The Remote Desktop Protocol (RDP) is one of the most popular communication protocols for remotely controlling systems. RDP comes with all current Windows operating systems, and its graphical user interface makes it an easy-to-use remote access tool. In addition, Microsoft positions it as the default method to manage Azure virtual machines running Windows.
 
It didn’t take long before attackers realized this is a golden egg. Instead of attempting to abuse a vulnerability with no guaranteed success, they realized it’s far more efficient to use the remote access tools there for the taking. They just need to obtain the correct credentials to gain access. As it happens, according to a recent X-Force report, stolen credentials to access these systems are part of a lucrative market on the dark web.
 
These directly exposed servers are not the only systems where attackers use (or rather abuse) RDP. One of their objectives is to blend in with regular traffic. Because RDP is such a popular protocol, attackers use it to move to other systems once they gained access.

What Is RDP and Who Uses It?

Before we jump to RDP risks and defenses, it’s good to know how it works. RDP is a two-way communication protocol. It can:
  • Transfer the screen output of the server to the client
  • Transfer the keyboard and mouse input from the client to the server.
This process is asymmetric. While most of the data comes from the server to the client, the client transfers little data back. The client and the server have to go through a number of phases before setting up communication. After a client starts the connection, it agrees with the server on usage settings (for example, screen resolution), supported capabilities and license information. They then agree on the type of RDP security, choosing from two supported modes:
  • Standard, based on RC4
  • Enhanced, where RDP relies on other protocols such as TLS or CredSSP.

Finally, they have to agree on the number of channels required. Channels are individual data streams, each with their own ID, that make up the remote desktop protocol. Such channels can redirect access to the file system or enable clipboard sharing between client and server.

Vulnerabilities in RDP: BlueKeep

Researchers in 2019 found a crucial vulnerability, dubbed BlueKeep, in this concept of channels. Exploiting the vulnerability (CVE-2019-0708) leads to the remote execution of random code, without any user doing anything. On top of that, it did not require valid credentials. These facts combined could have led to a worm, malware that can propagate itself between vulnerable systems. We witnessed something like this earlier with the WannaCry malware.

To exploit the vulnerability, the client had to request a specific channel name, MS_T120, and then bind it to a channel ID other than 31.

What’s notable about BlueKeep is it attached itself to older Windows systems. This forced Microsoft to take the odd step of making new patches for systems it no longer supported.

Other Luring Vulnerabilities

In August 2019, researchers announced DejaBlue. DejaBlue is not one vulnerability but a list of flaws that, similar to BlueKeep, allow attackers to hijack vulnerable systems without any form of authentication. Unlike BlueKeep, the vulnerabilities of DejaBlue were located in more recent versions of Windows.

Sometimes, attackers do not need to abuse vulnerabilities. They can simply abuse misconfigurations. Some of the common pitfalls with RDP security include:

  • Weak user sign-in credentials
  • Servers where you’re not logging or monitoring RDP logins. These systems allow attackers to attempt brute-force or password spraying attacks at will.
  • Publicly exposed systems without any network filtering.

APT Groups Using RDP

We can also look at MITRE ATT&CK to understand the interest of attackers in RDP and how it is used in their operations.

  • Groups such as APT41, FIN6 and FIN7 use RDP to move laterally
  • Groups such as FLIPSIDE use RDP to exfiltrate information. Ngrok, for example, is a legitimate reverse proxy that can tunnel traffic in RDP to exfiltrate victim data.
  • The WannaCry malware could execute malware in existing remote desktop sessions. This ‘stealing‘ of a session is commonly referred to as RDP hijacking. 

Countermeasures

Despite these risks and the interest of attackers, RDP still has a lot of value to offer. There are a number of key elements to consider to protect remote desktop servers.

Patch management is a dead give-away. Keeping your systems up-to-date is always good advice, especially for crucial remote access services.

In most cases, you don’t need to expose RDP to the whole world. You can use a firewall, IP restrictions, limit access via a VPN or use just-in-time-access. The latter greatly reduces the risk and still lets you access the service when you need it.

Ensure that you do not use easy-to-guess passwords for RDP-enabled accounts. Don’t allow remote access to all system users if they don’t need it. In addition, it makes sense to implement some form of automatic account lock-out, preventing attackers from guessing the password via brute-forcing.

You may also want to enable Network Level Authentication or NLA, a mitigation measure to prevent unwanted access to the RDP tunnel.

Monitoring and Forensic Artifacts

Regardless of how secure you make the RDP setup, there will always be a time when attackers attempt to abuse it. That’s when you should rely on logging and monitoring to analyze what is going on. Some of the important sources of forensic artifacts for RDP include:

  • The commands quser, qwinsta and qprocess that give information on RDP users, sessions and processes
  • Microsoft-Windows-Terminal-Services-RemoteConnectionManager and Windows-TerminalServices-LocalSessionManager inform you on client network connections and the start and stop of RDP sessions
  • And finally, Microsoft-Windows-Security-Auditing includes the events for successful or failed authentication attempts.

Manage RDP Risks for Safe Use 

Although there are risks that come with RDP and high interest from attackers in remote access tools, it doesn’t mean you cannot deploy them in a safe and controlled manner. If you take into account the preventive measures and set up sufficient logging and monitoring, you should be good to go.

More from Incident Response

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today