Microsoft's Remote Desktop Protocol (RDP) is used for remotely connecting to Windows systems. In an RDP attack, criminals look for unsecured RDP services to exploit and access enterprise networks. It’s frighteningly easy to do so because many organizations fail to secure RDP services against improper access.
Over the past year, RDP has become the top attack vector for ransomware. Threat actors have repeatedly exploited internet-exposed RDP services to install ransomware on systems and networks belonging to numerous major organizations. In July, the SamSam group infected some 7,000 Windows PCs and 1,900 servers at LabCorp with ransomware via a brute force attack on an RDP server. In another incident this year, Hancock Health was forced to pay over $50,000 in ransom to regain access to critical data that criminals had encrypted after breaking into its network via a hospital server running RDP services.
Attackers have also exploited RDP to install cryptomining tools, keyloggers, backdoors and other malware on enterprise systems. Many have used RDP services to establish a foothold on an enterprise network, elevate privileges, harvest credentials, move laterally inside a compromised environment and plant false flags for misdirection purposes.
"The payoff from a successful RDP attack is huge," says Rishi Bhargava, co-founder at Demisto, a provider of security automation and incident response technology. Even if pulling off an RDP attack can sometimes take a little effort, the range of devices that attackers can influence once they’ve accessed an RDP server is dangerously large, he says.
RDP: An easy target
Adversaries like targeting RDP because the protocol is easy to use and offers an opportunity for complete control of compromised systems. Importantly, it gives attackers access to a system via a protocol that is commonly used for legitimate purposes, so it becomes harder for defenders to detect malicious activity.
Microsoft's RDP gives users a way to connect to a remote Windows system from another computer running Windows. It provides remote display and input capabilities that allow individuals to access and work on a remote Windows system just as if they were actually sitting in front of the device. With RDP, for instance, you could use your home Windows PC to access your work computer and perform the same tasks on it that you would at work.
Organizations often enable remote access to devices so support staff can access them to troubleshoot issues and fix problems without needing to physically touch the systems. While the feature can be useful, many organizations fail to properly secure accounts that have access to Remote Desktop, for example by not requiring strong passwords, not enabling Network Level Authentication, and not limiting which users can log in via Remote Desktop.
"Many companies typically leave RDP enabled by default," says Joseph Carson, chief security scientist at Thycotic, a provider of privileged account management tools. Though the service often provides administrator level access to systems, the only security control protecting it is usually a simple password, he says.
Attackers using brute force methods and rainbow tables are often able to crack these passwords and thus gain full access to the system for stealing sensitive data, dropping malware, data poisoning and other malicious activities. "It is quite easy to find these systems online by scanning [for] internet connected devices that have RDP enabled," Carson says.
Attackers can also simply buy the passwords from other criminals who have previously cracked them. Numerous dark web marketplaces have sprung up in recent years that sell access to compromised RDP servers for as little as $3. Security vendors McAfee and Flashpoint reported on one such shop called Ultimate Anonymity Service (UAS), which sells passwords for accessing between 35,000 and 40,000 RDP servers worldwide, including those belonging to government, healthcare and other major organizations.
"There is a clear trend toward the automation of targeting RDP servers via brute forcing software and tools designed to allow large numbers of servers to be controlled simultaneously," says Luke Rodeheffer, senior analyst at Flashpoint. Access to the servers is then sold on cybercriminal marketplaces, searchable by the type of dedicated server and geolocation.
To mitigate your exposure to RDP-borne attacks, consider implementing the following measures, say Rodeheffer and others.
1. Use strong passwords
Always use strong usernames and passwords for RDP access. Long, secure passphrases are a particularly good idea, says Chet Wisniewski, principal research scientist at Sophos. Enable two-factor authentication, especially for administrative accounts, and always hide access behind a VPN.
"Never expose remote access tools directly on the internet," Wisniewski says. "While it is slightly less convenient, it isn't too much to ask of your administrative users to trade a small inconvenience—like a VPN—for the benefit of not driving into work at 3 a.m. when there is a problem."
Merely changing login credentials from the default “admin/administrator” can significantly slow down a brute force attack.
2. Implement role-based access restrictions
Organizations need to limit the number of users that have administrator access to RDP consoles. Also limit the privileges of the users that have such access. "Granular role-based access control will help minimize the damage that attackers can cause after gaining entry," Bhargava from Demisto says.
3. Enable Network Level Authentication (NLA) for RDP
Network Level Authentication offers an extra layer of protection. When it is enabled, a user attempting to connect to a remote system via RDP will need to authenticate their identity first before a session is established. "Do not disable Network Level Authentication as it offers an extra authentication level," Arntz says. "Enable it, if it wasn’t already."
4. Change the RDP port
Services like Shodan make it easy for attackers to find internet-exposed systems running RDP. Changing your RDP port ensures that port-scanners looking for open RDP ports will miss yours, says Pieter Arntz, lead intelligence reporter at Malwarebytes. "By default, the server listens on port 3389 for both TCP and UDP," he says.
At the same time, organizations should be aware that software targeting RDP servers these days is not just probing the default RDP port 3389 but non-standard ports as well, cautions Rodeheffer from Flashpoint. So it is vital to keep an eye out for brute-forcing activity targeting RDP ports in your network logs.
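The checks in items 2 through 4 can be audited from an elevated PowerShell session on the host itself. The following script is an added example and not part of the article; it reads the standard RDP-Tcp listener settings, turns on Network Level Authentication if it is off, reports the listening port, and lists who is in the local Remote Desktop Users group. It assumes the default listener name, RDP-Tcp.

```powershell
# Added example (not from the article): audit and enforce the RDP settings
# recommended above on a local Windows host. Run from an elevated PowerShell.
# Assumes the standard RDP-Tcp listener name; a host with additional listeners
# needs the same check for each WinStations subkey.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

$listener = Get-ItemProperty -Path $rdpKey
$ts       = Get-ItemProperty -Path $tsKey

# fDenyTSConnections = 1 means Remote Desktop is disabled entirely.
if ($ts.fDenyTSConnections -eq 1) {
    Write-Output 'Remote Desktop is disabled on this host; nothing to harden.'
    return
}

# Item 3: UserAuthentication = 1 requires Network Level Authentication, so the
# client must authenticate before a session (and a logon screen) is created.
if ($listener.UserAuthentication -ne 1) {
    Write-Warning 'NLA is OFF: setting UserAuthentication = 1'
    Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord
} else {
    Write-Output 'NLA is enabled.'
}

# Item 4: report the listening port. Changing PortNumber only takes effect after
# TermService restarts and needs a matching inbound firewall rule, so this script
# reports the value instead of silently changing it.
$port = $listener.PortNumber
if ($port -eq 3389) {
    Write-Warning 'RDP listens on the default port 3389; port scanners will find it.'
} else {
    Write-Output "RDP listens on non-default port $port."
}

# Item 2: list who may log on via Remote Desktop. Members of the local
# Administrators group are always permitted, so review that group as well.
Write-Output 'Members of the local Remote Desktop Users group:'
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object -ExpandProperty Name
```

Run it periodically or from configuration management so a listener that drifts back to the weak settings is caught rather than discovered during an incident.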
5. Keep track of your RDP servers
Know what systems in your environment have RDP enabled. Make sure there are no rogue or unsanctioned RDP servers on your network, especially anything that is directly connected to the internet. Consider enabling logging on your RDP servers and monitoring those logs so you know who is accessing them, says Jacob Sendowski, senior product manager at automated threat management provider Vectra.
Monitoring RDP network traffic for unusual access, unusual connections and session characteristics can help enable visibility into any misuse of your RDP services, Sendowski says.
6. Use an RDP gateway
RDP gateways are typically installed inside the corporate network. The function of a gateway is to securely relay traffic between a remote client and an internal device. It can help organizations ensure that only authorized users can use RDP and control the devices to which they have access. Using an RDP gateway can prevent or minimize unwanted remote user access and give organizations greater control over user roles, access privileges, and authentication requirements, Bhargava says.
RDP session logs from these systems can prove especially useful if something happens and you are trying to figure out what might have caused it. Because the logs are not on the compromised machine, attackers cannot modify them easily, Arntz adds.
7. Be prepared to respond to early symptoms
You need to have mechanisms for spotting an RDP attack and stopping it quickly. For example, consider implementing security tools that can spot repeated login attempts against an RDP system. Have an automated playbook for quickly verifying the user attempting to log in and their IP location, and a mechanism for shutting down access if malicious intent is detected, Bhargava notes.
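The repeated-login detection described in items 5 and 7 can be prototyped directly against the Windows Security log before any dedicated tooling is in place. The script below is an added example, not from the article: it pulls failed logon events (Event ID 4625), keeps the Remote Desktop logon types, and groups failures by source address. The threshold and time window are assumed values to tune for your environment.

```powershell
# Added example (not from the article): flag source addresses with repeated
# failed RDP logons in the local Security log. Event 4625 is a failed logon.
# LogonType 10 (RemoteInteractive) is what an RDP logon at the logon screen
# produces; with NLA enabled the failure happens at the CredSSP stage and is
# logged as LogonType 3 instead, so both are included here.
# $Threshold and $WindowMinutes are assumed starting points, not article values.
param(
    [int]$Threshold     = 10,
    [int]$WindowMinutes = 60
)

$logonTypes = @('10', '3')
$since = (Get-Date).AddMinutes(-$WindowMinutes)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$attempts = foreach ($e in $events) {
    # Read the named EventData fields from the XML instead of parsing the
    # message text, which is locale dependent.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($logonTypes -contains $data['LogonType']) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Source = $data['IpAddress']
            User   = $data['TargetUserName']
        }
    }
}

# Many failures from one address, especially across many distinct usernames,
# is the brute-force / password-spray pattern the article warns about.
$attempts | Group-Object Source | Where-Object Count -ge $Threshold |
    ForEach-Object {
        [pscustomobject]@{
            Source        = $_.Name
            Failures      = $_.Count
            DistinctUsers = ($_.Group.User | Sort-Object -Unique).Count
            FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Failures -Descending | Format-Table -AutoSize
```

Because LogonType 3 also covers non-RDP network logons such as file shares, confirm the flagged sources against the RDP port in your firewall or gateway logs before acting on them.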
"Organizations need to be aware that attackers will be targeting their RDP infrastructure, not only for opportunistic attacks like installing ransomware and cryptominers but also as a part of targeted attacks," Sendowski says. "RDP is a great tool for remote access, both for authorized employee use and for cyber-attackers."