Threat actors put various cloud “tools” — resources like account information and application access — for sale on dark web markets that provide access for conducting follow-up attacks. But none of those utilities compare in popularity to Remote Desktop Protocol (RDP) accounts. They represent more than 70% of cloud resources available for sale on underground web marketplaces, according to a recent analysis. As such, RDP accounts are more pervasive on the dark web than regular cloud accounts.
These findings raise the following questions: How did we get here? What’s at stake for those at risk?
2020’s Remote Work Shift Created an Opening
Many companies opted to transition their employees to a work-from-home model during 2020. Their interest in RDP grew in the process. Arctic Wolf observed that IT and security teams’ interest in using RDP to manage employees’ remote laptops increased 62% between March and April of 2020, for instance. RDP gave that personnel a way to troubleshoot and provide device support in spite of having rapidly shifted to a new model of work. In the process, the technology helped countless companies continue to drive their business priorities forward.
The problem is that there are multiple security issues with RDP. In 2020, internet-connected device search engine Shodan noted that the number of devices exposing RDP to the web had grown between February and March of that year. That’s not the first time exposed RDP instances grew. They followed this same behavior after Microsoft published its bulletin on BlueKeep (CVE-2019-0708), an RDP vulnerability that requires no user interaction and occurs prior to authentication, back in May 2019. It was several months later when Bleeping Computer wrote that digital attackers were using BlueKeep to infect vulnerable Windows machines with Monero cryptominers. That said, the opposite occurred in August 2019 after a series of RDP issues collectively known as “DejaBlue” made the news.
As of November 2020, 245,000 Windows systems were still vulnerable to attacks leveraging BlueKeep. That’s approximately a quarter of the 950,000 systems first discovered to be vulnerable to the security issue, as ZDNet wrote at the time.
What’s at Stake for Companies
Many security teams take a set-it-and-forget-it posture with RDP by leaving it exposed on a common port that’s open to the Internet. Malicious actors abuse this by searching for vulnerable machines online. They don’t do so manually. On the contrary, the Cybersecurity and Infrastructure Security Agency (CISA) noted that attackers commonly turn to tools like Shodan to discover potentially vulnerable RDP accounts. Those attackers can then go after the vulnerable machines and use them to gain remote access to their target’s network. From there, it’s simple to hijack accounts, move laterally and steal sensitive information.
Along those same lines, digital attackers can use exposed RDP instances to deploy ransomware. In fact, RDP is the most common delivery vector for these threat actors, ZDNet reported. Back in August 2020, for example, three separate security firms determined RDP to be the most pervasive intrusion vector and source of ransomware attacks in 2020. Ransomware actors began turning toward RDP and away from other common delivery vectors like email when they embraced “big game hunting” in 2018. That methodology de-emphasized attacks against individual users and highlighted efforts to encrypt the information of large enterprises.
Such ease of use for attackers explains why the security community witnessed a surge of interest among malicious actors for RDP connections in early 2020. According to PR Newswire, attackers’ interest in RDP servers grew 30% in March of that year. It’s no wonder then that Infosecurity Magazine documented a 768% increase in RDP attacks between the first and final quarters of 2020.
Best Practices for RDP Security
The findings discussed above highlight the need for organizations to secure their RDP instances. A big part of this involves using vulnerability management to address security gaps like BlueKeep that continue to affect this protocol. Toward that end, security teams need to establish an inventory of all their hardware and software assets including Windows machines with RDP exposed. If they don’t, they could fail to account for all the RDP instances that are running in their environment. Such oversight would prevent IT and security teams from developing a complete picture of the digital threats facing their team. Without that visibility, they can’t prioritize known vulnerabilities, and they can’t develop a patching schedule that takes all those different risks into account.
Security teams then need to follow best practices to defend their machines with RDP connections. After they’ve allowed RDP access on the Windows firewall, infosec personnel need to think carefully before opting to broaden access beyond the local area network and making it accessible via the web. If they choose to open up an RDP instance to the internet, they should specifically think about not keeping the RDP to 3389, the protocol’s default port. Malicious actors are familiar with this port, and they have crafted their attacks around using it to infiltrate a targeted organization’s network. With that said, security teams can consider changing the default port to something lesser-known.
But that’s only security through obscurity. It’s making it more difficult for port scanners to arrive upon an exposed RDP instance, for instance. It won’t necessarily prevent discovery, and it certainly won’t prevent a compromise. Acknowledging that, infosec personnel can take additional steps to defend against potential hacking attempts. They can do so by changing the password used for RDP access to something strong, complex and unique. In particular, they can change that password to something besides “administrator”, “admin” or any of the other common passwords used with 1.3 million hacked RDP servers, as explained by Bleeping Computer in April 2021. When coupled with multifactor authentication (MFA), security teams can use this step to prevent threat actors from gaining access to RDP instances using brute-force techniques and other automated attack attempts.
Finally, infosec personnel needs to consider whether it’s necessary to have RDP enabled on their systems. This process might involve disabling RDP on some machines while leaving it open on others. It might also involve turning to another remote access solution entirely. Either way, security teams can help reduce their organization’s attack surface by disabling services they don’t need.
David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...