Rise of RDP as a target vector
Recent reports of targeted attacks using RDP as an initial entry vector have certainly caused significant headlines in lieu of the impact they have caused. In the midst of city wide impacts, or even million dollar (plus) demands it is easy to overlook the initial entry vector.
What began as ‘targeted’ emails focusing on predominantly consumers, the evolution of ransomware has widened to incorporate pseudo attacks intended purely for destruction (e.g. no viable decryption capability, or limited), to precision extortion against corporations or public sector organizations.
What was particularly surprising is the speed with which RDP was quickly adopted as the initial entry vector as was depicted in research by Coveware.
As we contemplate the meaning of the term targeted, we have to recognise that in many cases victims are targeted merely due to the cybercrime eco-system. The advent of RDP shops selling RDP credentials is undoubtedly fuelling the rise of such attacks, coupled with the release of vulnerabilities against the protocol suggests the worst could well be yet to come.
Following publication of the Critical Watch report by Alert Logic it was revealed that the ports that “have the most vulnerabilities are SSH (22/TCP), HTTPS (443/TCP) and HTTP (80/TCP) made the top three with 65 percent of the vulnerabilities. It is, however, interesting to note that the recent MS RDP BlueKeep attack targets the fourth most popular port, RDP/TCP”.
Whilst measures to reduce the risk of RDP being exploited focus around advice of maintaining good cyber hygiene its renewed focus should encourage particular measures that go above and beyond generic advice. Indeed a detailed guide by Darren Fitzpatrick, John Fokker and Eamonn Ryan provides a number of measures that should be considered which can be broken down into the following categories:
- Authentication: Where multifactor authentication cannot be used it is important to enforce strong passwords, and implement appropriate policies such as to block attempted (failed) logons.
- Network layer: Where RDP is necessary it is imperative to lock down access with the appropriate filtering implemented at the perimeter, for example defining the source IPs that can access the service.
- Additional security measures: The use of an RDP gateway, or the use of encryption fall into this category.
Whilst the above are only a snapshot of some of the measures that are available, the rise in such attacks should demand a specific focus on the risk that RDP represents. Organizations are advised the rise in ransom demands (now often into six figures) suggests it will be more cost effective to implement such controls than paying/recovering from a ransomware attack. Moreover the rise of Sodinokibi hitting our RDP honeypots today suggest that RDP will stay in focus by criminals looking to make more money through criminal gain.