The rise in working from home has popularized remote access to the company workplace. Although remote work increases productivity and facilitates some operations, it may also be the gateway that cybercriminals have been waiting for. According to the latest 2022 Verizon Data Breach Investigations Report, misuse of remote access is the fourth most common initial attack vector.
The key issue with Remote Desktop Protocol (RDP) is not the protocol itself but how it is deployed: many servers are configured to accept RDP connections directly from the Internet, typically on port 3389. Criminals scour the Internet for such servers and usually have no trouble finding them. A search engine designed to track devices with exposed ports or protocols on the Internet has found more than four million exposed RDP ports. Recently, news circulated of more than 8,000 exposed virtual network computing (VNC) devices that allow network access without requiring authentication. The most worrying part is that many of them belong to critical infrastructure organizations.
Cybercriminal gangs, such as the Conti ransomware group, have used this attack vector to deploy ransomware on their victims' networks. The Colonial Pipeline attack carried out by the DarkSide group is another example of how remote access can become a big problem. In that case, the attackers carried out one of the largest cyberattacks in recent years by using a compromised password for a VPN account that was not protected by multi-factor authentication.
What are the risks associated with misconfigured servers that are exposed to RDP attacks?
There are three main ways attackers abuse exposed RDP services: distributed denial of service (DDoS), ransomware and data breaches.
- DDoS attack: RDP's UDP transport (UDP port 3389), when reachable from the Internet, can be used as a reflector with an amplification factor of about 85.9:1. An attacker sends small spoofed requests carrying the victim's address, and the RDP servers answer the victim with far larger responses, overwhelming the target service.
- Ransomware deployment: Threat actors break into an organization's network through an exposed RDP service, usually with brute-forced, sprayed or stolen credentials, then scan it from the inside and place ransomware on high-value systems. This was the most common ransomware delivery method in 2020.
- Data breach: Once inside the network, criminals move laterally to find and exfiltrate the company's key data, either to sell it or to exert pressure. Increasingly, attackers steal the data before encrypting it with ransomware, so that a victim with good backups can still be extorted.
Basic preventive measures, based on good "cyber hygiene" habits in network configuration, can be applied. For example, there are several options to protect RDP access on a Windows server, including limiting access by source IP address, reaching the server only through a VPN, or changing the RDP port. Note that moving the port only reduces noise from the least sophisticated scanners; port-agnostic scanners still identify the RDP service, so it is not a substitute for the other controls.
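The following script is an added example, not part of the original article or any WatchGuard product, showing how the hardening options above are applied on a Windows Server with built-in tooling only. It goes slightly beyond the list in the text by also turning off the UDP transport (the part of RDP abused for DDoS reflection) and requiring Network Level Authentication (NLA). The allow-listed address ranges are placeholders and are assumptions, not values from the page.

```powershell
# Added example (not from the original article): harden an exposed RDP endpoint on
# Windows Server using built-in cmdlets. Run in an elevated PowerShell session.
# The management ranges below are placeholders; replace them with your own.
$AllowedSources = @('10.0.0.0/8', '203.0.113.10')   # VPN pool + jump host (assumed)

# 1. Scope the built-in inbound RDP rules to the allow-list instead of "Any".
#    Limiting by source IP keeps the port off the open Internet even if RDP stays on.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $AllowedSources

# 2. Drop the UDP transport: it is what makes RDP usable as a DDoS reflector.
#    RDP falls back to TCP; sessions still work, only the UDP acceleration is lost.
Disable-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (UDP-In)'

# 3. Require Network Level Authentication and TLS, so a client must authenticate
#    before the session host's logon screen is ever rendered for it.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1   # NLA on
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2   # TLS only
Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Value 3   # High encryption

# 4. Slow down password guessing with account lockout (local policy; use a GPO
#    for domain-joined hosts).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 5. Review who is actually allowed to log on over RDP and trim it to named admins.
Get-LocalGroupMember -Group 'Remote Desktop Users'

# 6. Verify: only the allow-listed scopes should remain on the inbound RDP rules.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Step 1 is the control that actually removes the Internet exposure; steps 2 to 5 reduce the blast radius if the allow-list is ever widened by mistake. If users connect over a VPN, the allow-list should contain only the VPN client pool and any jump hosts.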
The following preventive and detective measures against remote access abuse and related intrusion techniques stand out for their effectiveness and for fitting a zero-trust design:
- MFA: In most cases, RDP servers reachable from the public Internet do not require multi-factor authentication (MFA). This means a valid username and password, obtained by brute force, password spraying or from leaked credentials, is all an attacker needs to get inside the network.
- VPN: A VPN puts RDP behind an encrypted tunnel between the remote user and the corporate network, so the RDP port is never exposed directly to the Internet. VPNs can also enforce MFA to mitigate the threat of compromised accounts. However, the VPN gateway is itself an Internet-facing service and becomes the new target, so it must be patched promptly and its accounts protected with MFA.
- Remote access logs: As an additional measure, keep and regularly review the logon history of remote users. On Windows, Security event IDs 4624 (successful logon) and 4625 (failed logon) with logon type 10 (RemoteInteractive) record RDP sessions together with the source address. This is the first thing to check when a network compromise is suspected, and a burst of failures from one address is the signature of brute forcing.
- EDR (endpoint detection and response): Deploying a solution capable of detecting misuse of RDP access attempts and responding to these advanced threats is essential when protecting servers and devices in an organization.
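The "remote access logs" item above is easy to state and rarely done by hand, so here is an added example (not code from the original article or from WatchGuard) that triages RDP logon events from the Windows Security log: it collects 4624/4625 events for RDP logon types and flags any source address with a burst of failures, reporting whether that address later succeeded. The threshold and window are assumptions, and the sample records at the bottom are constructed so the analysis runs offline.

```powershell
# Added example (not from the original article): triage RDP logon activity from the
# Windows Security log. Event 4624 = successful logon, 4625 = failed logon;
# LogonType 10 = RemoteInteractive (RDP). Caveat: when NLA is enabled, failed
# attempts are usually recorded with LogonType 3 (network), so both are included.
$RdpLogonTypes = @('3', '10')

function Get-RdpLogonEvents {
    # Reads real events from the local Security log (needs admin rights).
    # Not called in the offline demo below; feed its output to Find-RdpBruteForce.
    param([datetime] $Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since } |
        ForEach-Object {
            $xml  = [xml] $_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($RdpLogonTypes -contains $data['LogonType'] -and $data['IpAddress'] -ne '-') {
                [pscustomobject]@{
                    Time = $_.TimeCreated; Id = $_.Id
                    User = $data['TargetUserName']; Ip = $data['IpAddress']
                }
            }
        }
}

function Find-RdpBruteForce {
    # Flags source addresses with at least $Threshold failed logons inside any
    # $WindowMinutes window, and notes whether a success followed (credential found).
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 10,        # assumed tuning values
        [int] $WindowMinutes = 5
    )
    $Events | Group-Object Ip | ForEach-Object {
        $byIp  = $_.Group | Sort-Object Time
        $fails = @($byIp | Where-Object { $_.Id -eq 4625 })
        $burst = $false
        for ($i = 0; $i -lt $fails.Count -and -not $burst; $i++) {
            $start = $fails[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($fails | Where-Object { $_.Time -ge $start -and $_.Time -le $end }).Count
            if ($inWindow -ge $Threshold) { $burst = $true }
        }
        if ($burst) {
            $firstFail = $fails[0].Time
            $success = $byIp | Where-Object { $_.Id -eq 4624 -and $_.Time -gt $firstFail } |
                Select-Object -First 1
            [pscustomobject]@{
                SourceIp      = $_.Name
                Failures      = $fails.Count
                DistinctUsers = @($fails.User | Sort-Object -Unique).Count
                SucceededAs   = if ($success) { $success.User } else { $null }
            }
        }
    }
}

# Constructed sample records (not real log data), shaped like Get-RdpLogonEvents output:
# 12 rapid failures against several account names from one address, then a success,
# plus one ordinary typo-and-retry from an internal address.
$t0 = Get-Date '2022-11-01T02:00:00'
$names  = 'administrator', 'admin', 'backup', 'svc_backup', 'jsmith', 'test'
$sample = @()
for ($i = 0; $i -lt 12; $i++) {
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds(15 * $i); Id = 4625
                                  User = $names[$i % $names.Count]; Ip = '198.51.100.23' }
}
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(3);  Id = 4624; User = 'svc_backup'; Ip = '198.51.100.23' }
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(10); Id = 4625; User = 'jsmith';     Ip = '10.0.0.5' }
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(11); Id = 4624; User = 'jsmith';     Ip = '10.0.0.5' }

Find-RdpBruteForce -Events $sample -Threshold 10 -WindowMinutes 5 | Format-Table -AutoSize
```

On the constructed sample only the 198.51.100.23 burst is reported, with six distinct target accounts and a later success as svc_backup; the two events from 10.0.0.5 never reach the threshold. A non-null SucceededAs is the row to act on first: the password has been guessed and the session that followed needs to be investigated, not just blocked.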
The importance of detection and response
When setting up secure remote access, it is critical to ensure that endpoints are protected against intrusion attempts like living-off-the-land attacks, which can evade conventional security solutions. Organizations that implement a comprehensive solution that protects their devices using a zero-trust model with additional layered protection will gain a significant advantage. In this regard, WatchGuard EPDR protects PCs, laptops and servers by combining protection against malware and non-malware-based attacks. Using the EDR component, WatchGuard continuously monitors endpoints and uses artificial intelligence to classify running processes as malware or trusted, allowing only trusted processes to run on the devices and blocking those executed by an intruder using RDP access. In addition to identifying an RDP attack, the solution can prevent incidents by blocking traffic from IP addresses from which brute-force attacks against exposed RDP servers are detected, so the attack is contained before valid credentials are obtained.
Moreover, the threat hunting service, included by default in WatchGuard EDR and WatchGuard EPDR solutions, thwarts hackers’ attempts to exploit vulnerable RDP access, as the service will proactively scan any suspicious activity for evasion techniques and anomalous behavior patterns in order to prevent, among other things, remote access from becoming a nightmare for organizations.