
RDP Exposures

Apr 3, 2020


In the midst of the SARS-CoV-2 (aka COVID-19) pandemic, governments around the world are locking down non-essential businesses, and many industries are moving to remote work in order to limit their employees' exposure to the disease. In this rush, however, work-from-home solutions are often provided in unsafe ways that increase the organization's attack surface and expose it to cybercriminals.

One easy trend to analyze is the increased use of Remote Desktop Protocol (RDP). RDP is a feature of Microsoft Windows that allows a computer to be accessed over the network (TCP port 3389), enabling a user to interact with the Windows environment without being physically at the machine. Shodan, an internet scanning project, reports that in the past month there has been a 40% increase in the number of computers exposing RDP directly to the internet.[1]

The RDP protocol has seen several high-profile vulnerabilities over the past year:

  • May 2019: BlueKeep[2] (CVE-2019-0708)
  • August 2019: DejaBlue[3] (CVE-2019-1181 and CVE-2019-1182)
  • January 2020: BlueGate[4] (CVE-2020-0609 and CVE-2020-0610)

These vulnerabilities against RDP and supporting services such as the Remote Desktop Gateway have been exploited to introduce malware from coin miners to ransomware into internal networks worldwide. In addition, credential brute-forcing over RDP has significantly increased in the past year. Many organizations do not enforce strong password policies, and users are notorious for password re-use.
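The credential brute-forcing described above leaves a clear trail in the Windows Security log: a burst of failed logons (Event ID 4625) from one source address, often cycling through several usernames. The following detector is an added example written for this post, not RiskSense tooling. It assumes the events have already been exported as one JSON object per line with the field names shown; the sample records are constructed, and the addresses are documentation prefixes.

```python
"""Flag RDP password-guessing bursts in exported Windows Security events.

Added example, not part of the original post. Assumes one JSON object
per line with the fields ts, event_id, logon_type, user and src_ip;
these names are this example's own, chosen to mirror the fields of a
Windows 4625 (failed logon) event.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: four failures from one address within 40 seconds
# (several usernames), then a single failure and a success from another.
SAMPLE_EVENTS = """
{"ts": "2020-04-03T08:00:01", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"}
{"ts": "2020-04-03T08:00:12", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"}
{"ts": "2020-04-03T08:00:25", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.7"}
{"ts": "2020-04-03T08:00:40", "event_id": 4625, "logon_type": 10, "user": "root", "src_ip": "203.0.113.7"}
{"ts": "2020-04-03T08:05:00", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.20"}
{"ts": "2020-04-03T08:06:00", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.20"}
"""

# Logon type 10 is RemoteInteractive (RDP). Failures rejected at the
# Network Level Authentication stage are commonly logged as type 3
# (Network), so both are counted.
RDP_LOGON_TYPES = {10, 3}
FAILED_LOGON = 4625


def parse_events(text):
    """Parse JSON-lines text into dicts with ts as a datetime."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_bruteforce(events, threshold=4, window=timedelta(seconds=60)):
    """Return {src_ip: (max_failures_in_window, usernames_tried)}.

    A source is reported when at least `threshold` RDP logon failures
    fall inside any sliding `window`; the usernames seen in that window
    are returned so a spray (many users) can be told from a single-user
    guess.
    """
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON and e["logon_type"] in RDP_LOGON_TYPES:
            failures[e["src_ip"]].append((e["ts"], e["user"]))

    alerts = {}
    for ip, items in failures.items():
        items.sort()
        left = 0
        for right in range(len(items)):
            # Advance the window's left edge until it spans <= window.
            while items[right][0] - items[left][0] > window:
                left += 1
            count = right - left + 1
            if count >= threshold:
                users = {user for _, user in items[left:right + 1]}
                if ip not in alerts or count > alerts[ip][0]:
                    alerts[ip] = (count, users)
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {count} RDP failures in 60s, users tried: {sorted(users)}")
```

The lone failure followed by a success from 198.51.100.20 is ordinary user behaviour and is not reported; the four-user burst from 203.0.113.7 is. On a real log the threshold and window should be tuned to the site's normal failure rate, and a hit is a reason to check whether that host is one of the RDP services the next section says should never be on the public internet.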

Attacks against Server Message Block (SMB), another important remote Windows protocol providing features such as file shares (TCP ports 139/445), have been well documented over the years:

  • 2008: Conficker via MS08-067
  • 2017: WannaCry, NotPetya, and many other malwares via MS17-010 (EternalBlue)
  • March 2020: SMBGhost[5] (CVE-2020-0796), a remote code execution vulnerability in the latest SMBv3 protocol

RiskSense highly recommends that protocols such as RDP and SMB not be placed directly on the global internet. These services are safest when hidden behind a firewall device and only accessible through a VPN to the internal network. When a VPN is not available and remote access to these services is required, the risk can be reduced by using IP whitelisting to restrict access to IP addresses known to correspond to the home internet connections of remote workers. Of course, the latest Microsoft patches should be applied to all computers on the organization's network.
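A quick way to verify the recommendation above is to audit the perimeter rule set and flag any allow rule that exposes RDP (3389) or SMB (139/445) to a source range wider than the VPN pool or the whitelisted home addresses. The audit below is an added example for this post, not RiskSense tooling. The rule dicts, their field names and the allowlist are constructed for the example; they stand in for whatever format a real firewall or cloud security group export uses.

```python
"""Audit inbound firewall rules for RDP/SMB reachable beyond an allowlist.

Added example, not part of the original post. Rules are modelled as
dicts with the fields name, proto, port, source and action; this shape
and the sample data are constructed for the example.
"""
import ipaddress

# Services the post recommends keeping off the global internet.
SENSITIVE_PORTS = {3389: "RDP", 445: "SMB", 139: "SMB/NetBIOS"}

# Constructed allowlist: the VPN client pool plus two remote workers'
# home addresses (documentation prefixes, not real hosts).
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.8.0.0/24"),        # VPN client pool
    ipaddress.ip_network("203.0.113.45/32"),    # remote worker A
    ipaddress.ip_network("198.51.100.200/32"),  # remote worker B
]

# Constructed inbound rule set. "rdp-any" and "smb-branch" are the
# kind of rule this audit exists to catch.
SAMPLE_RULES = [
    {"name": "rdp-any",      "proto": "tcp", "port": 3389, "source": "0.0.0.0/0",       "action": "allow"},
    {"name": "rdp-vpn",      "proto": "tcp", "port": 3389, "source": "10.8.0.0/24",     "action": "allow"},
    {"name": "rdp-worker-a", "proto": "tcp", "port": 3389, "source": "203.0.113.45/32", "action": "allow"},
    {"name": "smb-branch",   "proto": "tcp", "port": 445,  "source": "203.0.113.0/24",  "action": "allow"},
    {"name": "https-any",    "proto": "tcp", "port": 443,  "source": "0.0.0.0/0",       "action": "allow"},
    {"name": "smb-deny",     "proto": "tcp", "port": 445,  "source": "0.0.0.0/0",       "action": "deny"},
]


def source_is_allowlisted(source, allowed=ALLOWED_SOURCES):
    """True if every address in `source` lies inside one allowlisted network.

    A whole source range must be contained in a single allowlisted
    network; a /24 that merely overlaps a whitelisted /32 is not enough.
    """
    net = ipaddress.ip_network(source, strict=False)
    return any(net.subnet_of(a) for a in allowed if a.version == net.version)


def audit_rules(rules, allowed=ALLOWED_SOURCES):
    """Return findings for allow rules exposing a sensitive TCP port too widely."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["proto"] != "tcp":
            continue
        service = SENSITIVE_PORTS.get(rule["port"])
        if service is None:
            continue
        if not source_is_allowlisted(rule["source"], allowed):
            findings.append({"rule": rule["name"], "service": service, "source": rule["source"]})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"EXPOSED: rule {f['rule']} allows {f['service']} from {f['source']}")
```

The containment check matters: a rule allowing SMB from the whole 203.0.113.0/24 is flagged even though one whitelisted worker lives in that block, because the whitelist is meant to name individual home connections, not their ISPs' address space. Rules on unrelated ports and explicit denies are ignored.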

It is important in these times not only to move rapidly, but to do so in robust and secure ways. An organization afflicted with ransomware will likely suffer months of lost productivity and irreparable brand damage. It is worth paying the cost up front to set up work-from-home environments properly.

________________________________

[1] https://blog.shodan.io/trends-in-internet-exposure/
[2] https://en.wikipedia.org/wiki/BlueKeep
[3] https://msrc-blog.microsoft.com/2019/08/13/patch-new-wormable-vulnerabilities-in-remote-desktop-services-cve-2019-1181-1182/
[4] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609
[5] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796