When global lockdowns were initiated in early 2020, most organizations prioritized business continuity and remote access capabilities to the detriment of server, network and workstation security. The pandemic became a prime opportunity for attackers to launch RDP attacks by identifying public-facing servers with open ports and unpatched vulnerabilities, and working to exploit those weaknesses. Attackers then used common intrusion techniques, like brute force password attacks, to gain access to these organizations’ vulnerable infrastructure and data.
Once inside, attackers exploit unpatched common vulnerabilities and exposures (CVEs). CVE is a database whose purpose is to standardize identification of all publicly known security vulnerabilities and exposures. Every CVE entry has a unique identifier, consisting of the year it was published and a four-digit serial number. As an example, CVE-2019-1182 is a ‘wormable’ vulnerability from 2019, meaning that any malware exploiting a server with this vulnerability could propagate from one vulnerable computer to another without user interaction.
Another wormable vulnerability, CVE-2019-07083 is used for remote code execution and exploits and delivers malicious ransomware payloads on targeted machines. Attackers in control of a single machine can escalate user privileges, exfiltrate valuable data and then propagate malware to another machine on the network. With this foothold in privilege escalation, attackers can quickly propagate malware, and ransomware, throughout an organization. These types of attacks all begin with an RDP attack.
How to Avoid RDP Attacks
Such attacks are, to an extent, inevitable. But there are steps organizations can take to better detect vulnerabilities and respond more effectively if an attack occurs.
Sometimes, blocking all open RDP ports is not an option, as when engineers and administrators need access for business continuity. In these cases, audit logs should be continually logged and monitored for suspicious activity. Keep an eye on authentication logs with Event ID 4625 destined to the potential servers that could be exploited. Keep a cumulative count of the distinct usernames that attempt to log in, but fail. Closely observe failed sign in and inbound RDP connections. Capture IP addresses which exhibit these behaviors, and monitor their activities. Then, compare that IP address to any suspicious activities taking place on machines on the network. If you observe any successful, but suspicious, logins using RDP, investigate the destination server to identify the malicious vector. Then, you can contain and eradicate the threat before it infects any other machine(s) on the network.
You should also conduct vulnerability assessments for every public server and immediately patch any that are found. A delay in patching known vulnerabilities increases the risk of an attack. If RDP ports must remain open, integrate a jump server in your network. A jump server is a hardened, closely monitored device that sits between two dissimilar security zones and can help restrict access to more sensitive infrastructure and data. Requiring RDP or SSH communications to go through a jump server can stop malicious actors from propagating malware or restricting them to service ports with controlled access.
You also should limit server access and IP connections to authorized users. Use strong passwords and maintain password hygiene. Use a custom port for RDP to thwart port scanners; by default, the server listens on port 3389 for both TCP and UDP. Changing the port will not stop a determined attacker, but it will make you a more difficult target.
How to Handle an Attack
If, despite your precautions, an RDP attack succeeds, you should do a post-mortem and identify what went wrong. Once you’ve identified the vulnerabilities and closed any loopholes, you’ll have a better sense of how to defend your network going forward. Taking these steps can help shield your organization from future damage.