1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

5/13/2020

0 Comments

Security Risks Associated with Exposed RDP

 
RDP security risks

Security Risks Associated with Exposed RDP

A recent report from McAfee Labs showed that since the official start of the COVID-19 pandemic in March 2020, the number of exposed RDP has increased considerably.

RDP, short for Remote Desktop Protocol (RDP), is a proprietary protocol developed by Microsoft that runs on port 3389 and allows users the ability to connect to another computer over the internet. In the blog post "Cybercriminals Actively Exploiting RDP to Target Remote Organizations", McAfee Labs said that amid the COVID-19 pandemic, organizations wanting to maintain operational continuity very likely allowed employees to access organizations’ networks remotely via RDP with minimal security checks in place, giving cyber attackers the opportunity to access these networks with ease.

According to McAfee Labs, the number of RDP ports exposed to the internet grew from approximately three million in January 2020 to more than four and a half million in March 2020. McAfee Labs derived this number of exposed RDP ports from a simple search on Shodan – a search engine that allows users to find internet-connected computers.

Exposed RDP Risks

RDP often runs on Windows server operating systems. Access to RDP box allows attackers access to an entire network.

RDP ports that are exposed to the internet are valuable to attackers as these ports allow them to enter organizations’ networks and conduct further malicious activities such as spreading malicious software (malware), including ransomware – a type of malware that encrypts computers or files, locking out legitimate users and forcing victims to pay ransom in exchange for decryption keys that will unlock these encrypted computers or files.

Other than spreading ransomware, compromised RDP ports can also be used to spread cryptominer – a type of malware that illicitly consumes the computing power of the compromised computer for the purpose of mining cryptocurrencies such as Bitcoin or Monero.

Exposed RDP ports also allow attackers to conduct malicious activities such as hiding their tracks, for instance, by compiling their tools on the compromised computer. Attackers also used exposed RDP ports in carrying out other malicious activities in the victims’ networks such as theft of personal information, proprietary information or trade secrets.

How Cyberattackers Access Exposed RDP Ports

Below are some of the tactics used by attackers to enter exposed RDP ports:

  1. Use of Stolen RDP Credentials

According to McAfee Labs, it observed an increase in both the number of attacks against RDP ports and in the volume of RDP credentials (username and password combinations) sold on underground online markets. In the past, some of these RDP online shops were taken down by law enforcement agencies.

These RDP online shops sell RDP credentials at a very low cost. McAfee Labs earlier reported that the stolen RDP credential of a major international airport was sold in one of these RDP online shops for only US$10.

  1. Brute Force Attack

While RDP can be secured via multi-factor authentication, many users fail to use this added security measure. Failure to protect RDP via multi-factor authentication allows attackers to stage brute force attack – a type of attack that guesses the correct password through trial and error.

Password guesses via brute force attacks aren’t so random. According to McAfee Labs, data from a law enforcement agency and RDP online shops taken down by the law enforcement agency showed that weak passwords remain one of the common points of entry.

A number of RDP ports were broken into, McAfee Labs said, using the top 10 passwords. “What is most shocking is the large number of vulnerable RDP systems that did not even have a password,” McAfee Labs said. The following are part of the top 10 passwords used by RDP attackers: 123456, 123, [email protected], 1234, Password1, password, 12345, 1 and test.

  1. Exploiting Security Vulnerabilities

In recent months, RDP has also been riddled with security vulnerabilities. In August 2019, Microsoft disclosed the security vulnerability known as “BlueKeep”. This security vulnerability, officially designated as CVE-2019-0708 allows an unauthenticated attacker to connect to the target system using RDP and send specially crafted requests.

Microsoft warned that BlueKeep is “wormable”, which means that it can replicate and propagate by itself to create a large-scale outbreak similar to Conficker and WannaCry. Conficker has been estimated to have impacted 10 to 12-million computer systems worldwide, while WannaCry’s damage to computer systems in just one global enterprise was estimated at $300 million.

Two other security vulnerabilities in RDP were disclosed by Microsoft in recent months: CVE-2020-0609 and CVE-2020-0610. Similar to BlueKeep, CVE-2020-0609 and CVE-2020-0610 allow an unauthenticated attacker to connect to the target system using RDP and send specially crafted requests.

According to Dustin Childs of Zero Day Initiative, while not as widespread as systems affected by Bluekeep, CVE-2020-0609 and CVE-2020-0610 present an attractive target for attackers as these vulnerabilities are wormable – at least between RDP Gateway Servers.

Best Practices in Protecting Exposed RDP Ports

Here are some of the best practices in protecting RDP ports:

  • Keep Windows Operating System Up to Date
  • Microsoft had issued a corresponding patch for BlueKeep, CVE-2020-0609 and CVE-2020-0610.
  • Use Multi-Factor Authentication
  • While multi-factor authentication can be bypassed by some attackers, still, the use of this additional level of security blocks the use of stolen RDP credentials and the use of brute force attack as knowledge of the correct username and password combination isn’t enough to authenticate a user.
  • Use a firewall
  • Use an RDP gateway
  • Limit Domain Admin account access
  • Limit the number of local admins
  • Enable Network Level Authentication (NLA)
  • Enable restricted Admin mode
0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    March 2023
    February 2023
    January 2023
    December 2022
    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    Artificial Intelligence
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Cybersecurity Tips
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    Impersonation Scams
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit