In recent months, organizations across every sector have come to rely heavily on Remote Desktop Protocol (RDP) to maintain business continuity while respecting social distancing.
However, the rapid shift to remote working has also provided a unique opportunity for ransomware groups. Threat actors predicted that many organizations would not have the time or resources to securely implement RDP during the mass transition to working from home and, as a result, may be vulnerable to compromise.
They were right. The number of Internet-exposed RDP ports grew from approximately 3 million in January 2020 to more than 4.5 million in March, according to a McAfee report.
In this blog post, we will discuss why threat actors use RDP to deploy malware, how our solutions protect users against RDP brute-force attacks and best practices for mitigating RDP-based threats.
What is RDP?
RDP is a network communications protocol developed by Microsoft. Available for most Windows operating systems, it provides a graphical interface that enables users to connect remotely to a server or another computer. RDP transmits the display of the remote server to the client and the input of peripherals (such as keyboard and mouse) from the client to the remote server, effectively allowing users to control a remote computer as though they were operating it in person.
RDP is typically used in a business environment to allow end users to remotely access files and applications stored on the organization’s local network. Administrators also commonly use RDP to remotely diagnose and resolve technical problems with end users’ devices.
How attackers use RDP to deploy malware
RDP is generally regarded as a safe and secure tool when used within a private network. However, serious problems may arise when RDP ports are left open to the Internet because it allows anyone to attempt to connect to the remote server. If the connection is successful, the attacker gains access to the server and can do anything within the hacked account’s privilege limits.
This is not a new threat, but the global shift to remote working has underscored the fact that many organizations do not adequately secure RDP – and threat actors are taking advantage. At the start of March 2020, there were about 200,000 daily brute-force RDP attacks in the U.S., according to a Kaspersky report. By mid-April, this number had ballooned to almost 1.3 million. Today, RDP is regarded as the single biggest attack vector for ransomware.
RDP can be exploited in various ways. The incidents we have observed recently mostly rely on hacking Internet-exposed RDP systems. The process typically looks something like this:
- Scan for exposed RDP ports: The attacker uses free, simple-to-use port-scanning tools such as Shodan to scan the entire Internet for exposed RDP ports.
- Attempt to log in: The attacker tries to gain access to the system (typically as an administrator) using stolen credentials that can be purchased on the black market or, more commonly, brute-force tools that systematically attempt to log in using every possible character combination until the correct username and password are found.
- Disable security systems: Once the attacker has gained access to the target system, they focus on making the network as insecure as possible. Depending on the privileges of the compromised account, this might involve disabling antivirus software, deleting backups and changing configuration settings that are usually locked down.
- Deliver the payload: After security systems have been disabled and the network is suitably vulnerable, the payload is delivered. This might involve installing ransomware on the network, deploying keyloggers, using compromised machines to distribute spam, stealing sensitive data, or installing backdoors that can be used for future attacks.
How Emsisoft helps protect against RDP-based attacks
In July 2020, we introduced a new security feature to help protect our users against RDP-based attacks.
Our solutions for both home users and businesses now monitor the status of the RDP service in real-time. If multiple failed login attempts are detected, our software triggers an alert to administrators via Emsisoft Management Console, who can then decide whether to disable RDP on the affected device.
RDP service status can be viewed within the Emsisoft Management Console, allowing administrators to see at a glance if RDP is enabled on a particular device.
Best practices for securing RDP
RDP should always be disabled unless it is necessary. For organizations that require RDP, the following best practices may be useful for securing RDP against brute-force attacks.
- Use a VPN: As noted, serious security risks arise when RDP is open to the Internet. Instead, organizations should use a VPN to allow remote users to securely access the corporate network without exposing their systems to the entire Internet.
- Use strong passwords: Most RDP-based attacks rely on cracking weak credentials. As such, organizations must enforce the use of strong passwords on all RDP client and server terminals. Passwords should be long, unique and random.
- Use multi-factor authentication: Even the strongest passwords can be compromised. While not infallible, multi-factor authentication (MFA) offers an extra layer of protection by requiring users to provide at least two forms of authentication (such as a one-time code or a biometric check) to log in to an RDP session.
- Use a firewall to limit access: A firewall can be used to limit RDP access to a specific IP address or range of IP addresses.
- Use an RD gateway: An RD gateway server, a feature available on all versions of Windows Server since Windows Server 2008, is extremely useful for simplifying RDP deployment and security management.
- Block IPs that fail multiple login attempts: A high number of failed login attempts in a short period of time usually indicates a brute-force attack. Windows Account Policies can be used to define and limit the number of times a user can attempt to log in to RDP. Emsisoft protection software automatically alerts administrators when it detects multiple failed login attempts.
- Restrict remote access: While all administrators can use RDP by default, there’s a good chance that many of these users do not need remote access to do their job. Organizations should always abide by the principle of least privilege and restrict RDP access to only those who genuinely require it.
- Change the RDP listening port: Attackers typically identify potential targets by scanning the Internet for computers listening on the default RDP port (TCP 3389). While changing the listening port via the Windows Registry can help organizations “hide” vulnerable connections, it does not provide protection against RDP attacks and should, therefore, be used only as a supplementary technique.
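One way to implement the failed-login monitoring behind the "block IPs that fail multiple login attempts" practice (and to catch the log-in stage of the attack chain described earlier), as an added example that is not Emsisoft's code: it assumes Windows Security events 4625 (failed logon) and 4624 (successful logon) have already been parsed into dicts carrying a timestamp, source IP, logon type and username, and the sample records below are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, already parsed into dicts.
# 4625 = failed logon, 4624 = successful logon. Logon type 10 is
# RemoteInteractive (RDP); type 3 is how NLA-rejected RDP attempts appear;
# type 2 is a local console logon and is ignored here.
def _ev(time, src_ip, user, logon_type=10, event_id=4625):
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "src_ip": src_ip, "user": user}

SAMPLE_EVENTS = [
    _ev("2020-04-01T08:00:00", "203.0.113.7", "administrator"),
    _ev("2020-04-01T08:00:05", "203.0.113.7", "admin"),
    _ev("2020-04-01T08:00:09", "203.0.113.7", "administrator", logon_type=3),
    _ev("2020-04-01T08:00:14", "203.0.113.7", "user"),
    _ev("2020-04-01T08:00:20", "203.0.113.7", "administrator"),
    _ev("2020-04-01T08:00:25", "203.0.113.7", "backup"),
    _ev("2020-04-01T08:00:40", "203.0.113.7", "backup", event_id=4624),  # got in
    _ev("2020-04-01T08:10:00", "198.51.100.20", "jsmith"),  # mistyped password
    _ev("2020-04-01T08:30:00", "198.51.100.20", "jsmith"),
    _ev("2020-04-01T09:00:00", "127.0.0.1", "jsmith", logon_type=2),
]

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag each source IP with >= threshold failed RDP logons inside a sliding window."""
    recent = defaultdict(deque)   # src_ip -> failure timestamps inside window
    users = defaultdict(set)      # src_ip -> usernames tried
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in (3, 10):
            continue
        ts, ip = datetime.fromisoformat(ev["time"]), ev["src_ip"]
        if ev["event_id"] == 4624:          # success after a flagged burst = worst case
            if ip in flagged:
                flagged[ip]["success"] = True
            continue
        if ev["event_id"] != 4625:
            continue
        q = recent[ip]
        q.append(ts)
        users[ip].add(ev["user"])
        while ts - q[0] > window:           # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(ip, {"first": q[0].isoformat(), "success": False})
            entry["failures"] = max(entry.get("failures", 0), len(q))
            entry["users"] = sorted(users[ip])
    return flagged
```

A flagged source with `success` set to true is the case to escalate first: the burst was followed by a logon that worked. The two spaced-out failures from the legitimate user never reach the threshold, and the console logon is ignored because it is not an RDP logon type.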
The sudden transition to working from home has seen a surge in the number of Internet-exposed RDP servers – and cybercriminals are seeking to capitalize on the opportunity.
Taking a proactive approach to RDP security allows organizations to safely leverage the power of remote working while minimizing their exposure to RDP-based threats.