0x01 How attackers use RDP to deploy malicious software


0x00 Background of the document

These past few months of the pandemic, in order to maintain social distance, many companies have relied on RDP to ensure the uninterrupted operation of their business.
RDP (Remote Desktop Protocol) is a network communication protocol developed by Microsoft, which provides a graphical interface for most Windows operating systems, allowing users to remotely connect to a server or another computer. RDP transmits the display of the remote server to the client and transmits the input from peripherals (such as keyboards and mice) from the client to the remote server, effectively allowing users to control the remote computer as if they were operating it personally.
However, many enterprises do not have enough time and resources to securely configure RDP, and the hasty shift to remote work may be providing an opportunity for ransomware groups to attack.
According to a report by McAfee, the number of exposed RDP ports on the Internet increased from 3 million in January 2020 to 4.5 million this March.
Below, I will discuss how to protect RDP from ransomware attacks from three angles, in the hope of prompting further discussion.

0x01 How attackers use RDP to deploy malicious software

RDP is usually considered a secure and reliable tool in a dedicated network. However, when the RDP port is open to the Internet, there may be serious problems, as it allows anyone to attempt to connect to the remote server. If the connection is successful, the attacker will gain access to the server and can do anything within the permissions of the compromised account.
Using RDP to deploy malicious software is not a new threat, but the rapid growth of remote work during the pandemic has made this security risk worse.
According to a report by Kaspersky, at the beginning of March 2020, there were about 200,000 RDP brute-force attacks in the United States every day, which increased to nearly 1.3 million by the middle of April. Now, RDP is considered to be the largest single attack vector for ransomware.
RDP can be abused in many ways; the four main stages are the following:
  1. Scanning for exposed RDP ports: Attackers use free, easy-to-use scanning tools and search engines such as Shodan to scan the entire Internet for exposed RDP ports.

  2. Attempting to log in: Attackers may brute-force usernames and passwords, buy access to already-compromised machines from underground markets, or use targeted social engineering to obtain a login.

  3. Destroying system security: Once the attacker has escalated privileges, they focus on making the network as insecure as possible, for example by disabling antivirus software, deleting backups, changing normally locked configuration settings, and modifying logs.

  4. Post-exploitation: After undermining the system's security, the attacker can deploy ransomware or keyloggers, use the compromised machines to send spam, steal sensitive data, or install backdoors for future attacks.

0x02 How to prevent attacks based on RDP

In July 2020, Emsisoft proposed a new security strategy to help protect users from RDP attacks: cloud monitoring of RDP.
The Emsisoft cloud console monitors the RDP service status of home and enterprise endpoints in real time, so administrators can easily check whether RDP is enabled on a given device. If multiple failed login attempts are detected, the console raises an alert to the administrator, who can then decide whether to disable RDP on the affected device.
It is expected that this simple, effective strategy will soon be implemented by most domestic security products as well.
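As an added example (not part of the original article and not Emsisoft's code), the same threshold-based alerting can be done locally with PowerShell: Find-RdpBruteForce groups failed logons by source address and flags any address that exceeds a threshold inside a sliding time window, and Get-FailedLogonEvents pulls real Event ID 4625 records from the Security log. The sample events, threshold, window and IP addresses below are constructed assumptions.

```powershell
# Added example: flag source addresses with many failed RDP logons in a short window.
function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]]$Events,  # objects with TimeCreated, IpAddress, TargetUserName, LogonType
        [int]$Threshold = 10,                     # failures that trigger an alert (assumption)
        [int]$WindowMinutes = 5                   # sliding window length (assumption)
    )
    $alerts = @()
    foreach ($group in ($Events | Group-Object IpAddress)) {
        $times = @($group.Group | Sort-Object TimeCreated | Select-Object -ExpandProperty TimeCreated)
        # Slide a window starting at each failure; alert once per source address.
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end   = $times[$i].AddMinutes($WindowMinutes)
            $count = @($times | Where-Object { $_ -ge $times[$i] -and $_ -le $end }).Count
            if ($count -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    Source    = $group.Name
                    Failures  = $count
                    Users     = (@($group.Group.TargetUserName) | Sort-Object -Unique) -join ','
                    FirstSeen = $times[$i]
                }
                break
            }
        }
    }
    return $alerts
}

# Live collection: failed logons (4625) from the Security log; run as administrator.
# LogonType 10 = RemoteInteractive; with NLA, failures are often recorded as type 3.
function Get-FailedLogonEvents {
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; IpAddress = $d.IpAddress
                               TargetUserName = $d.TargetUserName; LogonType = [int]$d.LogonType }
        } | Where-Object { $_.LogonType -in 3, 10 }
}

# Constructed sample: 12 failures from one address within two minutes, two from another.
$now = Get-Date
$sample = @(
    0..11 | ForEach-Object { [pscustomobject]@{ TimeCreated = $now.AddSeconds(10 * $_); IpAddress = '203.0.113.7'
                                                TargetUserName = @('administrator', 'admin', 'backup')[$_ % 3]; LogonType = 3 } }
    [pscustomobject]@{ TimeCreated = $now;                IpAddress = '198.51.100.9'; TargetUserName = 'alice'; LogonType = 10 }
    [pscustomobject]@{ TimeCreated = $now.AddMinutes(20); IpAddress = '198.51.100.9'; TargetUserName = 'alice'; LogonType = 10 }
)
Find-RdpBruteForce -Events $sample | Format-Table
```

Replace `$sample` with `Get-FailedLogonEvents -Hours 1` to run against the live log; the only alert from the constructed data is for 203.0.113.7.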

0x03 Eight Common Practices to Ensure RDP Security

First and foremost, RDP should always be disabled unless necessary.
For enterprises that particularly need to use RDP, the following are several methods to prevent RDP from being attacked by brute-force attacks in their work.

1. Use VPN

As mentioned earlier, opening RDP to the Internet will pose serious security risks. In contrast, organizations should use VPNs to allow remote users to securely access the company network without exposing their systems to the entire Internet.

2. Set Strong Passwords

Most RDP-based attacks depend on brute-force cracking. Therefore, enterprises must enforce the use of strong passwords on all RDP client and server endpoints, ensuring that passwords are long, unique, and random.

3. Use Multi-Factor Authentication

Even the strongest password can be leaked. At this point, MFA (Multi-Factor Authentication) provides an additional layer of protection. After enabling MFA, when users log in to RDP, the system requires them to enter their username and password, and then enter a dynamic verification code from their MFA device, which can be based on hardware or software.

4. Use Firewalls to Limit Access

Firewalls can be used to limit access to RDP for specific IP addresses or IP address ranges.

5. Use RD Gateway

Windows Server 2008 and later can use RD Gateway servers, which listen on port 443 and tunnel RDP traffic over SSL.

6. Block IP

Multiple failed login attempts in a short period of time usually indicate that a brute-force attack is in progress. The Windows account lockout policy can be used to limit the number of failed attempts a user may make before the account is locked.

7. Reasonably Allocate Remote Access Permissions

Although all administrators can use RDP by default, many users can do their work without remote access at all. Enterprises should always follow the principle of least privilege and grant RDP access only to those who truly need it.

8. Change the RDP Listening Port

Attackers typically scan the Internet for potential targets by finding computers listening on the default RDP port (TCP 3389). Changing the listening port in the Windows registry can help an enterprise 'hide' exposed connections, but this is only obscurity and provides no real protection; it should be treated as a supplementary measure at most.
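The following PowerShell audit is an added example, not code from the original article; it checks a host against the "disable RDP unless necessary" rule and items 4, 6, 7 and 8 above and returns a list of findings. The registry paths and cmdlets are the standard Windows ones; the maximum acceptable lockout threshold is an assumption, and an English-locale `net accounts` output is assumed.

```powershell
# Added example: audit a Windows host for the RDP practices discussed above.
# Requires Windows 8 / Server 2012 or later and an elevated PowerShell session.
function Test-RdpHardening {
    [CmdletBinding()]
    param(
        [int]$MaxLockoutThreshold = 5   # item 6: lock the account after at most this many failures (assumption)
    )
    $findings = @()
    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $ts 'WinStations\RDP-Tcp'

    # "Disable RDP unless necessary": fDenyTSConnections = 1 means RDP is off.
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
    if ($deny -eq 0) { $findings += 'RDP is enabled; disable it if this host does not need it.' }

    # Item 8: listening port. 3389 is the default that Internet scanners look for.
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
    if ($port -eq 3389) { $findings += 'RDP listens on the default port 3389 (changing it is obscurity, not protection).' }

    # Item 4: the built-in "Remote Desktop" inbound rules should be scoped to management addresses.
    foreach ($rule in Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            $findings += "Firewall rule '$($rule.DisplayName)' accepts RDP from any address; restrict its -RemoteAddress."
        }
    }

    # Item 6: lockout threshold from the effective account policy ("Never" = no lockout).
    # On a domain-joined host this reflects domain policy; English locale assumed for the label.
    $line      = (net accounts) | Select-String 'Lockout threshold'
    $threshold = ($line.Line -split ':\s*')[-1].Trim()
    if ($threshold -eq 'Never') {
        $findings += 'No account lockout threshold; brute-force attempts are unlimited.'
    } elseif ([int]$threshold -gt $MaxLockoutThreshold) {
        $findings += "Lockout threshold is $threshold; lower it to $MaxLockoutThreshold or fewer."
    }

    # Item 7: least privilege. Administrators always have RDP; review who else does.
    $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name)
    if ($members.Count -gt 0) {
        $findings += "Remote Desktop Users contains: $($members -join ', '); confirm each one needs remote access."
    }

    return $findings
}

Test-RdpHardening | ForEach-Object { "[!] $_" }
```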