How to Keep Your Clients Safe From Evolving RDP Security Threats
Why Do Cybercriminals Target Remote Desktop Protocols?
If you work with Corvus you’ve likely heard a lot about RDP. Short for Remote Desktop Protocol, this is a common piece of software that’s at the root of many cyberattacks.
Criminals historically exploited RDP by scanning the web for open ports and brute-forcing weak passwords. Lately, criminals have been able to scan for and exploit RDP servers left unpatched to a vulnerability known as BlueKeep. And as ransomware has grown in popularity among cybercriminals, RDP exploits have emerged as the single most likely attack vector for a successful ransomware attack. (By the way, that’s why we include scanning for open RDP ports as a key part of the Corvus Scan.)
Most recently we talked about how, as part of the Covid-19 response, many companies may have increased the number of open ports with RDP in an effort to enable seamless remote work, but also increased their exposure if the software was not set up properly. Criminals anticipated the trend, and that led to a reported 6x increase in this style of attack.
Organizations that have consistently kept tabs on the far reaches of their IT systems fare much better against this type of attack. That means doing things like properly securing RDP ports in use, closing down unused ports when projects are finished, and using multi-factor authentication. (See the end of this post for a full list of recommendations).
But many organizations aren’t so scrupulous, and it’s easy for things to fall through the cracks. That’s why open ports are now the number one gap in cybersecurity we see.
Evolving RDP Threats
Amid the increase in attack activity surrounding Covid-19, the constant evolution of malware continues. Last month it was reported that a “lesser-known” trojan, with limited functionality, has undergone an upgrade. This malware, known as Sarwent, creates a new Windows user account on an infected computer, enables RDP, and modifies the Windows firewall to allow for RDP access (though there is no indication that Sarwent could change the network level firewall). While this represents only an incremental change to existing attack approaches, it demonstrates how they constantly evolve and build on one another.
Jason Rebholz, a Principal at the technical advisory firm MOXFIVE, says the trojan highlights why organizations need to implement defense in depth. “The expanding capabilities in the Sarwent trojan showcase threat actors’ continued focus on enhancing malware to serve not only as entry paths into environments but also to maintain access,” says Jason. “Organizations should continue to emphasize robust endpoint controls to mitigate the risk of malware in the environment that could lead to more expansive attacks such as ransomware or data theft.”
This means it’s not enough to "set and forget" your IT system’s defenses. As we saw with the rapid shift to working from home as a result of Covid-19, the situation can change on both ends: IT systems grow and evolve, as do the attackers’ tactics. Regular monitoring and re-assessment of IT posture are crucial.
To that end, here’s our punch list of top prevention recommendations.
Top Prevention Recommendations for RDP Security:
Use a VPN when coming in from remote locations
Use strong passwords in your environment
Enable two-factor/multifactor authentication (2FA/MFA) for all remote sessions
Change the standard RDP port from the default port 3389
Only enable RDP if necessary
Close down unused ports when projects are finished
Patching, patching, and more patching - ensure all software is patched as soon as they are released
On January 5th, we hosted a webinar with Lynn Sessions and Paul Karlsgodt of BakerHostetler to discuss pixel tracking technology, the culprit behind the latest ad tech litigation and regulatory trend. Below is an exploration of prior and current website tracking litigation, and how it may impact non-regulated industries.
At its best, insurance helps businesses manage and mitigate the risks they worry about most, and helps make everyone safer along the way. The data insurers have on effective interventions — and the lever of pricing to guide policyholders’ actions — are a powerful combination. Over time, the insurance industry has helped make buildings, work sites, and transportation safer – the key uncertainties people cared about.