Remote Desktop Protocol (RDP) Vulnerability Exposes Millions of Users

Cyber-criminals take advantage of a familiar sys admin tool

They say familiarity breeds contempt, but in the realm of cybersecurity, it also opens the door to vulnerability. Few things inflame a CISO’s contempt more quickly than exposing their enterprise’s sensitive data to hackers, but that is just what many sys admins are doing by relying on Microsoft’s all-too-familiar Remote Desktop Protocol (RDP).

RDP is a Microsoft protocol that presents a remote computer’s graphical desktop over a network. While it gives sys admins a handy way to make quick changes and updates to a user’s computer, any RDP endpoint an attacker can reach offers exactly the same easy access to cyber-criminals.

“Let’s face it, it’s familiar,” CSO Online reported in discussing the latest RDP vulnerability. “It uses tools and techniques that we’ve used for years. It provides us with a resulting desktop that we’re familiar with. That familiarity means that attackers are familiar with it, too.”

According to British security company Sophos, cybercriminals are exploiting exposed RDP to launch an increasing number of ransomware attacks. The best-known RDP flaw is BlueKeep (CVE-2019-0708), a pre-authentication remote code execution bug in the RDP service that is “wormable”: malware exploiting it can spread from one unpatched host to the next with no user interaction, so a single exposed server can seed a mass outbreak.

Once inside, attackers can trigger mass ransomware outbreaks and move between the thousands of other RDP-enabled machines a typical network contains, like a hungry fox in the data henhouse. A separate point practitioners often miss: any RDP endpoint reachable from the internet is a target for password-guessing tools even when it is fully patched, because the weakness being attacked is then the credential, not the software. Patching closes BlueKeep; it does nothing against brute force.

If you are still using RDP to connect computers across your enterprise, Saalex recommends never exposing port 3389 directly to the internet. Instead, publish desktops and applications through a Remote Desktop web client behind a Remote Desktop Gateway. Users reach the gateway over HTTPS from the browser of their choice, so the only internet-facing listener is a certificate-validated web endpoint rather than the RDP service itself; the TLS session protects the traffic from man-in-the-middle tampering, and the RDP hosts behind the gateway are not reachable from outside at all.

You can achieve additional peace of mind by deploying a Multi-factor Authentication (MFA) solution, such as those provided by Duo or Microsoft. Installed in front of the portal, such a solution acts as an application proxy, enforcing both MFA and single sign-on (SSO) access control. Azure AD lets you set password complexity requirements and, through its lockout feature, temporarily block sign-ins to an account after a set number of failed attempts.

Once implemented, the above solutions provide the following safeguards:

  • HTTPS-encrypted tunnel — Encrypts the session between the user’s browser and the gateway, so RDP traffic is never carried over the internet in the clear
  • TLS (SSL) certificate — Lets the browser verify that users have reached the genuine portal and not a look-alike site
  • Microsoft Azure MFA — Provides an app that pushes a notification to your smartphone for quick authentication; a prompt you did not initiate is a sign that someone else has your password, and denying it blocks the sign-in
  • Enforced Password Complexity — Reduces the success rate of brute-force attacks
  • Account lockout — Locks an account for 15 minutes after repeated failed attempts, which throttles password guessing to a crawl
  • SSO — Provides access control through your existing Office 365 or Azure AD Connect identities
  • Session-based Connection — Allows you to build multiple RDP servers and migrate your sessions between them to meet high-availability needs or to conduct Windows patch testing

Another step an enterprise can take to reduce exposure to brute-force password attacks is to use the native Windows firewall to set an inbound rule that allows port 3389 only from specific management IP addresses, rather than from any source as the default Remote Desktop rules do.
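The following PowerShell script is an added example, not part of the original article, that applies the firewall restriction just described together with the account lockout and Network Level Authentication settings discussed earlier. The management addresses (10.10.5.0/24 and 10.10.5.10), the rule name and the lockout values are assumptions; substitute your own.

```powershell
# Added hardening example (not from the original article). Run in an elevated
# PowerShell session on the RDP host. The addresses below are placeholders.
$AllowedSources = @('10.10.5.0/24', '10.10.5.10')   # assumed management subnet and jump host

# 1. Disable the built-in "Remote Desktop" inbound rules, which accept 3389 from any address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Disable-NetFirewallRule

# 2. Replace them with a single rule scoped to the management addresses only.
New-NetFirewallRule -DisplayName 'RDP - management only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AllowedSources -Action Allow -Profile Domain,Private

# 3. Require Network Level Authentication and TLS, so an unauthenticated client never
#    reaches the Windows logon screen (this is also the setting that mitigates BlueKeep
#    against unauthenticated attackers while the patch is being rolled out).
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1   # 1 = NLA required
Set-ItemProperty -Path $rdpTcp -Name 'SecurityLayer'      -Value 2   # 2 = TLS only

# 4. Lock local accounts for 15 minutes after 5 failed attempts in a 15-minute window.
#    (Domain accounts follow the domain's lockout policy instead of this local setting.)
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15

# 5. Verify: the only enabled inbound 3389 rule should list the management addresses.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 3389 } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        "{0}: remote = {1}" -f $_.DisplayName, $addr
    }
```

Run this from the console or from an address that is already in the allowed list; otherwise step 1 disconnects the very session you are working from. The profile is limited to Domain and Private deliberately, so that a host that lands on a Public network has no RDP rule at all.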

RDP is also a problem in the cloud, where a freshly launched Windows instance often comes with RDP enabled and port 3389 open to the world by default. Security experts recommend changing the default configuration in standard machine images and in the network rules applied to Windows instances, for example by allowing remote administration only from a management network or through a bastion host, which removes those instances from the pool of internet-facing RDP targets.

The only drawback to these solutions is that they are a bit more complicated to set up than a standard RDP server. The good news is that Valeo Networks has the expertise to assist you in securing or refreshing your current RDP solution before hackers can take advantage of any “familiar” vulnerabilities. Contact us today for a complete assessment of your current cybersecurity posture, including any unaddressed RDP-related issues.
