An RDP compromise provides a cybercriminal with a backdoor for ransomware and other types of malware, says security provider ESET.
The coronavirus lockdown has prompted a host of organizations to require their staffers to work from home. But many of those employees still need to remotely access computers in the office, which has triggered an increase in the use of programs that rely on Microsoft’s Remote Desktop Protocol (RDP). Of course, cybercriminals have pounced on this transition, which is why RDP is more exploitable than ever. A report published on Monday by ESET discusses how attackers take advantage of RDP and what organizations can do to combat them.
SEE: How to work from home: IT pro’s guidebook to telecommuting and remote work (TechRepublic Premium)
Though Remote Desktop Protocol can be enough of a security risk on its own, organizations often compound the vulnerabilities by failing to properly secure RDP accounts and services. Accounts with RDP privileges may have a weak password or no additional layers of security. Those flaws open the door for brute force attacks in which cybercriminals use automated tools to obtain the account password. If successful, the attackers can then invade a network, elevate their rights with administrative access, disable security products, and even run ransomware to encrypt critical data and hold it hostage.
However, ransomware and extortion aren’t the only types of attacks that can follow an RDP compromise, according to ESET. Often, attackers will try to install coin-mining malware or even create a backdoor, which can be then used if their unauthorized RDP access is ever identified and shut down.
Other actions performed by attackers following an RDP breach include clearing out log files to remove evidence of their activity, installing tools and malware on compromised machines, disabling or deleting scheduled backups, and exfiltrating data from the server.
ESET has seen a rise this year in reported RDP attacks from among its customers. From just under 30,000 reported attacks per day in December 2019, the volume has been hovering around 100,000 since April 2020.
“RDP has been a popular attack vector for many years now, but this has increased even more ever since IT teams had to accommodate a remote workforce due to COVID-19,” said Javvad Malik, security awareness advocate for KnowBe4.
“In an attempt to keep the show on the road, many IT teams would have enabled RDP in addition to relaxing security controls in order to allow employees to work unhindered from home,” Malik said. “However, this all accumulates as technical debt, one that the criminals are well aware of, and which would lead them to increase their attacks.”
How can organizations better guard against RDP compromises through brute force attacks? One key effort starts with the password itself.
“Enforcing password discipline where users must choose complex passwords with uppercase, lowercase, numeric, and special characters, with a minimum length greater than 14 characters, makes a brute-force attack much more complicated,” said Gurucul CEO Saryu Nayyar. “Fifteen characters is a minimum to withstand rainbow table attacks, with longer passwords giving much greater security.
But even strong passwords should be backed up by such tools as multifactor authentication and security analytics.
“Multifactor authentication can also greatly reduce the risk from brute-force attacks, whether it is provided through an application or a physical access key,” Nayyar said. “Advanced security analytics can help identify a brute-force attack before an account is compromised by identifying the behaviors associated with this attack vector, automatically blocking access at the infrastructure or account level.”
User training is one more important factor to add to your cyber defense strategy.
“It’s worth bearing in mind though, that even when these security controls are put in place, criminals can still get in by social engineering the users,” Malik said. “Especially during this time where many are working remotely from home, it has become easier for criminals to masquerade as the IT help desk to either phish credentials, or persuade users to download malicious files, which is why security awareness and training should also form a critical component of any layered defensive strategy.”
Finally, ESET offers several tips for effectively configuring and securing your remote access accounts and services:
- Disable internet-facing RDP. If that’s not possible, minimize the number of users allowed to connect directly to the organization’s servers over the internet.
- Require strong and complex passwords for all accounts that can be logged into via RDP.
- Use an additional layer of authentication (MFA/2FA).
- Install a virtual private network (VPN) gateway to broker all RDP connections from outside your local network.
- At the perimeter firewall, disallow external connections to local machines on port 3389 (TCP/UDP) or any other RDP port.
- Protect your endpoint security software from tampering or uninstallation by password-protecting its settings.
- Isolate any insecure or outdated computers that need to be accessed from the internet using RDP and replace them as soon as possible.
- Apply all of these best practices to FTP, SMB, SSH, SQL, TeamViewer, VNC, and other services as well.
- Set up your RDP correctly using the advice shared in this ESET report from December 2019.