Ransomware’s Favorite Access Point - Remote Desktop Protocol (RDP)
This is a guest post from Coveware on the security risks of ransomware, RDP breaches and brute-force attacks.
Ransomware has made steady headlines in 2018, most notably in the attack on the City of Atlanta. Some of the most devastating attacks come from variants such as Dharma and SamSam, which are not sprayed out by mass e-mail but installed interactively by an attacker who has first compromised a company's exposed Remote Desktop Protocol (RDP) service.
These RDP endpoints are either weakly secured or not secured at all, and are easily taken over by brute-force password guessing, after which the attacker can place ransomware wherever they choose within the target's systems. Given the high proportion of ransomware attacks that begin with compromised RDP access, raising awareness of this exposure is critical.
In Q3 of 2018, Coveware estimated that over 80 percent of the cases it handled started with an RDP breach. In this post, we will look more closely at aspects of RDP that make it such an effective attack vector and how organizations should approach its security.
The History of RDP
RDP dates back to the late 1990s, when Microsoft shipped it with Windows NT 4.0 Terminal Server Edition. It let IT service providers work on any system within a network from their own location, which at the time dramatically lowered the cost and complexity of troubleshooting support issues. It also gave a generation of managed service providers a tool to avoid costly on-site client visits, and let the industry scale the services it offered.
Like most conveniences, however, RDP has its weaknesses, and the most serious is that it creates a new vector for attack. An attacker who logs in over RDP with valid credentials looks, to the endpoint, like any other interactive user: no malicious file has to be delivered to gain the foothold, so file-based endpoint protection is sidestepped, and from that session it is much easier to spread between endpoints, partitioned networks and backup systems.
Attackers typically gain RDP access in one of a few ways:
- Scanning for exposed RDP ports, or finding them through search engines like Shodan that index Internet-wide scan results, and then brute-forcing logins until a valid credential is found.
- Purchasing credentials that someone else has already brute-forced on marketplaces like XDedic.
- Phishing an employee to gain control of their machine, then using that foothold to brute-force RDP logins from inside the network.
There are tens of thousands of corporate RDP credentials available for sale for as little as $3 on dark web marketplaces. The wide availability of hacked RDP credentials is low-hanging fruit for cyber criminals looking to launch ransomware attacks.
While plenty of large organizations continue to leave this vector unsecured, smaller companies are equally complacent. Most assume they are too small to be targeted, and don't appreciate that Internet-wide scanning finds an exposed RDP port regardless of who owns it. Many also lack the resources, people or knowledge to properly secure access.
Another important point is that even in the absence of malware, ransomware or evidence of exfiltrated data, the presence of RDP credentials to a company’s network on a dark market is evidence of a prior breach.
If ransomware like Dharma or SamSam strikes, it's likely the second of two breaches that occurred, with the first being the compromise of RDP access credentials that were subsequently sold to the attacker. Under certain regulatory frameworks, both of these breaches would be reportable events.
The Attack Vector
The public exposure and lateral reach enabled by RDP allow ransomware to spread from a single foothold across individual machines, servers and backup systems.
After gaining initial access, an attacker can also elevate the privileges of a compromised account so that it is permitted to open RDP sessions and to run applications on other hosts. With an interactive session and a command prompt on a target system, the attacker can download and execute the ransomware directly.
In order to secure RDP, companies should consider a combination of preventative, reactive and recovery-focused measures:
- Two-factor authentication (2FA): The vast majority of corporate ransomware attacks could be thwarted by requiring a second factor on remote sessions and on every remotely accessible account, since a guessed or purchased password alone would no longer be enough to log in.
- Limit access: Put RDP behind a firewall, require a VPN to reach it, and/or allow connections only from a short whitelist of IP ranges. Changing the default port (3389) cuts down noise from the crudest scanners but is not a security control on its own, because scanners fingerprint RDP by its handshake rather than by port number; the VPN and the IP whitelist are what actually remove the exposure.
- Endpoint & alternative solutions: Today's endpoint solutions can detect anomalies in network behaviour, such as an in-office workstation initiating an RDP session to another host, and stop them before damage is done. Several newer products also offer remote-access alternatives that are more secure than exposing RDP directly.
- Disaster Recovery (DR) & Incident Response (IR): Should RDP access be compromised, it is critical that the company's DR and IR plans are written down and up to date. Backups should hold current copies of all data, kept on-premises, in the cloud and on systems separated from the corporate network, so that an attacker with an RDP foothold cannot reach and encrypt them as well. Keeping an IR firm on retainer minimizes cost and time to recover in the event of a breach.
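The two patterns the post describes, a burst of failed RDP logins that ends in a success (the brute-force path under "Attackers can breach RDP") and an ordinary in-office workstation opening RDP sessions (the anomaly named in the endpoint item above), can both be flagged from Windows Security event records. The script below is an added example written for this page, not Coveware's code or tooling. It uses the real Windows event IDs 4625 (failed logon) and 4624 (successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP); the flattened one-line-per-event export format, the sample events, the thresholds, the 10.0.0.0/8 internal range and the "approved jump host" address are all assumptions constructed for the example.

```python
"""Flag RDP brute force and unexpected internal RDP logons from Windows Security events.

Added example, not code from the original post. Parses a constructed, flattened
export of event 4625 (failed logon) and 4624 (successful logon) records and looks
only at LogonType 10 (RemoteInteractive, i.e. RDP). Field names mirror the Windows
event fields; the export format, thresholds and network ranges are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

RDP_LOGON_TYPE = "10"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def constructed_sample() -> str:
    """Constructed sample log: a 12-attempt burst against FS01 from an Internet
    address that ends in a success, then two internal RDP logons, one from an
    approved jump host and one from an ordinary workstation."""
    t0 = datetime(2018, 9, 3, 2, 14, 1)
    lines = [
        f"{(t0 + timedelta(seconds=3 * i)).strftime(TS_FMT)} EventID=4625 LogonType=10 "
        "TargetUser=administrator IpAddress=203.0.113.45 Workstation=FS01"
        for i in range(12)
    ]
    lines += [
        f"{(t0 + timedelta(seconds=40)).strftime(TS_FMT)} EventID=4624 LogonType=10 "
        "TargetUser=administrator IpAddress=203.0.113.45 Workstation=FS01",
        "2018-09-03T09:05:00Z EventID=4624 LogonType=10 TargetUser=helpdesk "
        "IpAddress=10.0.1.10 Workstation=FS01",
        "2018-09-03T09:30:00Z EventID=4624 LogonType=10 TargetUser=jsmith "
        "IpAddress=10.0.5.23 Workstation=BACKUP01",
    ]
    return "\n".join(lines)


def parse_events(text: str) -> list:
    """Parse '<timestamp> key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.strptime(ts, TS_FMT)
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def find_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """Return (source_ip, target_host, failures, compromised) for every source that
    produced >= threshold failed RDP logons inside `window`. `compromised` is True
    when the same source then logged in successfully within `window` of its last
    failure, which is the 'brute-force until credentials are compromised' pattern."""
    rdp = [e for e in events if e.get("LogonType") == RDP_LOGON_TYPE]
    by_source = defaultdict(list)
    for e in rdp:
        by_source[(e["IpAddress"], e["Workstation"])].append(e)
    findings = []
    for (ip, host), evs in by_source.items():
        fails = [e["time"] for e in evs if e["EventID"] == "4625"]
        successes = [e["time"] for e in evs if e["EventID"] == "4624"]
        best, last_fail = 0, None
        for i, start in enumerate(fails):  # sliding window over the failures
            in_window = [t for t in fails[i:] if t - start <= window]
            if len(in_window) > best:
                best, last_fail = len(in_window), in_window[-1]
        if best >= threshold:
            compromised = any(last_fail <= s <= last_fail + window for s in successes)
            findings.append((ip, host, best, compromised))
    return findings


def find_internal_rdp(events, internal=ipaddress.ip_network("10.0.0.0/8"),
                      jump_hosts=frozenset({"10.0.1.10"})):
    """Return (source_ip, target_host, user) for successful RDP logons whose source
    is an internal address other than an approved jump host: an ordinary
    workstation opening RDP sessions is the lateral-movement anomaly described."""
    hits = []
    for e in events:
        if e["EventID"] != "4624" or e.get("LogonType") != RDP_LOGON_TYPE:
            continue
        src = e["IpAddress"]
        if ipaddress.ip_address(src) in internal and src not in jump_hosts:
            hits.append((src, e["Workstation"], e["TargetUser"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(constructed_sample())
    for ip, host, n, owned in find_brute_force(evs):
        print(f"brute force from {ip} against {host}: {n} failures, "
              f"{'followed by a successful logon' if owned else 'no success yet'}")
    for src, host, user in find_internal_rdp(evs):
        print(f"internal RDP to {host} from non-jump host {src} as {user}")
```

The brute-force check keys on source address and target host rather than on the username, because password sprays rotate accounts; the "compromised" flag is what should page someone, since a success after a burst of failures means the credential is now in the attacker's hands and, as the post notes, probably already for sale. The internal-RDP check is deliberately simple and assumes a documented set of hosts that are allowed to initiate RDP; in a real estate that list comes from the jump-host inventory, not a constant.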
The risks created by exposed RDP are immense and can have disastrous outcomes if not managed. Every organization, large and small, should prioritize securing its RDP access to avoid ransomware infection, a data breach or compromise, loss of data and more.
The Coveware Community combats ransomware by enabling managed service providers (MSPs) to offer proactive solutions to new and existing clients, and was recently named by CRN as a 2018 Emerging Vendor in Security.