Security Risks in Remote Desktop Protocol
Microsoft's Remote Desktop Protocol enables users to access their computers remotely, but the risks of RDP remain hidden most of the time. It is also one of the most popular administration tools with which system administrators can centrally control their remote systems with the same functionality as if they were on site. IT staff and support services use the tool in many ways to manage hundreds of customer networks and systems. While RDP makes remote administration of distributed IT systems enormously easier, it also creates another gateway for cyber-attacks.
Various sources report an increase in RDP attacks. As early as 2018, the Internet Crime Complaint Center (IC3) issued a special security warning on the subject Risks of RDP. Malicious activities related to RDP include ransomware, data theft, the installation of backdoors, so-called pivoting (aka lateral movement) and the launching of further attacks from a compromised network. Access data for RDP accounts are said to have already been offered for single-digit dollar amounts per server on trading platforms in the Darknet.
Large target area
A recent study shows that RDP actually creates a large and vulnerable target in many networks: According to the Vectra 2019 Spotlight Report on the Risks of RDP for the period from January to June 2019, the AI-based platform Cognito has 26 800 suspicious RDP processes recognized in more than 350 implementations. 90% of these implementations showed behavioral detection by RDP attackers. The manufacturing and finance and insurance industries had the highest rate of RDP detections with ten or eight cases per 10,000 workloads and devices. Within the manufacturing industry, mid-sized companies had the highest rate with 20 cases per 10,000 workloads or devices. The five most common targets besides manufacturing and finance were retail, public administration and healthcare. The first three industries together accounted for almost half (49.8%) of all RDP cases.
A possible attack type is a brute force attack in order to find valid RDP access data. Here, a malicious actor scans a series of IP addresses, looks for open ports that are used by RDP (e.g. port 3389) and then carries out a brute force attack to determine the password. Attacks of this kind can have the same consequences as a Denial of Service attack (D.O.S), since the operating system is overloaded due to the large number of requests and ultimately refuses to serve. Vulnerable code is also exploited in the case of RDP attacks, in particular the RDP specific vulnerability CVE-2018-0976.
The general weaknesses of RDP have been known for years: RDP communication is now encrypted using the TLS standard. However, an attacker could launch a man-in-the-middle attack to gain RDP credentials. The attacker operates from a broadcast domain that is shared with either the client or the RDP server.
Some attackers use a Python-based tool called Seth to redirect traffic via an RDP proxy using ARP spoofing which is a method of hacking using the ARP protocol. This enables the encryption quality of the connection to be reduced and login information to be extracted in plain text. In addition to the use of ransomware and backdoor installations, attackers can use RDP to move around the entire foreign network environment. In some cases, the goal is to tunnel RDP connections over another protocol such as SSH to bypass firewalls and other border protection measures.
Large scale attacks
Cyber-atackers typically follow the path of least resistance to achieve their goals and try to use existing administration tools like RDP for their purposes. Mostly it is about industrial espionage or state / politically motivated activities. The attackers generally want to scout out a foreign network, work their way to valuable databases and finally remove data from the network as inconspicuously as possible. The high risks of RDP on Windows systems and the frequent use by system administrators make it the ideal tool for attackers to avoid detection when performing their activities.
It is important that security teams understand how attackers use RDP to infiltrate systems.
As we said Cyber-attackers typically follow the path of least resistance to achieve their goals. They will always try to use existing administration tools before introducing new malicious software. The attackers' goal is to conduct internal scouting, work laterally in the network and finally extract data from a network. This increases the risks of RDP in government and other large scale networks exponentially.
The following three examples show that this tactic is implemented on a large scale worldwide and can partly be attributed to governmental or government-sponsored attackers. APT stands for Advanced Persistent Threat Groups which are groups that function in large scales and are mostly foreign governments and their actors conducting Cyber attacks for specific strategic purposes.
APT40: A Government Sponsored Chinese Actor
APT40 has been conducting operations to support the Chinese Navy's modernization efforts at least since 2013. The group uses compromised credentials to log in to other connected systems and conduct scouts. In addition to RDP, the group also uses the Secure Shell Protocol (SSH), legitimate software in the victim's environment, a number of native Windows functions, publicly available tools and specific scripts to facilitate internal scouting.
