News and Updates on Information Technology

Security Advisory- Securing Remote Desktop Protocol (RDP)

With the Thanksgiving holidays fast approaching, the threat of ransomware attacks on your environment becomes more imminent, because attackers favour periods when staff are away and response is slow. To give you peace of mind during your time with family and loved ones, we at dinCloud want to offer a few suggestions on how you can secure your Remote Desktop Protocol (RDP) exposure.

BACKGROUND

Attacks that abuse remote administration tools, in particular Remote Desktop Protocol (RDP), have increased since mid-to-late 2016, alongside the rise of dark-web markets selling RDP access. Malicious cyber actors scan the Internet for exposed RDP listeners, then exploit weak credentials or unpatched hosts to take over accounts, steal login credentials, and encrypt or hold sensitive information for ransom. dinCloud's Security Team recommends that you review and understand which forms of remote access are permitted on your networks, and take appropriate steps to reduce the likelihood of compromise, including disabling RDP wherever it is not needed.

VULNERABILITIES

Weak passwords – passwords composed of dictionary words, or that lack a mixture of uppercase and lowercase letters, digits, and special characters, are vulnerable to brute-force and dictionary attacks. Password reuse makes credentials stolen from another service work against RDP as well.
Outdated versions of RDP, or an unpatched CredSSP (the authentication provider that protects the RDP logon, not the session encryption), can be downgraded or intercepted, enabling a man-in-the-middle attack. Configure RDP to require Network Level Authentication over TLS rather than legacy RDP security, and keep CredSSP patched.
Allowing unrestricted access from the Internet to the RDP listener (TCP port 3389 by default); Internet-wide scanners find an exposed listener within minutes of it coming online.
Allowing unlimited login attempts against a user account, so that a brute-force attack is never locked out.

EXAMPLES OF THREATS

CrySiS Ransomware: CrySiS ransomware primarily targets US businesses through open RDP ports, using both brute-force and dictionary attacks to gain unauthorized remote access. CrySiS then drops its ransomware onto the device and executes it. The threat actors demand payment in Bitcoin in exchange for a decryption key.
CryptON Ransomware: CryptON ransomware utilizes brute-force attacks to gain access to RDP sessions, after which the threat actor manually executes malicious programs on the compromised machine. Cyber actors typically request Bitcoin in exchange for decryption directions.
SamSam Ransomware: The SamSam operators use a wide range of intrusion methods, including brute-force attacks against RDP-enabled machines. In July 2018, SamSam threat actors brute-forced RDP login credentials to infiltrate a healthcare company; the ransomware encrypted thousands of machines before it was detected.
Dark Web Exchange: Threat actors buy and sell stolen RDP login credentials on the Dark Web. The value of a credential is determined by the location of the compromised machine, the software available in the session, and any additional attributes that increase the usability of the stolen resource.

SUGGESTIONS FOR PROTECTION

The use of RDP creates risk. Since RDP has the ability to remotely control a system entirely, usage should be closely regulated, monitored, and controlled. dinCloud recommends implementing the following best practices to protect against RDP-based attacks:

Audit your network for systems that accept RDP connections. Disable the service where it is not needed; where it is needed, apply all available patches.
Verify that no cloud-based virtual machine instance with a public IP has its RDP port (TCP 3389 by default) open to the Internet unless there is a documented business reason. Moving the listener to a non-default port reduces automated scanning noise but is not a security control on its own: place any system with an open RDP port behind a firewall and require users to connect through a Virtual Private Network (VPN) before they can reach it.
Enforce strong passwords and account lockout policies to defend against brute-force attacks.
Require two-factor authentication wherever possible.
Apply system and software updates regularly.
Maintain a good backup strategy, with copies that an attacker holding RDP access to the server cannot reach or encrypt.
Enable logging and make sure the logging mechanisms capture RDP logins, both successful and failed, with the source IP address. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
When creating cloud-based virtual machines, follow the best practices for remote access from the start rather than retrofitting them.
Require third parties that need RDP access to follow your internal policies on remote access.
Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled at all.
Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs, recognizing that a VPN is only as secure as the devices connected to it.
Do not use the default domain administrator account "Administrator" for day-to-day administration; its name is known to every attacker, and activity under it cannot be attributed to a person.
Create separate, named domain administrator accounts for administration purposes, and monitor the built-in account for any unexpected use.
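The following script is an added example for this advisory, written by the editor and not a dinCloud tool, that walks the recommendations above on a single Windows host: it reports whether RDP is enabled, whether the listener requires Network Level Authentication and TLS, which firewall rules expose the listening port, whether an account lockout threshold is set, the state of the built-in Administrator account, and which source addresses have been hammering the RDP logon in the last seven days. It assumes an elevated PowerShell session on the host itself, Windows 10 / Server 2016 or later (for Get-LocalUser and the NetSecurity cmdlets), English-language `net accounts` output, and that logon auditing is already enabled; the 20-failure and 7-day thresholds are arbitrary values to be tuned per environment. The registry paths, event IDs and logon types are standard Windows values.

```powershell
# Added example (editor-supplied, not dinCloud's own tooling): audit one Windows host's RDP
# exposure and review its Security log for brute-force attempts against RDP.
# Assumptions: elevated session on the host; Windows 10 / Server 2016+; English 'net accounts'
# output; Logon auditing enabled; 20 failures / 7 days are arbitrary thresholds.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means it is disabled.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 1) {
    Write-Host 'RDP is disabled on this host (fDenyTSConnections=1).'
} else {
    Write-Warning 'RDP is ENABLED. If there is no business need for it, disable it:'
    Write-Warning "  Set-ItemProperty -Path '$ts' -Name fDenyTSConnections -Value 1"
}

# 2. Listener settings: port, Network Level Authentication (CredSSP) and TLS security layer.
$listener = Get-ItemProperty -Path $rdp
Write-Host ('Listening port : {0}' -f $listener.PortNumber)
Write-Host ('NLA required   : {0}' -f ($listener.UserAuthentication -eq 1))
Write-Host ('SecurityLayer  : {0}  (2 = TLS, 1 = negotiate, 0 = legacy RDP security)' -f $listener.SecurityLayer)
if ($listener.UserAuthentication -ne 1 -or $listener.SecurityLayer -lt 2) {
    Write-Warning 'Require NLA and TLS so a legacy or downgraded handshake cannot be intercepted:'
    Write-Warning "  Set-ItemProperty -Path '$rdp' -Name UserAuthentication -Value 1"
    Write-Warning "  Set-ItemProperty -Path '$rdp' -Name SecurityLayer -Value 2"
}

# 3. Which enabled inbound allow rules expose that port, and from which remote addresses?
#    A RemoteAddress of 'Any' on a rule active in the Public profile means Internet-reachable.
$port = [string]$listener.PortNumber
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains $port } |
    Select-Object DisplayName, Profile,
        @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } } |
    Format-Table -AutoSize

# 4. Effective account lockout policy (a domain GPO can override what 'net accounts' reports).
$lockoutLine = (net accounts) | Select-String 'Lockout threshold'
$threshold   = ($lockoutLine.Line -split ':', 2)[1].Trim()
if ($threshold -eq 'Never') {
    Write-Warning 'No lockout threshold: a brute-force attack runs unopposed. Example policy:'
    Write-Warning '  net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30'
} else {
    Write-Host "Lockout threshold: $threshold bad attempts"
}

# 5. Built-in Administrator (RID 500) is found by SID so a rename does not hide it. This checks
#    the local account; the domain account needs Get-ADUser against a domain controller.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
Write-Host ('Built-in admin : name={0} enabled={1} lastLogon={2}' -f $builtin.Name, $builtin.Enabled, $builtin.LastLogon)

# 6. Last 7 days of Security log: 4624 = successful logon, 4625 = failed logon.
#    LogonType 10 = RemoteInteractive (RDP). With NLA enabled, FAILED RDP attempts are logged
#    as LogonType 3 (network), because CredSSP authenticates before a session exists.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue
$logons = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $isRdp = $data['LogonType'] -eq '10' -or ($e.Id -eq 4625 -and $data['LogonType'] -eq '3')
    if ($isRdp -and $data['IpAddress'] -notin '-', '127.0.0.1', '::1') {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Result = $(if ($e.Id -eq 4624) { 'success' } else { 'failure' })
            User   = $data['TargetUserName']
            Source = $data['IpAddress']
        }
    }
}

# 7. Sources with many failures, and any SUCCESS from one of them (investigate immediately).
$noisy = $logons | Where-Object Result -eq 'failure' | Group-Object Source |
         Where-Object Count -ge 20 | Sort-Object Count -Descending
$noisy | Select-Object @{ n = 'Source'; e = { $_.Name } }, Count | Format-Table -AutoSize
foreach ($src in $noisy.Name) {
    $logons | Where-Object { $_.Result -eq 'success' -and $_.Source -eq $src } | ForEach-Object {
        Write-Warning ('RDP logon for {0} from brute-forcing source {1} at {2}' -f $_.User, $_.Source, $_.Time)
    }
}
```

Run it from an elevated prompt on each host that accepts RDP, and feed the same 4624/4625 filter into your central log platform so the review covers the 90-day retention window rather than one host's local log. The NLA caveat in step 6 matters: if you only look for LogonType 10, an NLA-protected host will show almost no failed RDP attempts even while it is under attack.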

Reference and Links

To see a list of vulnerabilities related to RDP, please refer to: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rdp+windows
For further details about securing RDP refer to: https://security.berkeley.edu/education-awareness/best-practices-how-tos/system-application-security/securing-remote-desktop-rdp

We wish you a joyous, blissful, and safe Holiday Weekend.