RDP Vulnerability: How does RDP vulnerability make you vulnerable?
As March 2020 saw a significant 30% increase in hackers' interest in RDP servers, understanding RDP vulnerabilities and flaws is becoming more and more vital for many of us. The spread of Covid-19 was obviously the main reason so many organizations suddenly started using remote desktop tools in early 2020, so that their employees could carry on with their jobs while social distancing. That said, Coronavirus aside, the number of RDP users has been rising sharply for a few years now, and it looks like, despite all the issues they cause, remote desktop tools like RDP are here to stay.
In this article, we explain what RDP vulnerability means and what risks it could cause.
What is RDP?
RDP (short for Remote Desktop Protocol) is a network communications protocol that provides remote display and input capabilities over local networks and the Internet. Microsoft has built this proprietary protocol into almost all versions of Windows released in the past two decades, although some Windows editions (such as Windows Home) cannot act as an RDP server.
Windows' default RDP client software is called Remote Desktop Connection (RDC). RDC used to be known as Microsoft's Terminal Services Client, which is why RDC's executable file is called mstsc.exe. Using Remote Desktop Connection, Windows users can connect to remote systems and control them as if they were sitting in front of them.
What is RDP Vulnerability?
According to The Internet Engineering Task Force (IETF), in computer security, a vulnerability is a flaw or weakness in a system's design, implementation, or management that could be exploited to violate the system's security policy.
Now, what makes RDP vulnerable? RDP vulnerabilities range from simple human negligence, like weak passwords, to technical issues and bugs in the RDP software itself, which are called software vulnerabilities.
For example, one RDP vulnerability discovered by the CheckPoint research team in 2019 is RDP's Clipboard vulnerability. Microsoft's official RDP client lets the remote user copy and paste several file formats into the remote system. This handy feature unfortunately allows a malicious RDP server to easily drop arbitrary files into almost any location on the client's computer. This can be limited by the permissions previously defined by the client, but most users do not restrict this option. Therefore, a bad actor can copy a malicious script to, say, the client's Startup folder, unbeknownst to the remote user. Needless to say, this could enable the hacker to completely take over the victim's system after a reboot.
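To make the clipboard risk concrete, here is an added example (not code from the article, and not Microsoft's client) of the check a file-transfer consumer should apply before writing a file whose name was chosen by the remote side. It assumes the client builds the destination path from the server-supplied name; the folder and file names below are constructed samples.

```powershell
function Resolve-ClipboardDestination {
    param(
        [Parameter(Mandatory)] [string] $DownloadDir,  # folder the user agreed to receive files into
        [Parameter(Mandatory)] [string] $RemoteName    # file name announced by the RDP server: untrusted input
    )
    # Normalise the trusted base once and keep a trailing separator, so that
    # "C:\Downloads2" cannot satisfy a StartsWith() check against "C:\Downloads".
    $base = [System.IO.Path]::GetFullPath($DownloadDir).TrimEnd('\') + '\'

    # Cheap syntactic rejections before the file system is involved.
    if ([System.IO.Path]::IsPathRooted($RemoteName)) {
        throw "Rejected '$RemoteName': rooted (absolute or drive-relative) names are not allowed."
    }
    if ($RemoteName -match '^\\\\|[:\x00]') {
        throw "Rejected '$RemoteName': UNC prefix, drive letter or NUL byte."
    }

    # A naive client would stop here: Combine + GetFullPath happily resolves
    # "..\..\x.bat" to a location outside $DownloadDir, which is the article's scenario.
    $candidate = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($base, $RemoteName))

    # Hardened form: accept only if the resolved path is still inside the base folder.
    if (-not $candidate.StartsWith($base, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Rejected '$RemoteName': resolves to $candidate, outside $base."
    }
    return $candidate
}

# Constructed sample names, checked against a base folder that does not need to exist yet.
$downloads = Join-Path $env:TEMP 'rdp-downloads'
$samples = @(
    'report.pdf',                 # plain name: allowed
    'sub\notes.txt',              # subfolder of the base: allowed
    '..\..\Startup\run.bat',      # traversal out of the base: denied
    'C:\Users\Public\x.exe',      # absolute path: denied
    '\\server\share\x.exe'        # UNC path: denied
)
foreach ($name in $samples) {
    try   { "ALLOW  $name -> $(Resolve-ClipboardDestination -DownloadDir $downloads -RemoteName $name)" }
    catch { "DENY   $name : $($_.Exception.Message)" }
}
```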
Software vulnerability review
Between 2002 and 2017, Microsoft released 20 security updates to patch 24 major RDP vulnerabilities. As RDP grew more popular among ordinary users and cybercriminals alike over the years, its vulnerabilities became more visible and more dangerous, too.
In 2018, the FBI warned about the growing exploitation of “vulnerable RDP sessions” by Internet fraudsters.
In May 2019, Microsoft announced the discovery of BlueKeep (officially classified as CVE-2019-0708), which affects Windows 7 and older versions of Windows. BlueKeep enables attackers to access the target system without authentication and execute arbitrary code on it, so the hacker can install programs, create new accounts with full user rights, and so on.
BlueKeep, which Microsoft categorized as “critical”, was especially concerning because it was potentially “wormable”: malware using BlueKeep could spread automatically between vulnerable systems without any user intervention.
BlueKeep was so severe that Microsoft made a point of releasing patches for some of its discontinued Windows versions, such as Windows XP, something it rarely does.
In August 2019, Microsoft announced that it had discovered four new RDP-related vulnerabilities that were wormable, just like BlueKeep.
In January 2020, Microsoft released security patches for five more vulnerabilities in RDP-based services, including two issues in Windows Remote Desktop Gateway that could let attackers take over the remote system without having to authenticate or log in.
Another of these vulnerabilities, identified as CVE-2020-0611, allows code execution on the victim's computer, like BlueKeep. Unlike BlueKeep, however, CVE-2020-0611 does not let the attacker establish a remote connection without the user's involvement: the attacker has to trick the user into connecting, via social engineering, DNS poisoning or a Man-in-the-Middle (MITM) technique.
That wraps up our short review of just a few RDP vulnerabilities. What is clear, however, is that we have not seen the last of them, so we should always stay watchful for new security updates and guidance.
Also note that Microsoft's built-in RDP client is not the only RDP tool with severe vulnerabilities and issues. Other RDP programs also suffer from bugs and vulnerabilities, which continue to be discovered over time. For example, in 2019 CheckPoint found several vulnerabilities with major security impact in FreeRDP and rdesktop, two of the most popular open-source RDP clients. One class of bug shared by both tools was a buffer overflow that a malicious server could exploit to achieve remote code execution on the client machine.
What do hackers usually do with RDP?
Cyberattackers may have very different reasons for attacking a system via RDP, so there is no telling what they will do after taking over a remote computer. Many of them, though, tend to first do a preliminary survey to identify the victim and the main purpose for which they use their system. This phase may not be necessary if the attackers already know whose computer they are connecting to through remote desktop.
Another key step for many cybercriminals is neutralizing the security software running on the victim's computer, by disabling it or creating exclusion rules.
Once they have completed the initial steps, they can get to their main purpose. For example, some attackers use RDP to:
- access and infiltrate a local network through one of the computers connected to it that has been compromised through RDP
- steal important or compromising files or information such as banking credentials, company secrets, personal files, etc.
- run ransomware to encrypt the victim's files, so that they can demand money in exchange for decrypting the files for their owners
- install coin-mining software to generate cryptocurrency using the resources of the victim's computer, without their knowledge. This is called cryptojacking and can have several consequences, such as slowing down your system because your CPU is busy mining, raising your electricity bills, and shortening the life of your computer.
After doing the damage, the last thing hackers do is get rid of any unwanted evidence or footprints that would reveal their presence on the victim's computer.
Now that we have a general idea of what RDP vulnerabilities are and what risks and threats they can pose, it is time to also think about the scale of the damage they can cause.
RDP is currently the most widely used remote desktop software in the world. So it should be no surprise that, according to the Coveware ransomware marketplace report, over 50% of all ransomware attacks in the first quarter of 2020 were carried out using poorly secured RDP connections.
On this scale, RDP vulnerability is clearly too big an issue to be overlooked.
What to do against RDP vulnerability?
The good news is that, despite the tireless and sophisticated efforts of bad actors and cybercriminals to exploit RDP, you can make your remote desktop connections very safe and secure by taking some necessary measures. Here is a short summary of the most important precautions you should take to secure remote desktop:
- Update your system and software regularly and always make sure you have the latest security patches installed.
- Use strong passwords and do not reuse passwords. Using Multi-Factor Authentication (MFA) helps a lot. Do not forget that brute-force attacks are still among the most popular ways to attack RDP.
- Enable Network Level Authentication (NLA) if possible.
- Disable or restrict clipboard sharing over RDP.
- Disable Remote Desktop Services and close the RDP port if you do not use remote desktop connections on a computer. If you do need RDP, tools that dynamically change its port for you can be very helpful.
- Use a powerful firewall with carefully defined rules. A firewall specially designed for RDP could be most effective.
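As an added example (not part of the article), the following read-only audit reports how a Windows host measures up against the checklist above. Run it in an elevated PowerShell on the machine you administer; it assumes the default "RDP-Tcp" listener and changes nothing.

```powershell
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RegValue([string] $Path, [string] $Name) {
    # $null when the value is absent; the checks below treat that as "not configured".
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string] $Check, $Ok, [string] $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
}

# 1. Remote Desktop off when not needed (fDenyTSConnections = 1 means connections are refused).
$deny = Get-RegValue $tsKey 'fDenyTSConnections'
Add-Finding 'RDP disabled when not needed' ($deny -eq 1) "fDenyTSConnections=$deny"

# 2. Network Level Authentication required before a session is created (UserAuthentication = 1).
$nla = Get-RegValue $rdpKey 'UserAuthentication'
Add-Finding 'NLA required' ($nla -eq 1) "UserAuthentication=$nla"

# 3. Clipboard redirection disabled on the server side (fDisableClip = 1).
$clip = Get-RegValue $rdpKey 'fDisableClip'
Add-Finding 'Clipboard sharing disabled' ($clip -eq 1) "fDisableClip=$clip"

# 4. Listener moved off the default port, which scanners and brute-forcers try first.
$port = Get-RegValue $rdpKey 'PortNumber'
Add-Finding 'Non-default RDP port' ($null -ne $port -and $port -ne 3389) "PortNumber=$port"

# 5. Firewall: enabled "Remote Desktop" rules should be scoped to known addresses, not "Any".
$fwRules   = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
              Where-Object { $_.Enabled -eq 'True' })
$openToAny = @($fwRules | Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' })
Add-Finding 'Firewall rules scoped' ($openToAny.Count -eq 0) `
    "$($fwRules.Count) enabled rule(s), $($openToAny.Count) open to Any"

# 6. Patching: the newest installed update, to compare against Microsoft's current release.
$last = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
Add-Finding 'Recent updates installed' 'check manually' `
    "Latest hotfix $($last.HotFixID) installed $($last.InstalledOn)"

$findings | Format-Table -AutoSize
```

A row with Ok = False points at the checklist item to fix; the patch row always needs a human comparison against the current security update.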