Security Risks Associated with Exposed RDP

Security Risks Associated with Exposed RDP

A recent report from McAfee Labs showed that since the official start of the COVID-19 pandemic in March 2020, the number of exposed RDP has increased considerably.

RDP, short for Remote Desktop Protocol (RDP), is a proprietary protocol developed by Microsoft that runs on port 3389 and allows users the ability to connect to another computer over the internet. In the blog post "Cybercriminals Actively Exploiting RDP to Target Remote Organizations", McAfee Labs said that amid the COVID-19 pandemic, organizations wanting to maintain operational continuity very likely allowed employees to access organizations’ networks remotely via RDP with minimal security checks in place, giving cyber attackers the opportunity to access these networks with ease.

According to McAfee Labs, the number of RDP ports exposed to the internet grew from approximately three million in January 2020 to more than four and a half million in March 2020. McAfee Labs derived this number of exposed RDP ports from a simple search on Shodan – a search engine that allows users to find internet-connected computers.

Exposed RDP Risks

RDP often runs on Windows server operating systems. Access to RDP box allows attackers access to an entire network.

RDP ports that are exposed to the internet are valuable to attackers as these ports allow them to enter organizations’ networks and conduct further malicious activities such as spreading malicious software (malware), including ransomware – a type of malware that encrypts computers or files, locking out legitimate users and forcing victims to pay ransom in exchange for decryption keys that will unlock these encrypted computers or files.

Other than spreading ransomware, compromised RDP ports can also be used to spread cryptominer – a type of malware that illicitly consumes the computing power of the compromised computer for the purpose of mining cryptocurrencies such as Bitcoin or Monero.

Exposed RDP ports also allow attackers to conduct malicious activities such as hiding their tracks, for instance, by compiling their tools on the compromised computer. Attackers also used exposed RDP ports in carrying out other malicious activities in the victims’ networks such as theft of personal information, proprietary information or trade secrets.

How Cyberattackers Access Exposed RDP Ports

Below are some of the tactics used by attackers to enter exposed RDP ports:

1. Use of Stolen RDP Credentials

According to McAfee Labs, it observed an increase in both the number of attacks against RDP ports and in the volume of RDP credentials (username and password combinations) sold on underground online markets. In the past, some of these RDP online shops were taken down by law enforcement agencies.

These RDP online shops sell RDP credentials at a very low cost. McAfee Labs earlier reported that the stolen RDP credential of a major international airport was sold in one of these RDP online shops for only US$10.

2. Brute Force Attack

While RDP can be secured via multi-factor authentication, many users fail to use this added security measure. Failure to protect RDP via multi-factor authentication allows attackers to stage brute force attack – a type of attack that guesses the correct password through trial and error.

Password guesses via brute force attacks aren’t so random. According to McAfee Labs, data from a law enforcement agency and RDP online shops taken down by the law enforcement agency showed that weak passwords remain one of the common points of entry.

A number of RDP ports were broken into, McAfee Labs said, using the top 10 passwords. “What is most shocking is the large number of vulnerable RDP systems that did not even have a password,” McAfee Labs said. The following are part of the top 10 passwords used by RDP attackers: 123456, 123, [email protected], 1234, Password1, password, 12345, 1 and test.

3. Exploiting Security Vulnerabilities

In recent months, RDP has also been riddled with security vulnerabilities. In August 2019, Microsoft disclosed the security vulnerability known as “BlueKeep”. This security vulnerability, officially designated as CVE-2019-0708 allows an unauthenticated attacker to connect to the target system using RDP and send specially crafted requests.

Microsoft warned that BlueKeep is “wormable”, which means that it can replicate and propagate by itself to create a large-scale outbreak similar to Conficker and WannaCry. Conficker has been estimated to have impacted 10 to 12-million computer systems worldwide, while WannaCry’s damage to computer systems in just one global enterprise was estimated at $300 million.

Two other security vulnerabilities in RDP were disclosed by Microsoft in recent months: CVE-2020-0609 and CVE-2020-0610. Similar to BlueKeep, CVE-2020-0609 and CVE-2020-0610 allow an unauthenticated attacker to connect to the target system using RDP and send specially crafted requests.

According to Dustin Childs of Zero Day Initiative, while not as widespread as systems affected by Bluekeep, CVE-2020-0609 and CVE-2020-0610 present an attractive target for attackers as these vulnerabilities are wormable – at least between RDP Gateway Servers.

Best Practices in Protecting Exposed RDP Ports

Here are some of the best practices in protecting RDP ports:

• Keep Windows Operating System Up to Date
• Microsoft had issued a corresponding patch for BlueKeep, CVE-2020-0609 and CVE-2020-0610.
• Use Multi-Factor Authentication
• While multi-factor authentication can be bypassed by some attackers, still, the use of this additional level of security blocks the use of stolen RDP credentials and the use of brute force attack as knowledge of the correct username and password combination isn’t enough to authenticate a user.
• Use a firewall
• Use an RDP gateway
• Limit Domain Admin account access
• Limit the number of local admins
• Enable Network Level Authentication (NLA)
• Enable restricted Admin mode