Remote Desktop Protocol (RDP) has become an important tool for managing company networks in an era of hybrid workspaces. However, an unsecured RDP endpoint is a vector that gives cybercriminals significant leverage when they attack your systems. What malicious activities might threat actors perform via RDP, and how do you prevent them?
What is an RDP endpoint?
It is a Windows device running Remote Desktop Protocol (RDP) software that is reachable from the internet. RDP lets an organization’s Windows devices be accessed remotely as if their keyboards and displays were on your desk. It helps with managing or troubleshooting employee devices and with serving centralized resources such as desktops that run heavy workloads, applications, databases and more.
The number of incidents involving an RDP endpoint has increased in the past few years.
Attackers connect to Windows servers from the internet over RDP, logging on as the computer’s administrator. They get there by exploiting vulnerabilities (such as BlueKeep, CVE-2019-0708), phishing, credential stuffing, password spraying, brute force or poorly configured access to internal systems. Once in, they can determine what the server is used for, by whom and when.
The most common malicious activities performed via RDP:
- Installing ransomware
- Installing cryptomining programs to generate cryptocurrency (such as Monero)
- Installing additional remote-control software to maintain access to compromised servers if RDP activities are discovered
The main vulnerabilities that lead to an attack via RDP are weak login credentials, which expose RDP to brute-force and credential-stuffing attacks. Unrestricted port access is another issue – most RDP connections use the default port 3389, which gives attackers a well-known route in.
Using an unsupported OS, or not updating to the latest version, opens the door to exploits and vulnerabilities. For example, BlueKeep, which came to light in May 2019, is a security vulnerability that largely affected Windows 2000, Windows XP, Windows Vista, Windows 7, Microsoft Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2. It continues to affect IT infrastructure even now. BlueKeep allows attackers to run arbitrary program code on victims’ computers. Individual attackers using automated tools already pose a widespread threat, but BlueKeep is also “wormable”: an attack can spread itself across networks automatically without any intervention by users.
Apart from that, finding systems accessible from the outside and then abusing them for malicious purposes is straightforward for the criminally inclined, because vulnerable RDP systems are easy to find. For example, systems running RDP can be identified with specialized search engines such as Shodan, which constantly scour the internet for connected devices and collect information about them. As of August 2021, Shodan listed over 4 million systems on the internet with RDP port 3389 open.
It is also easy for attackers to gain a foothold on poorly configured RDP systems. Tools and techniques for escalating privileges and obtaining admin rights on compromised RDP systems are widely known and available.
Using RDP safely
If you want to use Remote Desktop Protocol safely, limit RDP access to specific roles and systems that are configured securely, patched promptly, monitored constantly, firewalled appropriately and backed up regularly. Ensure everyone complies with the company rules for using RDP, and make an inventory of your internet-facing assets. It is not unusual for an organization to be attacked via an internet-connected asset unknown to its security staff.
After you complete the inventory of internet-facing assets, document which ones have remote access enabled and decide if that access is necessary. If it is, follow the rules below.
How to lower the chance of a successful RDP attack on your company
1) Disable Remote Desktop Protocol if it’s not in use.
2) Require strong passwords for all accounts that can be logged into via RDP. Also, enable multi-factor authentication (MFA).
3) Change the default RDP port number, so port-scanning tools won’t find it on a list of open RDP ports.
4) Set firewall rules to allow only specific IP addresses to access RDP.
5) Ensure that employees use the latest version of your chosen OS, and ensure that it is updated regularly.
6) Use a VPN to broker the RDP connection; the encryption the VPN provides is its key service here.
7) Replace unsecured computers, such as those with OSes that cannot be updated to the latest version.
8) Enable exploitation blocking in endpoint security software.
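As an added example (not code from the original article), the PowerShell script below audits a Windows host against steps 1, 3, 4, 5 and 7 of the checklist, additionally checks that Network Level Authentication is required, and provides a helper that scopes the RDP firewall rule to an allow-list for step 4. It assumes an elevated PowerShell 5.1 or later session on Windows with the built-in NetSecurity module; the management allow-list is a constructed placeholder.

```powershell
# Added example, not from the original article. Run elevated on the host being audited.
$AllowedManagementHosts = @('10.0.0.0/24')   # placeholder allow-list: replace with your jump hosts

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpAuditFinding {
    $findings = @()

    # Step 1: is RDP enabled at all? fDenyTSConnections = 1 means connections are refused.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($deny -ne 1) { $findings += 'RDP is enabled; disable it if this host does not need remote access.' }

    # NLA makes the client authenticate before a session is created, which limits
    # exposure to brute force and to pre-authentication bugs such as BlueKeep.
    $rdp = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue
    if ($rdp.UserAuthentication -ne 1) { $findings += 'Network Level Authentication (UserAuthentication) is not required.' }

    # Step 3: the listener still uses the default port.
    if ($rdp.PortNumber -eq 3389) { $findings += 'RDP listens on the default port 3389.' }

    # Step 4: enabled inbound allow rules that open the RDP port to any remote address.
    $port = [string]$rdp.PortNumber
    $openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq $port } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
    foreach ($r in $openRules) { $findings += "Firewall rule '$($r.DisplayName)' allows RDP from any address." }

    # Steps 5 and 7: Windows 7 / Server 2008 R2 (kernel 6.1) and older are out of support.
    $ver = [Version](Get-CimInstance Win32_OperatingSystem).Version
    if ($ver -lt [Version]'6.2') { $findings += "Unsupported OS version $ver; upgrade or replace this host." }

    return $findings
}

function Set-RdpScopedFirewallRule {
    # Step 4: replace the broad built-in 'Remote Desktop' rules with one rule scoped to the allow-list.
    param([string[]]$RemoteAddress = $AllowedManagementHosts)
    $port = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName 'RDP (management hosts only)' -Direction Inbound `
        -Protocol TCP -LocalPort $port -RemoteAddress $RemoteAddress -Action Allow
}

# Report every finding; run Set-RdpScopedFirewallRule separately once the allow-list is correct.
Get-RdpAuditFinding | ForEach-Object { Write-Warning $_ }
```

Changing PortNumber or UserAuthentication in the registry takes effect only after the TermService service restarts, so re-run the audit afterwards.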