Attacks against Remote Desktop Protocol (RDP) aren’t a new technique, but they have been rising in usage over in recent years. This uptick can be attributed to remote work, the technique’s ease and low cost, and high profitability for the threat actor. Used primarily to target smaller businesses with improper configurations, RDP can be your greatest liability when malicious actors strike. In this blog, we discuss how certain techniques take advantage of RDP insecurities, as well as what mitigation tactics you can implement today.

RDP is a network communications protocol developed by Microsoft in the early 2000s. It is built into enterprise and pro versions of Windows. RDP is used for two primary purposes:

• Remote Desktop Access: Users can utilize remote access to their physical work desktop computer from another device.
• Remote Administration: Technicians can perform remote administrative work by physically accessing the device.

After the RDP software is connected, the user can use applications, access and edit files, and more, on the connected computer.

Although attacks against RDP are a current trend, they aren’t new. RDP takeover has been one of the top initial attack vectors used by ransomware threat actors, even before the COVID-19 pandemic. Its place of prominence among other attack vectors, such as email phishing and software vulnerability, is unsurprising for multiple reasons including:

• The rise and continuation, of hybrid and remote work
• The low cost of execution
• The lack of expertise necessary
• The popularity of utilization among both amateur actors and specialized cybercriminals

Threat actors have honed in on a vulnerable population with insecure protocol and have gained the necessary means for attack at a low cost, leading to high profitability. Novice threat actors use affiliate-based ransomware services, while experienced cybercriminals specialize in mass distribution of software who buy ransomware.

Getting even more specific, the attack vector used is often indicative of the size of targets a malicious group prefers. Businesses with a lower employee count, often between one to one hundred, usually have lower budgets, insufficient IT security resources, and therefore insecure RDP configurations, leaving their RDP open to the internet. Therefore, many factors are working in favor of malicious actors.

While RDPs enable remote assistance and work, Pass the Hash (PtH) attacks and Trojan horses, among other tactics, techniques, and procedures (TTPs), can also be deployed using an RDP. Once takeover has occurred, adversaries are able to access and edit anything that the computer has access to. It can also be used as a gateway to hacking into other computers on the affected network.

Security aside, the internet connection necessary to run an RDP should be addressed. If your connection is not strong enough, you may experience latency issues or an inability to connect. If your employees are using this tool, they will need to be close to a router or extender. This diminishes the level of flexibility that it provides for remote work to a degree.

Hijacking
RDP sessions, active or disconnected, can be hijacked without credentials or accepted prompts by the user. They can then be used for login access, malware detonation, and/or ‘live off the land’ procedures. PtH can be used to gain lateral movement, giving an attacker the ability to act as any user within the domain. Threat actors can also route RDP connections and move further into an environment through secure proxies. All the while, you may be oblivious, as these tactics appear to be normal network behavior.

Sticky Keys
Adversaries may exploit accessibility features to gain unauthenticated access through a remote desktop login screen. For example, Sticky Keys allows a user to operate their keyboard one-handed, with a typing wand, or a mouth stick. Modifier keys, such as Shift, Alt, and Ctrl, can be pressed one at a time, while your computer reads them as being pressed simultaneously. Within an RDP session, this tool can be used to obtain persistence, maintaining long-term access to systems despite disruptions such as restarts or changed credentials.

Brute Force
RDP brute force attacks escalated throughout all of 2020 and 2021 with an increase of 274% in Q4 of 2021. Hackers use tools that auto-attempt passwords repeatedly until they’ve successfully accessed your computer right from the internet. Malicious actors can appear as legitimate users to gain system access and control. Therefore, multiple layers of defense behind login credentials are necessary.

Malware
Intrusive software that has been bought, stolen, or downloaded, can be configured to support cyber adversaries’ operations. One malicious group is known to use two types of malware: one for checking keys within HKEY_CURRENT_USER (HKCU) – current user settings, and HKEY_LOCAL_MACHINE (HKLM) – machine settings for all users – to determine if a Remote Desktop app is present, and the second for RDP propagation. Computer worms, which replicate themselves, can also be used to spread across other computers. Another type of ransomware enumerates all current Remote Desktop sessions, attempting the execution of malware on each one.

Protocol Tunneling
Tunneling involves explicitly encapsulating a protocol within another. This behavior conceals malicious traffic by blending in with existing traffic and/or providing an outer layer of encryption. Protocol tunneling, specifically, misuses RDP. Communications and RDP traffic on a compromised computer can be tunneled from a victim’s environment over internet connections, through open-source tools, and/or within a separate protocol. The latter enables adversaries to avoid detection or network filtering as well as access to otherwise unreachable systems.

• Beat Them to the Punch:
  •  Restrict user privileges and permissions to those who need them. Overly permissive roles being assigned to non-privileged accounts can lead to compromised access, privilege elevation, and lateral movement.
  • Operate from a zero-trust mentality.
  • Establish firewall rules to restrict access to port 3389 and block RDP traffic between network security zones.
  • Use Remote Desktop gateways.
  • Make sure Network Level Authentication is enabled in Windows.
• Give Hackers a Hard Time:
  • Implement 2FA or MFA whenever possible.
  • Utilize strong passwords.
  • Establish maximum encryption for RDP connections.
  • Log RDP login attempts.
  • Limit the number of allowed attempts before the account is locked.
  • Change Group Policy (GPOs) to establish shorter timeout sessions and set a maximum amount of time a single session can be active, including disconnected sessions.
• Keep Your House in Order:
  • Audit your accounts, groups, and network for systems using RDP.
  • Remove any unnecessary access to RDP.
  • Close unused RDP ports.
  • Block RDP ports from external networks.
  • Ensure systems are up to date and that auto security updates are taking place.
  • Consider moving the local administrator group from the list able to log in through RDP.
  • Disable RDP if possible. If not, put it behind a virtual private network (VPN).

If your networks are compromised, change your credentials immediately.

The reality is that many organizations rely on core protocols, tools, and practices for their businesses to run efficiently. Many smaller teams require RDP to work smarter, not harder. Keep in mind, though, that what enables us can also enable a malicious actor. If your RDP isn’t properly protected, it can be an easy and inexpensive access point for an opportunistic actor to exploit. Understanding the trends, dangers, and mitigation steps allows businesses of all sizes to strengthen their defenses when it comes to RDP. Awareness and proper configuration can be what prevent a threat actor from gaining a foothold in your network.

Blackpoint Cyber is a provider of leading-edge cybersecurity threat hunting, detection, and response technology. Founded by former United States Department of Defense (DoD) and intelligence security experts, we fuse real security with real responses to protect what’s most important to you. Our true, 24/7 Managed Detection & Response (MDR) service works in tandem with our Security Operations Center (SOC) team to take in real-time threat alerts, respond immediately, and eradicate malicious actors’ access to your networks. Before lateral movement can happen, trust Blackpoint to eliminate any chance of further compromise. If you’re interested in decades of extensive knowledge in real-world defensive and offensive tactics protecting you and your client’s business, contact us today!