RDP – the gift that keeps on giving

It’s long been known (at least in security circles) that the RDP protocol, as well as its client and server implementations, is horribly broken. While a BlueKeep worm (BlueKeep being the most recent RDP vulnerability) has yet to surface, brute-force password attacks against exposed RDP services are a dime a dozen and arrive at a rapid rate.

PoC code is available for DoS attacks and limited RCE on BlueKeep (CVE-2019-0708, a pre-authentication flaw in Remote Desktop Services on Windows 7, Server 2008/2008 R2 and earlier), and while attacks in the wild have yet to be seen, this is a case of when rather than if.

A recent honeypot test with 10 RDP servers around the world resulted in the first service being found within 1m30s. There were 4.3 million login attempts against these honeypots, at a logarithmically increasing rate, over the month-long test, after which it was ended.

Two payloads dominate current RDP intrusions:

  • ransomware
  • cryptomining

Both carry a direct financial incentive for the attacker, and since the intrusion itself is typically low-cost and low-effort, both are seeing widespread use.

At least 5 malware families are being used for ransomware attacks at the moment, including Ryuk, a very destructive piece of malware (municipal services in the US are being infected at a rapid rate) that is generally distributed through Trickbot via spam email or the Emotet downloader trojan. PowerShell is a common tool used by Trickbot to infiltrate targets and install Ryuk …

Brute-force password attacks remain an effective way in purely because of the poor password choices made by the people who operate and administer RDP machines, even after decades of user education. The absence of a simple, built-in multi-factor control in RDP is also an issue: a 2FA/OTP or PKI (smart-card) requirement on the listener would stop this class of attack dead in its tracks. But admins resist such changes because any additional security affects the ease of use of RDP (and other access mechanisms). In addition, Microsoft’s recommended design for RDP requires significant infrastructure (AD, an RD Gateway, a proxy, MFA) and skill that is beyond most organisations except large enterprises.

So if RDP is so bad, why is it still seeing significant use with direct exposure to the internet?

  • poor security practices
  • complexity of (and skill required for) running a recommended configuration
  • inexperienced/unskilled administrators
  • bad firewall configurations
  • plain ignorance

Until RDP is replaced or improved, the buck stops with administrators. They can reduce their company’s exposure by putting RDP behind a Remote Desktop Gateway and enabling multi-factor authentication. While effective against credential harvesting, this still leaves the RDP servers themselves exposed to zero-day exploits and unpatched vulnerabilities such as BlueKeep. Enabling Network Level Authentication at least forces an attacker to hold valid credentials before the vulnerable pre-authentication code path is reached, but that is a mitigation, not a substitute for patching.

A VPN should be required before RDP is reachable at all: this removes the public exposure of RDP completely and makes it significantly harder for an attacker to use the service to distribute malware.

Administrators can further harden their machines against credential harvesting by not allowing domain administrators to log in via RDP; enabling RDP only for the people who need it; securing idle accounts; rate-limiting or capping the number of password retries each user is allowed (account lockout); and strength-testing users’ passwords.
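The steps above, applied to a single Windows host, as an added example that is not part of the original post. The domain name CONTOSO, the group CONTOSO\rdp-operators and the 10.0.0.0/8 management network are placeholders; the script also turns on NLA and TLS for the listener, which the post does not list but which belongs in the same pass. It uses only built-in tooling (the LocalAccounts and NetSecurity modules, secedit and net accounts) and must run elevated. Password strength testing is not included: that needs the account hashes and a separate cracking tool.

```powershell
#Requires -RunAsAdministrator
# Added example: local RDP hardening on one Windows host. CONTOSO, the
# rdp-operators group and 10.0.0.0/8 are assumptions; replace them.
$RdpGroup    = 'CONTOSO\rdp-operators'      # who may RDP in (assumption)
$MgmtNetwork = '10.0.0.0/8'                 # only source allowed to reach 3389 (assumption)
$IdleDays    = 90                           # disable local accounts idle longer than this
$rdpTcp      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Require Network Level Authentication and TLS on the listener. NLA makes the
#    client authenticate before a session is created, which is also Microsoft's
#    partial mitigation for BlueKeep (CVE-2019-0708); it does not replace the patch.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord

# 2. Only the people who need it: non-admins get the remote-interactive logon
#    right through membership of the local "Remote Desktop Users" group.
if (-not (Get-LocalGroupMember -Group 'Remote Desktop Users' -Member $RdpGroup -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $RdpGroup
}

# 3. Keep domain administrators off RDP by giving Domain Admins the
#    "Deny log on through Remote Desktop Services" right. Windows PowerShell has
#    no cmdlet for user-rights assignment, so export/edit/import with secedit.
#    Do not apply this on a domain controller unless you have another admin path.
$daSid = ([System.Security.Principal.NTAccount]'CONTOSO\Domain Admins').Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$text = Get-Content $cfg
$line = $text | Where-Object { $_ -match '^SeDenyRemoteInteractiveLogonRight' }
if (-not $line) {
    # right not yet assigned: add it under the [Privilege Rights] section
    $text = $text -replace '^\[Privilege Rights\]$',
                           "[Privilege Rights]`r`nSeDenyRemoteInteractiveLogonRight = *$daSid"
} elseif ($line -notmatch [regex]::Escape($daSid)) {
    # right assigned to others already: append Domain Admins to the list
    $text = $text -replace '^(SeDenyRemoteInteractiveLogonRight\s*=.*)$', "`$1,*$daSid"
}
Set-Content -Path $cfg -Value $text -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'secpol.sdb') /cfg $cfg /areas USER_RIGHTS | Out-Null

# 4. Cap password retries: lock local accounts after 5 failures within 15 minutes
#    for 15 minutes, and require a sane minimum length. Domain accounts get the
#    equivalent from the Default Domain Policy, not from here.
net accounts /lockoutthreshold:5 /lockoutwindow:15 /lockoutduration:15 /minpwlen:14 | Out-Null

# 5. Secure idle accounts: disable enabled local users that have not logged on in
#    $IdleDays. Accounts that never logged on have no LastLogon and are included;
#    the account running this script is skipped so it cannot lock itself out.
Get-LocalUser | Where-Object {
    $_.Enabled -and $_.Name -ne $env:USERNAME -and
    (-not $_.LastLogon -or $_.LastLogon -lt (Get-Date).AddDays(-$IdleDays))
} | Disable-LocalUser

# 6. Even behind a VPN or gateway, scope the built-in Remote Desktop firewall
#    rules to the management network so a careless change elsewhere cannot
#    expose 3389 to the world.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -Enabled True -RemoteAddress $MgmtNetwork

# Every step above is idempotent, so the script can be re-run as a check.
# Print the listener settings and the RDP group so the result is visible.
Get-ItemProperty -Path $rdpTcp | Select-Object UserAuthentication, SecurityLayer
Get-LocalGroupMember -Group 'Remote Desktop Users'
```

Run it once per host, then verify with `secedit /export` that `SeDenyRemoteInteractiveLogonRight` contains the Domain Admins SID (the one ending in `-512`) and with `net accounts` that the lockout threshold took effect. On domain-joined machines the same settings are better delivered through Group Policy, which is the "recommended configuration" the post refers to; this script is the minimum a single administrator can do without that infrastructure.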

RDP should not be directly exposed to the Internet. At all. Simple. Don’t do it.