up from 40,000 attempts during the same period last year.
In order to fend off this growing number of incoming threats, organizations need to take proactive security measures.
Safely Deploy Your RDP—Secure Your Work Environments
According to Mr. Salsberry, the best way to deny criminals unauthorized access to enterprise networks is to not leave RDP ports open on the public internet. The primary means to achieve this is a company-supplied virtual private network (VPN) through which all business systems, including RDP, are reached. Access through the VPN should be secured with multi-factor authentication, and the RDP logon itself should carry its own independent authentication step (at minimum Network Level Authentication, so the server authenticates the user before it creates a session).
To more proactively detect and prevent incoming threats, additional security measures include:
- Having a security incident management system (a SIEM or equivalent) that collects logs centrally
- Using a syslog-based monitoring solution to identify irregular logins, such as bursts of failed RDP logon attempts from a single source address
- Installing password-protected endpoint security software on devices
- Disabling Remote Desktop on machines that do not need it and blocking inbound port 3389 at the perimeter
- Updating and patching all software and operating systems
- Training employees on best cybersecurity practices
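The monitoring item above is where the brute-force numbers quoted earlier become actionable: on the RDP host, every failed attempt lands in the Windows Security log as event 4625 and every success as 4624, and a forwarder ships them to syslog or a SIEM. The following detector is an added example, not code from the article or from any product NetDiligence or TracePoint describe. It runs a sliding window over such records, raises one alert per source for a failure burst (labelled a password spray when many distinct usernames were tried), and raises a separate alert when a success follows a burst from the same source, which is the pattern of a guessed password. The events are constructed for illustration; the field names are an assumed normalised shape, not any particular forwarder's schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624
# Windows LogonType values an RDP attempt produces on the target host:
# 10 = RemoteInteractive (session created before logon, i.e. no NLA);
#  3 = Network, which is how failed NLA/CredSSP pre-authentication is recorded.
RDP_LOGON_TYPES = {3, 10}


def _burst(start, src_ip, users, count, step_seconds, event_id=FAILED_LOGON, logon_type=3):
    """Constructed events from one source, cycling through `users` (illustrative, not real data)."""
    return [{"ts": (start + timedelta(seconds=i * step_seconds)).isoformat(),
             "event_id": event_id, "logon_type": logon_type,
             "user": users[i % len(users)], "src_ip": src_ip} for i in range(count)]


T0 = datetime(2020, 4, 10, 2, 0, 0)
SAMPLE_EVENTS = (
    # one source hammering the built-in Administrator account, then getting in
    _burst(T0, "203.0.113.45", ["administrator"], 25, 3)
    + [dict(ts=(T0 + timedelta(seconds=80)).isoformat(), event_id=SUCCESSFUL_LOGON,
            logon_type=10, user="administrator", src_ip="203.0.113.45")]
    # a second source trying one password against many usernames (spraying)
    + _burst(T0 + timedelta(minutes=10), "198.51.100.9",
             ["admin", "backup", "scan", "helpdesk", "sql", "test",
              "guest", "it", "finance", "hr", "dev", "ops"], 12, 10)
    # an employee mistyping twice and then logging in: must not alert
    + _burst(T0 + timedelta(minutes=30), "10.20.0.7", ["jsmith"], 2, 15)
    + [dict(ts=(T0 + timedelta(minutes=30, seconds=40)).isoformat(), event_id=SUCCESSFUL_LOGON,
            logon_type=10, user="jsmith", src_ip="10.20.0.7")]
)


def detect_rdp_attacks(events, threshold=10, window=timedelta(minutes=5),
                       spray_ratio=0.5, success_after=3):
    """Sliding-window detector over normalised Windows logon events.

    One alert per source for a failure burst of `threshold` attempts inside `window`
    (password_spray when the share of distinct usernames reaches `spray_ratio`,
    otherwise brute_force), plus an alert whenever a successful logon follows
    `success_after` or more recent failures from the same source.
    """
    failures = defaultdict(deque)   # src_ip -> deque of (timestamp, username) inside the window
    burst_alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        src = ev["src_ip"]
        recent = failures[src]
        while recent and ts - recent[0][0] > window:     # drop attempts older than the window
            recent.popleft()
        if ev["event_id"] == FAILED_LOGON:
            recent.append((ts, ev["user"]))
            if len(recent) >= threshold and src not in burst_alerted:
                burst_alerted.add(src)
                distinct = len({u for _, u in recent})
                kind = "password_spray" if distinct / len(recent) >= spray_ratio else "brute_force"
                alerts.append({"kind": kind, "src_ip": src, "count": len(recent), "users": distinct,
                               "first": recent[0][0].isoformat(), "last": ev["ts"]})
        elif ev["event_id"] == SUCCESSFUL_LOGON:
            if len(recent) >= success_after:
                alerts.append({"kind": "success_after_failures", "src_ip": src,
                               "count": len(recent), "users": len({u for _, u in recent}),
                               "first": recent[0][0].isoformat(), "last": ev["ts"],
                               "user": ev["user"]})
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are starting points: a public-facing listener sees enough noise that `threshold` should be tuned per environment, but the `success_after_failures` alert is worth keeping strict, since a single genuine hit after a burst is exactly the moment the ransomware deployment described above begins.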
It's important to take a multi-layered approach to security, especially for weaknesses that may let cyber criminals remotely control machines and gain a foothold to attack enterprise networks.
To deny cyber criminals the opportunity to abuse exposed RDP services and distribute ransomware, use the following best practices:
- Only enable access to enterprise networks through multi-factor VPNs
- Require multi-factor authentication (and Network Level Authentication) for the RDP logon itself
- Install endpoint security on all devices used for work
- Train employees on basic cybersecurity practices
During times of increased risk, it’s all the more important to stay vigilant of incoming threats and protect business continuity. To learn more about bolstering your organization’s cybersecurity posture by having an incident response plan at the ready, contact NetDiligence today.