Spate of Ransomware Attacks through RDP
Prepared by: Kamran Khan - AVP Cyber Security Practice, Securado LLC | 1st July '19
How does one get compromised?
The de facto standard for Remote Desktop connections is that users must present login credentials, i.e. a username and password, in order to access resources. This is, however, a weak link in the attack lifecycle, as it exposes organizations through the following vulnerabilities:
- Organizations may not follow a strong security policy that clearly states the minimum password requirements, such as minimum password length, password complexity, characters used, upper-case/lower-case mix, special characters, etc.
- The version of the RDP protocol in use may itself be dated.
- Administrators may sometimes inadvertently allow an unlimited number of login attempts, which helps attackers indefinitely.
- Attackers may also use other techniques, such as social engineering, to install malicious payloads through drive-by downloads or macros delivered to seemingly unsuspecting users.
The following ransomware families are the most prolific ones currently making the rounds; the attack type in each case is brute-forcing (a dictionary-based technique):
- CryptON ransomware
- Crisis ransomware
- Samsam ransomware
Finally, the thieving parties steal these prized assets and sell them on the deep web for monetary gain to parties with ulterior motives, who may devise malicious plans against your organization, all without you getting a sniff of these activities. The most interesting piece in the scheme of things, or, if I may put it this way, the "icing on the cake and cherry on top" situation here, is that all subsequent illegitimate entries now appear legitimate because of the credentials: the passwords that are meant to protect users and assets are the same tools used against organizations to compromise the very reason they were created.
Being ahead of the curve against RDP attacks
Here are the ways of protecting RDP:
- Use stronger passwords that comply with a well-defined password policy to protect against brute-force attacks; suspending the account after a specific number of failed login attempts is also a great way to reduce the attack surface
- Logging is key when it comes to initiating digital investigations and pursuing forensics in situations of compromise
- Disable RDP on all public-facing network devices
- Periodically back up all sensitive data in the organization
- Two-factor authentication must be implemented
- If you don't intend to use the RDP service, block it indefinitely, which implicitly offers protection against these attacks
- Implement Network Level Authentication so that hackers cannot reach the login GUI without first authenticating
- Deploy proper patch management and software updates, which also supports proper threat detection
- Reconfigure the default RDP port to something else so that you are no longer on the radar of port-scanning tools
- All third parties who need access through RDP must have their privileges managed as per workflow management and the internal approval process
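As an added example that is not part of the original article, here is the kind of detection logic the logging recommendation makes possible. It runs over constructed Windows Security-log records (event IDs 4625 and 4624 with LogonType 10, which is an RDP session) and flags the brute-force burst described earlier, plus the successful logon that follows it, which is the point where stolen credentials start looking legitimate. The threshold, window and sample values are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log records: (time, EventID, TargetUserName,
# IpAddress, LogonType). 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    ("2019-07-01 02:00:01", 4625, "administrator", "203.0.113.7", 10),
    ("2019-07-01 02:00:03", 4625, "administrator", "203.0.113.7", 10),
    ("2019-07-01 02:00:04", 4625, "admin", "203.0.113.7", 10),
    ("2019-07-01 02:00:06", 4625, "backup", "203.0.113.7", 10),
    ("2019-07-01 02:00:09", 4625, "administrator", "203.0.113.7", 10),
    ("2019-07-01 02:00:12", 4624, "administrator", "203.0.113.7", 10),
    ("2019-07-01 08:15:00", 4625, "jdoe", "10.0.0.21", 10),  # one typo, benign
    ("2019-07-01 08:15:20", 4624, "jdoe", "10.0.0.21", 10),
    ("2019-07-01 09:00:00", 4625, "svc_web", "10.0.0.30", 3),  # network logon, not RDP
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag each source IP with >= threshold failed RDP logons inside `window`,
    and record any successful RDP logon from that IP after the burst (the
    moment a guessed password turns into a legitimate-looking session)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, event_id, user, ip, logon_type in events:
        if logon_type != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 4625:
            failures[ip].append((when, user))
        elif event_id == 4624:
            successes[ip].append((when, user))

    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            burst = [a for a in attempts[i:] if a[0] - start <= window]
            if len(burst) >= threshold:
                last_fail = burst[-1][0]
                followed = [u for t, u in successes.get(ip, []) if t >= last_fail]
                alerts[ip] = {
                    "failed_attempts": len(burst),
                    "usernames_tried": sorted({u for _, u in burst}),
                    "success_after_burst": followed,
                }
                break  # one alert per source IP is enough for triage
    return alerts
```

An alert whose `success_after_burst` list is non-empty is the case to treat as a probable credential compromise rather than just noise, since the account lockout and two-factor controls above would have stopped it.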