06.12.20
Corvus Team

How to Keep Your Clients Safe From Evolving RDP Security Threats

Why Do Cybercriminals Target Remote Desktop Protocols?

If you work with Corvus you’ve likely heard a lot about RDP. Short for Remote Desktop Protocol, this is a common piece of software that’s at the root of many cyberattacks. 

Criminals historically exploited RDP by scanning the web for open ports and brute-forcing weak passwords. Lately, criminals have been able to scan for and exploit RDP servers left unpatched to a vulnerability known as BlueKeep. And as ransomware has grown in popularity among cybercriminals, RDP exploits have emerged as the single most likely attack vector for a successful ransomware attack. (By the way, that’s why we include scanning for open RDP ports as a key part of the Corvus Scan.) 

Most recently we talked about how, as part of the Covid-19 response, many companies may have increased the number of open ports with RDP in an effort to enable seamless remote work, but also increased their exposure if the software was not set up properly. Criminals anticipated the trend, and that led to a reported 6x increase in this style of attack. 

Organizations that have consistently kept tabs on the far reaches of their IT systems fare much better against this type of attack. That means doing things like properly securing RDP ports in use, closing down unused ports when projects are finished, and using multi-factor authentication. (See the end of this post for a full list of recommendations). 

But many organizations aren’t so scrupulous, and it’s easy for things to fall through the cracks.  That’s why open ports are now the number one gap in cybersecurity we see.

Evolving RDP Threats

Amid the increase in attack activity surrounding Covid-19, the constant evolution of malware continues. Last month it was reported that a “lesser-known” trojan, with limited functionality, has undergone an upgrade. This malware, known as Sarwent, creates a new Windows user account on an infected computer, enables RDP, and modifies the Windows firewall to allow for RDP access (though there is no indication that Sarwent could change the network level firewall). While this represents only an incremental change to existing attack approaches, it demonstrates how they constantly evolve and build on one another.

Jason Rebholz, a Principal at the technical advisory firm MOXFIVE, says the trojan highlights why organizations need to implement defense in depth. “The expanding capabilities in the Sarwent trojan showcase threat actors’ continued focus on enhancing malware to serve not only as entry paths into environments but also to maintain access,” says Jason. “Organizations should continue to emphasize robust endpoint controls to mitigate the risk of malware in the environment that could lead to more expansive attacks such as ransomware or data theft.”

This means it’s not enough to "set and forget" your IT system’s defenses. As we saw with the rapid shift to working from home as a result of Covid-19, the situation can change on both ends: IT systems grow and evolve, as do the attackers’ tactics. Regular monitoring and re-assessment of IT posture are crucial. 

To that end, here’s our punch list of top prevention recommendations. 

Prevention Recommendations for RDP Security

  • Use a VPN when coming in from remote locations

  • Use strong passwords in your environment

  • Enable two-factor/multifactor authentication (2FA/MFA) for all remote sessions

  • Change the standard RDP port from the default port 3389

  • Only enable RDP if necessary

  • Close down unused ports when projects are finished

  • Patching, patching, and more patching - ensure all software is patched as soon as they are released

[RELATED POST] Tech Companies: Beyond Cyber Risk, the Cost of Downstream Impact

Tech Companies: Beyond Cyber Risk, the Cost of Downstream Impact

The rise of remote work and growing concerns over ransomware acted as partners-in-crime to get organizations to hone in on risk mitigation efforts over the past couple years. Through compiling our Risk Insights Index, we found that with certain initiatives —  safer or reduced usage of RDP, growing use of email security tools, and other measures taken to limit the impact of threat actors — businesses are more prepared than a year before and ready to play defense. Those efforts are borne out in our finding that the rate of companies who pay a ransom when attacked with ransomware fell by half within a year. 

[RELATED POST] Tips from Top Brokers: How to Play Offense in a Cyber Hard Market

Tips from Top Brokers: How to Play Offense in a Cyber Hard Market

The whisperings of “firming rates” start first, quietly in business meetings, then published in industry reports. Soon to follow, rumblings of a “hard market” are brought to the conversation. It’s cyclical in nature, and we see it across all insurance lines at one point or another. For years, Cyber Insurance stretched far and wide with “soft” market conditions, remaining highly profitable. Now that period of growth, with exceedingly available coverage and inviting terms, has stalled in the face of a hard market.