Enterprises have been experimenting with work from home policies for years. Unfortunately, that experiment suddenly became the default this spring as local and state governments across the U.S. issued “stay at home” orders, leaving tens of millions of employees working from home for the first time.
According to the CSO Pandemic Impact Survey, the number of employees working at least 60 percent of the time from home has increased five-fold since the institution of social and work restrictions. Overnight, organizations faced the urgent need to provide employees secure and reliable access to sensitive company resources, often via personal devices and over home Wi-Fi networks.
What’s worse: open RDP or close up shop?
The need to maintain business operations required some IT teams to open up remote desktop protocol (RDP) to quickly provide employees at home access to their computers in the office. In March, Shodan reported significant growth in RDP exposed to the Internet.
While virtual desktops that use RDP represent a lifeline to the office, they also present a new attack vector. Recently, Kaspersky observed a surge in RDP brute force attacks across the globe as hackers took advantage of new workloads, vulnerable VPN connections, and misconfigurations that left the gates to the network open.
Remote Desktop is an attractive target for attackers because it’s common in enterprise environments, provides remote access to a Windows device, and leaves credentials exposed in memory. Once a bad actor gains access to a device, it can be used for a variety of malicious activities capable of compromising not only that device, but devices and data across the entire network. What’s more, RDP is frequently used for administrative purposes, and administrators are likely to have access to a wide array of privileged systems.
For attackers, successfully compromising RDP can save a lot of time, giving them a level of access that makes it easier to rapidly infiltrate the network, move laterally within it, and continue to escalate privileges to gain further access. While RDP can help keep employees connected and businesses running, its vulnerabilities can lead to the exposure of customer data or dangerous and costly leaks that could shake brand confidence.
RDP is risky business
Below are some of the most prevalent malicious RDP activities and the associated risks that IT teams should be aware of when enabling RDP access.
Exploit: Brute force attacks on RDP are low-cost and easy to perform. Using tools like Ncrack or Hydra, an attacker can implement a brute force attack on RDP accounts to discover weak passwords or valid login credentials. Even though this type of brute force attack is noisy, it can be highly effective due to the prevalence of weak and repurposed passwords. An attacker could also perform a scan to find and exploit known vulnerabilities. With valid credentials, an attacker holds the key to opening multiple RDP sessions from a single device in order to gain control of numerous devices on the network.
One of the most famous examples of RDP exploits is that of BlueKeep (CVE-2019-0708), a well-known vulnerability in Microsoft’s RDP implementation. BlueKeep allows an unauthenticated attacker to remotely run arbitrary code on an RDP server to grant administrator access to a network-accessible Windows system—all without user credentials. An attacker could then tamper with data or automate the process by installing malware to propagate to other Windows devices. RDP is commonly enabled on devices, which increases the likelihood that this threat will have a significant effect or even grind business services to a halt.
Exfiltration: After gaining access to a device with a poorly secured RDP, an attacker can easily transfer data. Unusual data transfers might signal suspicious activity such as sharing malicious files between compromised devices or data staging (the process of collecting and preparing data for exfiltration). If important, proprietary, or customer data is leaked, the consequences can be devastating.
Command & Control: With Command and Control techniques, attackers can use RDP to gain access to a network. This typically occurs when devices outside of the network attempt or make connections with in-network Windows devices using compromised credentials. If the RDP connection is not authenticated, or if the attacker connects to a device with limited privileges, the impact to a business can be low. However, these activities should be examined before they facilitate critical and costly attacks.
Reconnaissance: Before adversaries can execute an attack, they have to find a weak spot they can use to access the network and gain a foothold. While this type of reconnaissance does not negatively affect network performance, attack tools make it easy to discover devices with active Remote Desktop sessions, helping an attacker pinpoint a number of Windows devices to target.
Minimize the risks of a necessary evil
The reality is that RDP is a convenient attack vector, particularly now that more employees use VPNs and virtual desktops to access corporate resources. There are practical steps IT teams can take to mitigate the risks that can make a vital difference between an attempted intrusion and a major breach.
First, practice good hygiene. Disable remote desktop services unless required and install relevant patches for any affected devices as quickly as possible. Be sure to track in real time which devices are active and connected so no devices are inadvertently missed. Review access controls to ensure that only approved users can connect to remote access services.
Next, put up roadblocks. Run the RDP connection through a VPN or remote desktop gateway where login attempts will undergo more scrutiny. Enforce strong passphrase rules and enable two-factor authentication on all RDP and VPN traffic. Do everything possible to prevent lateral movement if a bad actor does get inside. Implement micro-segmentation by adding secure zones based on the zero-trust security model, and partition network traffic with endpoint firewalls, virtual software-defined networks, or physical networks.
Finally, IT teams should only enable RDP access temporarily and should not consider it a long-term fix for remote access. Instead, organizations may want to evaluate alternatives such as distributing company-issued laptops or Desktop-as-a-Service (DaaS) solutions.
As the world adjusts to large-scale remote work, RDP enables agility when it’s absolutely necessary. However, with cybercriminals and APTs actively seeking to exploit the opportunity, IT teams must be fully aware of and work to mitigate the serious risks that the protocol introduces to the business.