RDP Exploits on the Rise: Tips for Mitigating Your Exposure
Malicious actors continue to exploit Remote Desktop Protocol (RDP), a Microsoft Windows application widely used by businesses, to gain access to the target’s computer. This article, which follows on from a previous post, aims to look at some of the risks allowing RDP unchecked in your environment can create, along with some techniques that can help to mitigate the risk of it being used illegitimately by a malicious actor.
If you are not actively using RDP or any service, then we would always recommend disabling the service and closing any open ports which could be accessible as a result of the service.
Last month (May 2019), Microsoft issued security updates for a critical Remote Code Execution vulnerability in Remote Desktop Services. Successful exploitation of this vulnerability would allow an attacker to install programs; view, change, or delete data; or create new accounts with full user rights. As a testament to its potential for havoc, patches were extended to unsupported versions of Windows due to fears that exploitation could lead to a global computer virus outbreak, like 2017’s WannaCry worm.
What is RDP?
RDP or Remote Desktop Protocol is a tool which can be used to connect to another device either on the same network remotely or to allow for devices to connect into your network.
From an external perspective, RDP provides a tempting target for an attacker to gain access to a network, along with a ready-made vector to spread laterally through the network using Active Directory (AD) credentials used to access the original login.
Should external access to an RDS (Remote Desktop Server) be required for remote access, then other precautions should be taken such as Multi-Factor Authentication (MFA) on user accounts, only allow for RDP from inside the network, and provide staff Virtual Private Network (VPN) access to enable the user to join the internal network before loading an RDP session.
According to GreyNoise.io (which looks at the background noise of the internet to determine what types of attack are occurring and from where), their thousands of scanners from across the globe, and looking at shodan.io these scanners have a plethora of targets. So other than the designed use of connecting to a remote system, RDP can be used by an attacker to spy on users without their knowledge.
RDP Attack Methodologies
Malicious actors can gain higher permission levels with greater access to the network systems by attacking an employee connected to an infected computer inside the corporate network. The computer may have become infected with malware following the interaction with a phishing email (or alternative social engineering method), and the opening of a malicious payload attachment.
Weak passwords, old versions with inadequate encryption mechanisms, security flaws and misconfigurations, can leave RDP vulnerable to attacks, such as man-in-the-middle attacks; encryption attacks; transport layer security authentication; and denial-of-service (DNS).
Locating an open RDP gateway can either be done actively from an attacker using a port scanner such as NMAP, or by open source intelligence platforms which collect and share data such as Shodan or Censys. When we are looking at Shodan, we can see how many open RDP services are running on port 3389, and the approximate operating system which they are running.
Source – shodan.io.
So, if the above are potential targets it is possible to drill down to see individual targets.
This shows how easy it can be to gather intelligence on a target to attack, therefore, the next logical route is to see if this vector is being attacked. GreyNoise’s Visualizer reveals a snapshot of the magnitude of attacks throughout the world; the graphic below focuses purely on scanners targeting RDP.
Source – GreyNoise.
There are several ways in which scanners can be mitigated, such as a pre-authentication – VPN’s to remove RDP from external access. Once the user has logged in, then there are also mechanisms such as MFA challenges to ensure the user is legitimate. Alternatively, turning off RDP if it is not required.
This is where a third party can access an active RDP session, and to this date, it can be used on Microsoft 2016 and 2012. RDP shadow permissions can be inspected from the value applied to the Shadow key contained within Terminal Services (full path HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services) where the permissions are as follows:
- 0 – No remote control allowed
- 1 – Full control with users permission
- 2 – Full control without users permission
- 3 – View with users permission
- 4 – View without users permission
Full instructions can be found on popular blog, Windows OS Hub.
Using MSTCS executable with the /shadow option in conjunction with quser to locate sessions allows an attacker to query an open session and allow for a control session, with full compromise of the device. This is a perfect example of Living off the Land, where attackers will use tools that exist in a system.
Establishing a Security Baseline for Remote Desktop Protocol
Risk-based audits help organisations establish a security baseline. Organisations should begin by securing their RDP by restricting access using firewalls and by enabling Network Level Authentication. Then, by changing the listening port for Remote Desktop; and limiting users who can log in using Remote Desktop through role-based access controls, organisations can facilitate tracking network intrusions or dubious activities when auditing risk.
You can identify which systems have RDP enabled when it’s been used and who it’s been used by. In the majority of organisations, you’d only expect IT admins to use it for providing support and accessing servers.
Jeremy Hughes, Cyber Security Engineer at Secrutiny, expands: “I recommend enforcing policy and guidelines around RDP use as a business function. Once you have your internal users following this with clear cut policies the output from audits/alerting frameworks, like those we provide in our Cyber Risk Audit (CRA), can be interpreted correctly and compensating controls tightened to become increasingly effective.”
Auditing of exceptions should be made, either through risk-based auditing such as Secrutiny’s Cyber Risk Audit, or compensating controls. RDP tunnelling, if not picked up by AV, software firewall or hardware firewall policies, will be captured within a CRA as long as the historic evidence hasn’t been cleared – you would expect it to be blocked, or at the very least alerted to. CRAs should also pick up policy violations to do with any network segmentation in place, evidencing connections between clients where possible, and live augmentation of data should catch RDP activity of a normal user account if it has been taken over by a malicious actor through user behavioural analytics.
When it comes to detection techniques, fellow Cyber Security Engineer at Secrutiny, Wes Schinkel highlights that it’s “very easy” to find systems with RDP enabled; a quick port scan identifies systems and which version of the protocol they’re running (Google Nmap RDP).
Auditing also ensures compliance with legal and regulatory requirements, determines an organisation’s security posture, substantiates that internal controls are functioning as expected and effectively catching increased risk or susceptibility to attack and develops a strategic plan moving forward.
Organisations shouldn’t wait until a breach to conduct an audit; periodic checks initiate a security baseline against which organisations can assess progress and analyse their findings. At Secrutiny, nearly every client we have audited has RDP on by default and is always listening for an RDP signal, whether they have one, two or MFA enabled, unless the tool is needed, we recommend turning it off.
With the majority of IT breaches coming as a result of human error, an organisation’s network security policy should serve as the foundations of its cyber security. While established policies and standards provide guidelines to determine the level of risk within an organisation, alongside explanations of their security impact.
As stated in the introduction, RDP provided a ready-made attack surface which can be exploited to move laterally across the network an exfiltrate data, hence if you are not using it then turn it off. Otherwise, assess what setting is required for RDP and look into mitigation controls which can be put in place to restrict an attacker’s success should they compromise a domain account.
Furthermore, with breaches and vulnerabilities going undiscovered for days to years, the importance of detecting and preparing for the unknown through the implementation of anomaly detection alerts is clear to see. While establishing and maintaining a security baseline will be a continuous effort requiring the support of several departments, it will strengthen the organisation’s overall computer security and provide a secure starting point for an operating system.
Check Out Our Other Recent Posts >
Last month we had the opportunity to be a part of Securing the Law Firm 2019 with an Education Seminar centred around best-practice for constructing SOC-as-a-Service (SOCaaS), so you know you can get value; here’s the low-down.
Is Broadcom about to shake up the Symantec enterprise following its acquisition or does this kick start the end of the line for Symantec.
Secrutiny is hosting an intimate breakfast briefing for cyber security leaders in London on Thursday, 28th November. Join us to discover how, with a bit of extension and instrumentation, the ecosystem of controls that you already have can form the basis of an evidential, prioritised cyber risk management programme. Learn more and register…