One way organizations are enabling work-from-home during the COVID-19 pandemic is via Remote Desktop Protocol (RDP). RDP gives employees access to internal corporate resources remotely, like those sitting on Windows servers. This type of remote access also comes with huge exposures and vulnerabilities, giving rise to RDP attacks, especially those laced with ransomware.
This blog will walk through how RDP attacks play out in the cyber kill chain, reference recent research connecting RDP to ransomware attacks, and review mitigation techniques you can do to limit your exposure to and impact from these attacks.
RDP, yeah, you know me! Attacks are on the rise.
Remote Desktop Protocol ports are by design exposed on the Internet, mostly on port 3389. If you go to your start menu and type in remote you will probably see this, which is where you could connect to another server if they had RDP enabled.
This can be blocked via firewalls deployed through a GPO or layer it under admin VPN and MFA.
However, the rush to enable work-from-home during this pandemic left little time to add on the necessary security layers. A recent McAfee study found that RDP ports exposed on the Internet has skyrocketed from three million in January 2020 to four and a half million in March!1
Another survey by Atlas VPN found that RDP attacks have shot through the roof with over 148 million RDP attacks during lockdowns across the world.2
The anatomy of an RDP attack
Let’s take a look at the cyber kill chain, the steps cybercriminals take to attack a target, to identify how an RDP attack unfolds.
- Reconnaissance: First, the attackers scan for and identify RDP ports exposed on the Internet. Attackers will also look for those ports that have unpatched vulnerabilities, giving them a leg up in the exploitation phase.
- Intrusion: An actor uses password spraying, brute-force attack or a spear phishing attempt to gain entry. According to Atlas VPN survey, this type of attack seeking initial access increased across several pandemic lockdown countries (compared to pre-lockdown data): 428% in Italy, 237% in Germany, 170% in China, 524% in Spain, 316% in Russia, and 330% in the U.S. Attackers can also hijack legitimate Remote Desktop Protocol sessions.
- Exploitation: Once in, attackers can exploit very serious unpatched vulnerabilities, like CVE-2019-07083 which is wormable and allows for remote code execution (both highly desirable vulnerabilities for ransomware pirates). In this stage, bad actors will also deliver the payload like MAZE ransomware.4
- Privilege Escalation: In recent MAZE Ransomware incidents, investigators from FireEye have discovered that actors are using RDP attacks as a means to get in, gain a big foothold to infect more hosts and even exfiltrate data before activating the ransomware.4
- Lateral Movement: Piggy-backing on privilege escalation, criminals then gain more leverage by compromising additional systems with lateral movements made possible via RDP. Then they install Cobalt Strike BEACON payloads.4
- Obfuscation/Anti-forensics: What easier way to obfuscate your tracks than to encrypt everything, and for MAZE actors, this part is now happening AFTER the exfiltration of data (see below).
- Denial of Services: In line with obfuscation, running ransomware on an unpatched RDP server or machine with a wormable vulnerability can lead to a huge disruption of users and systems.
- Exfiltration: Part of the new approach of those using MAZE is to steal data before encrypting it (perhaps as a means to extort a payment – “pay up or the data goes public”).4 A plain old RDP attack for simple access will provide exfiltration possibilities too.
RDP attack mitigation techniques
Here are some suggestions for mitigating Remote Desktop Protocol Attacks as well as how to recover for those RDP ransomware attacks that are successful:
- Block RDP via a firewall deployed through a GPO. Going external to an internal network, typically a firewall would block this activity. Using a solution like GPOADmin can help configure and manage the GPO setting to lockdown RDP access;
- Layer RDP with VPN and multifactor authentication (MFA) so you are using RDP through an incoming server that is on that corporate network;
- Collect log information including remote logons;
- Lockout users with too many failed logon attempts (create these in GPO settings);
- Block source IPs in Windows Firewalls (automate this with In Trust, check out how in this blog)
- Reduce the number of local admins, make them unique and restrict the number of users who can logon using RDP;
- Implement a backup and disaster recovery plan for your files and your Active Directory (especially since many of these attacks target Windows Servers), Recovery Manager for Active Directory Disaster Recovery Edition can help here.
The last point is essential to having complete coverage. Sooner or later an attack will be successful, but putting in mitigation factors and having an insurance plan, like Active Directory Disaster Recovery, will limit the size and length of a successful attack.
Check out this Technical Brief that explains how today’s current work-from-home is increasing an organization’s Active Directory exposure to ransomware and other doomsday scenarios: With COVID-19, Active Directory is more vulnerable than ever. Be prepared with a doomsday disaster recovery plan.
Sources:
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cybercriminals-actively-exploiting-rdp-to-target-remote-organizations/
- https://atlasvpn.com/blog/rdp-attacks-surged-by-330-in-the-us-amid-pandemic/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html?fbclid=IwAR2z7aElnwauwqlhsuNwUzXjrCH5Bmqs0QBV1ainUdDHW4qPwy6PpVfbQe4