Remote Desktop Protocol Risks, Far From Remote
The Remote Desktop Protocol (RDP), which is popular with many admins, poses a major security risk for companies. Security provider Sophos has completed its almost four-month study "RDP Exposed: The Threat That's Already at Your Door" and published the long-term results. It shows how cyber criminals relentlessly try to attack companies via RDP. This study shows that remote desktop protocol risks are far from remote.
Remote Desktop Protocol Risks, Far From Resolved
RDP is still a valid reason for system administrators to have sleepless nights. In the past year, the cyber criminals behind the two large ransomware attacks Matrix and SamSam have focused almost entirely on network access via RDP and largely abandoned other methods. Ransomware is a form of attack that locks down your computer by encrypting its files and only gives you the key to unlock it if you pay a specific amount of money (the ransom) to the hacker who locked it. Ransomware is only one entry in the long list of attacks that the remote desktop protocol faces today.
Matt Boddy, security specialist at Sophos and head of the study, explains: “A recent error in the execution of remote code in RDP, called BlueKeep, has made headlines.” BlueKeep is a remote desktop protocol risk that allows remote code execution on exposed computers; you can imagine how devastating such a vulnerability is. It is so serious that it could be used to trigger a ransomware wave spreading worldwide in hours. Protection against RDP threats goes far beyond patching systems against BlueKeep, because BlueKeep is just the tip of the iceberg. In addition, IT managers have to pay significantly more attention to RDP because, as our study shows, cyber criminals attack all potentially vulnerable computers with RDP by trying to guess their passwords.
RDP Exposed, The Study That Confirms Our Worry
The new RDP study from Sophos, "RDP Exposed - The Threat That's Already at Your Door", shows how quickly attackers find RDP-enabled devices on the Internet after they appear. As a demonstration, Sophos used ten geographically distributed honeypots to measure and quantify remote desktop protocol risks. Honeypots are deliberately weakly secured computers placed in a network to lure attackers, so that the risks to a system can be observed and analyzed.
All ten honeypots received their first RDP login attempt within one day. The ten RDP honeypots recorded a total of 4,298,513 failed login attempts over a period of 30 days. This corresponds to one attack attempt every six seconds (per honeypot). It is generally believed that cyber criminals use websites like Shodan to search for open RDP sources. However, the Sophos study shows that cyber criminals have their own tools and techniques to find open RDP sources and do not necessarily rely on third-party websites.
Hackers' Behavior Patterns
Sophos identified different attack patterns based on the study. These fall into three main profiles: the ram, the swarm and the hedgehog.
The ram is a strategy that aims to crack an administrator password. An example from the study: an attacker made 109,934 attempts to log on to the Irish honeypot in just ten days using only three usernames. This type of attack is often facilitated by insider knowledge of the target network, which gives the attacker a working set of usernames to try.
The swarm is a strategy that uses sequential usernames and a finite number of worst passwords. An example from the study: an attacker recorded at the Paris honeypot used the username ABrown nine times within 14 minutes, followed by nine more attempts with the username BBrown, then CBrown, then DBrown and so on. The pattern was repeated with A.Mohamed, AAli, ASmith and others. This is a case of a dictionary or brute-force attack that works through a set of usernames and passwords to crack the computer, and it is one of the leading remote desktop protocol risks.
The hedgehog is characterized by bursts of high activity followed by longer periods of inactivity. An example from Brazil shows that each spike generated by an IP address lasts about four hours and consists of 3,369 to 5,199 password guesses. This approach is more subtle and stays under the radar, and it is mostly carried out during hours when no IT staff are nearby to monitor the computers, which points to another major remote desktop protocol risk: unattended access.
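As an added example (not code from the Sophos study or from this page), the following Python script classifies failed RDP logins per source IP into the three profiles above. The event format, the constructed sample events and the thresholds are assumptions, chosen to mirror the patterns described.

```python
"""Classify failed RDP logins per source IP into the Sophos profiles
(ram, swarm, hedgehog). Event format and thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def make_sample():
    """Constructed failed-login events (timestamp, source_ip, username);
    not real telemetry. Three source IPs, one per profile."""
    t0 = datetime(2019, 6, 1)
    ev = []
    # ram: one IP hammers three admin-style accounts, 300 tries in 10 min
    for i in range(300):
        user = ["Administrator", "admin", "root"][i % 3]
        ev.append((t0 + timedelta(seconds=2 * i), "198.51.100.7", user))
    # swarm: sequential usernames (ABrown, BBrown, ...), nine tries each
    for j, letter in enumerate("ABCDEFGH"):
        for k in range(9):
            ts = t0 + timedelta(seconds=90 * (9 * j + k))
            ev.append((ts, "203.0.113.5", f"{letter}Brown"))
    # hedgehog: two dense ~4 h bursts separated by ~20 h of silence
    for burst_hour in (0, 24):
        for i in range(200):
            ts = t0 + timedelta(hours=burst_hour, seconds=72 * i)
            ev.append((ts, "192.0.2.9", "Administrator"))
    return ev


def classify(events, min_attempts=50, idle_gap=timedelta(hours=6)):
    """Return {source_ip: profile} for IPs with at least min_attempts."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, rows in by_ip.items():
        if len(rows) < min_attempts:
            continue  # below alerting threshold (assumed value)
        rows.sort()
        users = Counter(u for _, u in rows)
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        if any(g >= idle_gap for g in gaps):
            verdicts[ip] = "hedgehog"  # bursts with long quiet periods
        elif len(users) <= 3:
            verdicts[ip] = "ram"  # many tries against a handful of accounts
        elif len(users) >= 5 and max(users.values()) <= 10:
            verdicts[ip] = "swarm"  # many usernames, few tries each
        else:
            verdicts[ip] = "unclassified"
    return verdicts
```

On a real host the events would come from failed-logon records (Windows Event ID 4625) rather than from make_sample().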
What to Do to Secure Remote Desktop
As we can see from the research done by the folks at Sophos, the remote desktop protocol risks are very real and dangerous. The hackers won't be stopping anytime soon, and that leaves people who need remote desktop connections in their enterprises exposed to risk. This is why there are some ways to secure your remote desktop connections from the start and stop worrying about hackers all the time; these are described below:
- By default, the RDP host system listens on port 3389 for connection requests from RDP clients. The port used by the RDP service can be changed, which protects the network from malware that scans systems for RDP on port 3389. This approach can, however, cause problems of its own. So changing the port is possible, but you should have a good reason for it.
- It is also helpful to use firewalls in the environment or in the operating system that only allow incoming RDP connection requests from permitted sources and to permitted destinations. As a result, not everyone can connect to the server. If a certain group of people is only supposed to connect to a certain group of servers, firewall rules help to enforce these restrictions.
- Check who is able to establish an RDP connection to a server. Consider restricting access to RDP to specific groups (using Group Policy or manually on the target machines) rather than leaving it open to everyone. It is also recommended to exclude the local administrator account from RDP access. And all user accounts should be clearly defined in advance on the system.
- Although Network Level Authentication (NLA) offers authentication, the best available method for authenticating client requests to an RDP host system is to use SSL certificates. If the certificate is installed on the system and on the RDP client, authentication takes place using the certificate before the start of an RDP session.
- If access to a system via the external network is required, the necessary port should not be available to everyone for possible misuse. Instead, configure a VPN tunnel back into the network for RDP. It is even better to create a gateway for remote desktops: this allows remote connections via HTTPS, so that RDP can establish a more secure and encrypted connection to the endpoint. Both methods are certainly better than an open port 3389 in the perimeter network.
Is There An Easier Way?
Mitigating remote desktop protocol risks by yourself takes a lot of time and effort, and after all is done, you won't be able to see whether the things you've set up are working or not. This leads to the most common answer in the field of security, which is using a third-party firewall. But if you are looking for a firewall that is built and designed for remote desktop use, you can give our Sunfirewall a try and see many of the steps mentioned in the last paragraphs done automatically.