The APT40 group - disguised as a manufacturer of unmanned underwater vehicles - has already targeted universities that are involved in marine research. The group also directs its activities to countries that are involved in geopolitical disputes in the South China Sea. Another target is nations that China is trying to influence across Asia, Europe and the Middle East with its $ 1 trillion Trade Network initiative (known as the Belt and Road).
APT39: An Iranian Cyber Espionage Group
The Cyber espionage group APT39 has been running an extensive campaign with a wide range of user-defined and common tools for a long time. To date, APT39 has focused on personal data to support surveillance or tracking efforts that serve Iran's national priorities. The attackers' goal is probably also to create additional access points that will facilitate future campaigns.
The group, which has existed since 2014, has so far concentrated its activities on the Middle East; companies in Europe, South Korea and the USA were also targeted. Most of the destinations are in the telecommunications and travel industries, but the high-tech industry and government agencies have also been affected. APT39 uses RDP to laterally advance in external networks (lateral movement) and to fix it in the long term. This approach points to a new quality of Cyber espionage: In the past, state-sponsored actors only stole basic information, but now they are building long-term espionage campaigns, installing sensors in secure networks and using them whenever possible making the risks of RDP usage very high.
SamSam is a computer hacking and extortion program that has affected nearly 200 organizations - including critical infrastructure, hospitals, and government agencies - worldwide, and especially in the United States, for almost three years. According to the U.S. Department of Justice, cyber-attackers stole approximately $ 6 million from ransom payments while causing over $ 30 million in damage as a result of the attacks. Some of the most notable cases included attacks on the city of Atlanta, the city of Newark, the port of San Diego and the Kansas Heart Hospital.
The cyber-attackers used RDP to gain permanent access to the victims' networks. After gaining access to a network, they escalated administrator privileges, infiltrated malware on the server, and ran an executable file without any activity or authorization from the victim. RDP enabled cyber-attackers to infect victim environments with minimal detection probability.
Analysis of tools found in the compromised networks revealed that the attackers had bought several of the stolen RDP credentials from established marketplaces on the Darknet. An analysis of the victims' access logs by the FBI showed that the SamSam actors infected the networks within a few hours of buying the credentials. During the renovation of their systems, several victims found suspicious activity on their networks that had nothing to do with SamSam. These activities are a possible indicator that additional credentials have been stolen, sold on the Darknet and used for other illegal activities, this alone can make the risks of RDP stand out for administrators of such large networks.
These are just three examples of spectacular cyber-attacks based on RDP but the widespread remote maintenance protocol currently seems to be particularly attractive for cyber-criminals in general. What security experts have been warning about for a long time is now becoming a widespread threat - the latest study by Vectra shows that entire industries are affected. Due to the frequent use of the very helpful and "harmless" protocol, the number of attacks in which RDP is misused by attackers is likely to remain very high in the future.
What Else Has Been Researched?
"Cyber-criminals know that RDP is a very easily accessible administration tool that allows them to hide during an attack," said Chris Morales, Head of Security Analytics at Vectra a Cyber security firm. "It is important that security teams understand how attackers use RDP, because it will continue to be a threat in the near future."
As they move through the attack life cycle, Cyber criminals conduct internal scouts and move sideways on the alien network to identify systems and access those that contain valuable data. The ubiquity of RDP on Windows systems and its frequent use by system administrators make RDP the ideal tool for attackers to avoid detection while performing their activities.
The Spotlight Report 2019 on the risks of RDP is based on the analysis of the data in the 2019 Black Hat Edition of the Attacker Behavior Industry Report, which shows behaviors and trends in networks from a sample of more than 350 opt-in Vectra implementations from January to June 2019 . The Attacker Behavior Industry Report provides statistical data on the behavior of attackers who try to sneak into existing network traffic and hide their harmful actions.
Although RDP is used very often in almost all of the IT industry, It doesn’t seem to be that secure. To enable security for RDP connections you have to firstly know about the type of attackers and security vulnerabilities and next try and identify a solution for such attacks. There are many good network security software designed for RDP access and control that you can use to minimize the risks of attack. You can try out the Sunfirewall Security Suite that is offered by our team especially designed for this purpose, there is always a free trial. But with all that said next time you are going to use the Remote Desktop Protocol or give RDP access to someone you will have to be extra careful because of the high security risks of RDP.