Anatomy of a Breach
RDP (Remote Desktop Protocol) is a Microsoft protocol that allows users to access computers remotely. A great deal of enterprise business operations rely on RDP to reach corporate devices. Because RDP grants complete control over the device, these portals are tempting and valuable entry points for attackers, making stronger RDP protection an easy way to reduce risk across your attack surface.
In fact, in the months following the Covid-19 outbreak, exposed RDP endpoints increased by 127% as workplaces went remote. Unauthorized attempts to access exposed RDP systems have exploded in turn, with ESET reporting over 55B login attempts against RDP so far in 2021.
RDP access has gone from a convenient way for attackers to get in to a booming underground industry, with initial access brokers selling RDP credentials to the highest bidder seeking immediate access into an organization. Today, access is so common that would-be hackers can purchase RDP access on the Dark Web for as little as $5.
A recent DarkTrace analysis broke down a ransomware attack that started through an exposed RDP endpoint, concluding that if this organization’s security team had had protection around exposed RDP instances, they may not have been breached.
With many vendors spreading FUD about the risk of inadequate RDP protection and claiming that organizations should never expose RDP, many organizations are rightfully afraid of it. Leading cyber insurance firms, such as Coalition, are now even refusing to insure organizations with exposed RDP. However, the reality is less black and white, and it’s our belief that with proper visibility and protections in place, exposing RDP is not a cause for grave concern.
The attacker struck on a Saturday evening, allowing more time to operate while the security team was presumed to be lightly staffed for the weekend. This organization had 7,500 active devices, of which one had an internet-facing RDP port open. The service was open to the internet and running on the standard RDP TCP port 3389. This RDP service was commonly used by a large number of users, making the attack more difficult to detect among the valid connections. While it’s unknown how the attacker obtained credentials, on Saturday evening they gained initial access to the corporate network.
What Went Wrong?
The RDP connection to the port was made from an external endpoint that used an authentication cookie. The connection was flagged as an outlier from standard RDP procedures. The device proceeded to engage in network scanning after the initial connection, and made WMI connections to multiple devices.
After the network scan and WMI connections, the device used a second authentication cookie to create a new RDP connection, this time to a non-standard port that had previously appeared on the network. The attacker then moved laterally through SMB control pipes and native Windows admin tools to five other devices. These vectors were unmonitored, allowing the attacker to continue to avoid detection.
In this attack, the hacker quickly established external communication through their initial access point, the open internet-facing RDP port. Because the attack happened during non-work hours, the attacker was able to move through every phase of the breach in less than seven hours. The key to stopping these attacks is good attack surface hygiene. If unnecessary services are left exposed to the internet, breaches are inevitable, because attackers are constantly looking for a way into the network. Whether RDP is necessary comes down to your business case. But if it is necessary, it must be properly monitored and protected. This attack could have been prevented if common RDP controls were in place to monitor the exposed endpoint.
What Should You Do?
RDP can be a critical business tool, but it is also a valuable and sometimes easy entry point for attackers. Still, there is no reason to be afraid as long as your organization is aware that it is exposed, is actively monitoring, updating and patching it, and has credential safeguards in place such as MFA.
For organizations unsure of their exposure or who need to expose RDP for business operations, an ASM (Attack Surface Management) platform, like Randori, can provide visibility into unknown exposures and allow for continuous monitoring of tempting endpoints, like RDP. The platform’s capabilities are not limited to exposed RDP. It locates all exposed endpoints, highlighting many that are even more tempting to attackers than RDP.
Internet-exposed systems, like RDP, are a common access point for attackers, but can easily be protected from becoming the initial entry point into your network. Here are some ways your organization can protect itself against exposed RDP:
- Use ASM for visibility
- Enforce multi-factor authentication for all exposed RDP instances
- Segment remotely accessible systems from the rest of your network
- Limit remote logins and the permissions of users, systems, and services
- Monitor all failed login attempts and locations
- Monitor for credential leaks
- Be aggressive about patching remote access services such as RDP, VPNs, or SSH
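As an added example (not code from the article or from any vendor product), the detection pass below runs over constructed Windows Security logon events and flags the pattern described in the breach above: a burst of failed RDP logins, then a success from a new, external source outside working hours. The event IDs and logon type follow Windows conventions; the working-day window, the baseline address set and the failure threshold are assumptions to tune per environment.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample events shaped like Windows Security log fields (EventID 4624 =
# logon succeeded, 4625 = failed; LogonType 10 = RemoteInteractive, i.e. RDP). 2021-06-12 is a Saturday.
EVENTS = [
    {"time": f"2021-06-12T19:0{i}:00", "id": 4625, "type": 10, "user": "jdoe", "src": "203.0.113.7"}
    for i in range(5)  # five failures, then a success, from a TEST-NET (documentation) address
] + [
    {"time": "2021-06-12T19:06:30", "id": 4624, "type": 10, "user": "jdoe", "src": "203.0.113.7"},
    {"time": "2021-06-14T09:12:00", "id": 4624, "type": 10, "user": "asmith", "src": "10.20.30.40"},
    {"time": "2021-06-14T09:15:00", "id": 4624, "type": 2, "user": "asmith", "src": "-"},  # console, ignored
]

BASELINE_SOURCES = {"10.20.30.40"}  # assumed: addresses seen during normal RDP use
FAIL_THRESHOLD = 5                  # assumed: failures per source/user before alerting
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_off_hours(ts):
    """Weekend, or outside an assumed 07:00-19:00 working day."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 19

def is_external(src):
    """True unless src falls in an RFC1918 or loopback range."""
    return not any(ip_address(src) in net for net in INTERNAL_NETS)

def analyze(events, baseline=BASELINE_SOURCES, fail_threshold=FAIL_THRESHOLD):
    """Return (kind, src, user, reasons) alerts for RDP logons that deviate from the baseline."""
    failures, alerts = Counter(), []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["type"] != 10 or e["id"] not in (4624, 4625):  # RDP logon events only
            continue
        key = (e["src"], e["user"])
        if e["id"] == 4625:  # failed logon: count per source/user (brute force or spray)
            failures[key] += 1
            if failures[key] == fail_threshold:
                alerts.append(("rdp_failed_burst", e["src"], e["user"], ["repeated_failures"]))
            continue
        reasons = [r for r, hit in (
            ("external_source", is_external(e["src"])),
            ("new_source", e["src"] not in baseline),
            ("off_hours", is_off_hours(datetime.fromisoformat(e["time"]))),
            ("success_after_failures", failures.pop(key, 0) > 0),
        ) if hit]
        if reasons:
            alerts.append(("rdp_logon_outlier", e["src"], e["user"], reasons))
    return alerts
```

Fed real 4624/4625 events exported from the RDP host, the same pass also surfaces the weekday, internal, baseline logons as silence, which is the point: the outlier is what gets reviewed.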