Remote access channels are one of the preferred attack vectors for criminals trying to obtain access to organizations’ internal networks. Recently, various vulnerabilities in enterprise VPNs were exploited in the wild during attack campaigns by malicious actors and nation-states.
Attacks on exposed remote desktop protocols (RDP) are no news either. Such attacks have been making headlines for several years now. The attack mechanism is grossly known and various exploits are published from time to time, making the exploitation easy.
The unprecedented surge in remote work due to the COVID-19 pandemic has led to an increase in RDP usage. As a side effect of the need to provide remote access quickly and at scale, many RDPs are being misconfigured and left exposed to the internet.
At the time of writing this article, Reposify’s external attack surface management platform has detected more than 4.7 million RDPs that are exposed to the internet and are at risk of potential attacks. On some days there was 127% increase in exposed RDPs.
When examining the organizations that own the IPs with exposed RDP endpoints, things become clearer. The vast majority of these organizations are well known cloud, virtual, or physical hosting providers where remote access to a Windows machine is a frequent necessity.
This is not surprising that most of the exposed RDPs are hosted in the cloud given the fact that IT teams have much less visibility when it comes to their cloud assets. Users from various departments within an organization are able to set up RDP instances in the cloud without IT teams’ awareness, something which is unlikely to happen in cases of RDPs in internal networks,where there are firewalls and stricter procedures.
A chronicle of a cyber-attack foretold
It all starts with a RDP which is left exposed to the internet (typically on port 3389). It can be easily detected by hackers using online port scanners in search for unsecured RDP services. Once found, attackers can pick and choose between buying stolen RDP login credentials on darknet marketplaces, leverage an abundance of login brute-forcing tools to crack it open or using known exploits from the wild such as BlueKeep and other vulnerabilities.
Once in, the damages that attackers can cause vary based on their goals but one thing is sure, they can easily gain access to the entire internal network of the target organization.
Microsoft recently published a blog about the PARINACOTA group, which is currently active and typically brute forces its way into servers that have Remote Desktop Protocol exposed to the internet affecting between three to four organizations every week with. Last year approximately 1.5 million exposed Remote Desktop Protocol servers were attacked by a botnet named GoldBrute which also used brute-force methods.
And the cost? a steep one. In 2018, Hancock Health hospital was forced to pay over $50K in ransom to regain access to critical data that was encrypted after the hospital server running RDP services was compromised and used as an entry point into the internal network.
A recent breach-briefing report published by Beazley Group indicates that poorly secured remote desktop protocols are one of the two most common attack vectors through which ransomware is deployed, the other one being phishing emails. This finding is not surprising given the long chain of ransomware discovered in recent years using RDP as the infection vector including SAMSAM, Dharma, Matrix, Bitpaymer, Ryuk, Crysis, Nemty and the newly discovered Nefilim which seems to also be spreading mostly thought exposed RDPs.
So when the risks are known and the stakes are high, how come so many RDPs are still left exposed to the internet?
There are many reasons which can lead to a RDP becoming exposed to the public internet. In some cases, it may become accessible deliberately as attackers manage to convince unwary users to enable the RDP so that “remote support” can be provided. A more common reason is simply due to the fact that teams fail to properly secure their RDP services against unauthorized access. Here are a few examples that represent the daily reality in the vast majority of organizations:
Firewall rules can be created to limit Remote Desktop access for specific IP addresses. However, a simple error in the firewall configuration process can result in a RDP port becoming exposed to the internet. Another example of a configuration step which is not recommended is disabling the network-level authentication. Disabling it can result in the exposure of a RDP login and the risk of becoming vulnerable to BlueKeep.
RDP provides a quick and simple way for employees to access their desktops. Since the IP addresses of remote users change very often, many times, no white-listing of authorized users is done. In some cases, it is not feasible for IT teams to keep manually updating these frequent changes in IP addresses, especially now when most, if not all the employees are connecting from home.
RDPs set up by employees without IT teams’ awareness are another source of unwanted exposure. If Lauren from finance just opened a Remote Desktop Protocol to set up a connection to her work endpoint, IT will most likely have no idea about it. If no GPO was configured then each and every employee could potentially do so.
6 steps for reducing the risks of an attack on RDPs
- Ensure RDPs are not accessible from the internet. Block external connections to your servers on port 3389 on your organization's firewall.
- Access to RDP should be available solely via a virtual private network (VPN) and not from the open internet. In addition, the VPN should be protected by multi-factor authentication and users should be encouraged to use complex passwords to reduce the chance of successful brute-force attacks.
- Apply IP geolocation blocking on your VPNs gateways. IP addresses white-listing, can be added for specific admin users that are allowed to connect via RDP.
- Enable Network Level Authentication (NLA).
- If possible, consider placing RDP servers behind a DMZ or other restricted area of the network and limit the number of services which can be reached within the internal network.
- Change GPOs to define shorter timeouts sessions and the maximum amount of time any single session can be active.
RDP is a useful tool, especially now when the demand for remote access is higher than ever before, but too many organizations are leaving RDP exposed to the internet, making it susceptible to exploitation by malicious actors. It is crucial for organizations to gain visibility into which RDP servers they have running across all environments and whether they comply with the security guidelines.
Want to make sure you have complete visibility of all your organization’s RDPs? Sign up for a free reposify account and get instant visibility into all internet facing assets which are currently exposed. Discover exposed RDPs, unpatched vulnerable VPNs, exposed QA & Dev environments and many more uknonw risks.
Sign Up for the ATTACK SURFACE DIGEST
Get fresh data on common exposure, related CVEs & the weekly patch. Pure insight, delivered to your Inbox!