RDP attacks increase during COVID-19 pandemic


Companies forced to use remote work environments after the COVID-19 pandemic may have exposed themselves to the possibility of Remote Desktop Protocol (RDP) attacks.

At the beginning of 2020, the global lockdown was introduced, which meant that a great many entrepreneurs started working from home by means of remote desktop software. The pandemic became a prime opportunity for hackers to launch RDP attacks by identifying and exploiting public servers with open ports and unpatched vulnerabilities. Hackers then used common intrusion techniques, such as brute-force password attacks, to gain access to these organizations' vulnerable infrastructure and data.

Once inside, attackers exploit unpatched common vulnerabilities and exposures (CVEs). Each CVE entry has a unique identifier consisting of the year of publication and a four-digit serial number. For example, CVE-2019-1182 is a "wormable" vulnerability from 2019, meaning malware that exploits a server with this vulnerability can spread from one vulnerable computer to another without user intervention.

Another wormable vulnerability, CVE-2019-07083, allows remote code execution and is used to deliver malicious ransomware payloads to targeted machines. Attackers in control of a single machine can escalate user privileges, exfiltrate valuable data, and then spread malware to other machines on the network. From that foothold, attackers can quickly disseminate malware and ransomware throughout the organization. These types of attacks all start with an RDP attack.

How to Prevent RDP Attacks

Such attacks are inevitable to some extent. But there are steps organizations can take to better detect vulnerabilities and respond more effectively if an attack occurs.

Sometimes blocking all open RDP ports is not an option, such as when engineers and administrators need access for business continuity. In these cases, audit logging must be enabled and the logs continuously monitored for suspicious activity. Keep an eye on authentication logs with event ID 4625 (failed logon) on the servers that could be targeted, and keep a cumulative count of the different usernames trying to log in.

Watch closely for login failures and incoming RDP connections. Log the IP addresses that exhibit this behavior and track their activities. Then compare each of those IP addresses against any suspicious activity happening on machines on the network. If you see successful but suspicious RDP logins, investigate the target server to identify the malicious vector. Then you can contain and eradicate the threat before it infects other machines on the network.
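The monitoring described above, as an added example that is not part of the original article: a small Python script that parses a constructed sample of Windows Security logon events (4625 failed logon, 4624 successful logon, LogonType 10 meaning an RDP session), keeps a per-source-IP count of failures and distinct usernames tried, and flags a successful RDP logon that arrives from an IP address which had already accumulated many failures. The log line format, the IP addresses and the usernames are all constructed for the example; the event IDs and field names (TargetUserName, IpAddress, LogonType) are the standard Windows ones. The failure threshold of 5 is an assumption and should be tuned to your environment.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample log lines (not real data). Each line carries the fields a
# Windows Security event 4625 (failed logon) or 4624 (successful logon) exposes:
# TargetUserName, IpAddress and LogonType (10 = RemoteInteractive, i.e. RDP).
SAMPLE_LOG = """\
2020-04-01T02:00:01 4625 TargetUserName=administrator IpAddress=203.0.113.10 LogonType=10
2020-04-01T02:00:04 4625 TargetUserName=admin IpAddress=203.0.113.10 LogonType=10
2020-04-01T02:00:09 4625 TargetUserName=backup IpAddress=203.0.113.10 LogonType=10
2020-04-01T02:00:15 4625 TargetUserName=sqlservice IpAddress=203.0.113.10 LogonType=10
2020-04-01T02:00:22 4625 TargetUserName=test IpAddress=203.0.113.10 LogonType=10
2020-04-01T02:00:31 4625 TargetUserName=jdoe IpAddress=203.0.113.10 LogonType=10
2020-04-01T02:03:30 4624 TargetUserName=jdoe IpAddress=203.0.113.10 LogonType=10
2020-04-01T08:15:00 4625 TargetUserName=alice IpAddress=198.51.100.7 LogonType=10
2020-04-01T08:15:20 4624 TargetUserName=alice IpAddress=198.51.100.7 LogonType=10
2020-04-01T09:00:00 4625 TargetUserName=bob IpAddress=192.0.2.5 LogonType=10
2020-04-01T09:00:30 4625 TargetUserName=bob IpAddress=192.0.2.5 LogonType=10
2020-04-01T09:01:00 4625 TargetUserName=bob IpAddress=192.0.2.5 LogonType=10
"""

FAILURE_THRESHOLD = 5  # assumed value; tune to the normal failure rate of your servers


@dataclass
class LogonEvent:
    when: datetime
    event_id: int
    user: str
    ip: str
    logon_type: int


def parse_log(text: str) -> List[LogonEvent]:
    """Parse the constructed 'timestamp event_id key=value ...' lines into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid),
                                 kv["TargetUserName"], kv["IpAddress"],
                                 int(kv["LogonType"])))
    return events


def failure_stats(events: List[LogonEvent]) -> Dict[str, Tuple[int, Set[str]]]:
    """Per source IP: number of 4625 failures and the distinct usernames tried."""
    counts: Dict[str, int] = defaultdict(int)
    users: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.event_id == 4625:
            counts[e.ip] += 1
            users[e.ip].add(e.user)
    return {ip: (counts[ip], users[ip]) for ip in counts}


def brute_force_sources(events: List[LogonEvent],
                        threshold: int = FAILURE_THRESHOLD) -> List[str]:
    """IP addresses whose failed-logon count reached the threshold."""
    return sorted(ip for ip, (n, _) in failure_stats(events).items() if n >= threshold)


def suspicious_successes(events: List[LogonEvent],
                         threshold: int = FAILURE_THRESHOLD) -> List[Tuple[str, str, str]]:
    """Successful RDP logons (4624, LogonType 10) from an IP that had already
    accumulated `threshold` or more failures earlier in the log: the pattern of
    a brute-force attempt that eventually found a working password."""
    failures_so_far: Dict[str, int] = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda ev: ev.when):
        if e.event_id == 4625:
            failures_so_far[e.ip] += 1
        elif e.event_id == 4624 and e.logon_type == 10 and failures_so_far[e.ip] >= threshold:
            hits.append((e.ip, e.user, e.when.isoformat()))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, (n, names) in failure_stats(evs).items():
        print(f"{ip}: {n} failures, usernames tried: {sorted(names)}")
    print("brute-force sources:", brute_force_sources(evs))
    print("successful logons after many failures:", suspicious_successes(evs))
```

In the sample, 203.0.113.10 tries six different usernames in half a minute and then logs in as jdoe, which is the "successful but suspicious" case the article says to investigate; 192.0.2.5 fails three times for one user and never succeeds, and 198.51.100.7 is a user mistyping a password once. The distinct-username set per IP is the cumulative count the article asks for, and many usernames from one source is a stronger signal than many failures for a single account.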

You should also perform vulnerability assessments for each public server and immediately patch every server found to be vulnerable. A delay in patching known vulnerabilities increases the risk of an attack. If RDP ports must remain open, integrate a jump server into your network. A jump server is a hardened, tightly controlled device that sits between two different security zones and can help limit access to more sensitive infrastructure and data. Requiring all RDP or SSH communication to pass through a jump server limits an attacker's ability to distribute malware and restricts exposure of service ports to connections with controlled access.

You should also restrict server access and IP connections to authorized users. Use strong passwords and enforce password strength. Use a custom port for RDP to thwart port scanners; by default, the server listens on port 3389 for both TCP and UDP. Changing the port won't stop a determined attacker, but it will make you a harder target.

How to deal with an attack

If, despite your precautions, an RDP attack succeeds, you must perform a post-mortem and determine what went wrong. Once you have identified the vulnerabilities, resolve any loopholes. By taking these steps, you can protect your business from future damage.

Do you think you have been hacked, or do you suspect that you have been the target of a hack? Then don't hesitate any longer: take matters into your own hands and contact Flexamedia. We provide the technical knowledge and the necessary tools in the field of IT security to ensure that you can continue working without worries.
