Remote Access Surge is Nirvana for Hackers

Featured article by James Lui, CTO of Ericom Software for the Americas

Back in the days of Windows XP, Microsoft unleashed its Remote Desktop Connection client (also known as RDP, for Remote Desktop Protocol), a version of which has appeared in every subsequent version of its operating system. Problems, however, have emerged in nearly every version of the protocol, with vulnerabilities including:

* Man-in-the-middle attacks
* harvesting
* Remote code execution

All told, the official list of Common Vulnerabilities and Exposures (CVEs) contains no fewer than 40 entries for RDP. What’s unfortunate, of course, is that more businesses are using RDP than ever before—something that has led to a dramatic increase in attacks leveraging the RDP protocol.

How Are Businesses Vulnerable to RDP Attacks?

With offices suddenly being closed as a result of the COVID-19 pandemic, large numbers of companies began using Microsoft’s built-in RDP, as well as RDP solutions developed by other vendors, to let their employees remotely access the desktops that they normally used in the office. Employees who are working from home, use business or personal computers to log into their work computers via RDP, and see the full desktop and application suite that they normally use.

Although this is convenient for workers, it’s equally convenient for attackers: Any attacker who steals a user’s credentials, for example with a keylogger, can get the same level of access as the actual user.   Attackers can also scan for open RDP ports and just try to login—the username and password are the only defense, and mechanisms that lock users out if they make too many attempts are not always enabled. As such, attackers can “brute force” open RDP ports by trying to log in with random username/password combinations—often making thousands or tens of thousands of attempts until they succeed — of move on to the next victim. Security researchers have found that RDP attacks increased by 330 percent during March 2020, and reached a shocking 1.4 million attacks per day the following month.

What’s the Endgame for an RDP Breach?

Once an attacker obtains access to a RDP connection, they have a rich menu of options. What they do next usually depends on the kind of organization they breach, however. For example, the FBI recently warned K-12 schools that RDP hackers are targeting their networks with intent to install ransomware.

Having access to a network via RDP makes it easy to install ransomware, and school networks are a great target. Where a large bank may be able to detect an attempt to compromise an open RDP port or mitigate an attempt to deploy ransomware (the word “may” is doing a lot of heavy lifting here), K-12 schools rarely have sufficient resources for robust malware defense. Once compromised, schools can either pay the ransom or spend weeks trying to get their files back—just what they need while struggling to provide distance learning in the middle of a pandemic.

K-12 schools aren’t the only ones vulnerable to ransomware, of course. Both enterprises and small businesses are equally vulnerable to RPD attackers dropping ransomware, and these attackers have begun adding an extra twist to their ransoms. Because hacking RDP connections makes it easy to harvest information about a company, many attackers now threaten to leak information that they steal unless their ransom is paid. This gives companies an extra incentive to pay up and gives attackers an excuse to jack up the price, which now averages $84,00 per incident.

RDP hackers don’t just drop ransomware, of course. Corporate espionage, insider trading, identity theft, and other crimes are all possible and easy with the misuse of RDP. Really, the extent of the damage is limited only by an attacker’s imagination.

How do you Protect your Organization from RDP Attacks?

There are a few things you can do to protect your users’ RDP connections:

First, mandate that your employees use long and complex passwords. This will have some protective effect, but not enough on its own. Supplementing with two-factor authentication can also seriously cut down on attackers’ ability to brute force credentials without seriously impeding workflows. With a little more effort, you can require users to only connect to RDP via an encrypted connection such as a VPN.

It is prudent to assume that your network will be breached, regardless of which security measures you implement. It’s crucial to protect your systems in the event a breach is successful. Use antivirus on endpoints to protect against known ransomware strains. Back up your data in case your antivirus can’t stop the ransomware that your attackers use.

Use best practices to prevent attackers from seeing exposed RDP ports. If RDP is used for remote access, find a more robust solution than the basic default client. We recommend a web-based remote desktop that can be centrally configured, and does not require users to download a client. Instead of depending on remote users to handle configuration on their endpoints — and spending long, frustrating support sessions helping them out— administrators can set one secure configuration for the entire company. Finally, the solution you pick should be able to connect securely from outside the firewall.

Although RDP presents some inherent risks, its undeniable convenience means that it won’t go away soon. Keeping your company operational amidst the pandemic and fears of a second lockdown means making smart choices about security and productivity. Choosing a secure RDP product is a key factor that can have a huge impact on your company’s security.

Author Bio

James Lui is CTO of Ericom Software for the Americas and one of the leading experts in secure browsing and virtualization, James has been evangelizing the merits of browser isolation, secure remote access, and application virtualization at industry conferences and partner engagements.         He has guided countless customers in healthcare, government, finance, education and retail in architecting and deploying Ericom’s range of enterprise-grade connectivity and security products.