12 June 2020
Corvus Team

Threats to RDP security are evolving. Here’s how your clients can stay safe.

If you work with Corvus you’ve likely heard a lot about RDP. Short for Remote Desktop Protocol, this is a common piece of software that’s at the root of many cyberattacks.


Criminals historically exploited RDP by scanning the web for open ports and brute-forcing weak passwords. Lately, criminals have also been able to scan for and exploit RDP servers left unpatched against a vulnerability known as BlueKeep. And as ransomware has grown in popularity among cybercriminals, RDP exploits have emerged as the single most likely attack vector for a successful ransomware attack. (By the way, that’s why we include scanning for open RDP ports as a key part of the Corvus Scan.)

Most recently we talked about how, as part of the Covid-19 response, many companies may have increased the number of open ports with RDP in an effort to enable seamless remote work, but also increased their exposure if the software was not set up properly. Criminals anticipated the trend, and that led to a reported 6x increase in this style of attack. 

Organizations that have consistently kept tabs on the far reaches of their IT system fare much better against this type of attack. That means doing things like properly securing RDP ports in use, closing down unused ports when projects are finished, and using multi-factor authentication. (See the end of this post for a full list of recommendations.)

But many organizations aren’t so scrupulous, and it’s easy for things to fall through the cracks. That’s why open ports are now the number one gap in cybersecurity we see.

Evolving RDP Threats

Amid the increase in attack activity surrounding Covid-19, the constant evolution of malware continues. Last month it was reported that a “lesser-known” trojan with limited functionality has undergone an upgrade. This malware, known as Sarwent, creates a new Windows user account on an infected computer, enables RDP, and modifies the Windows firewall to allow RDP access (though there is no indication that Sarwent could change the network-level firewall). While this represents only an incremental change to existing attack approaches, it demonstrates how they constantly evolve and build on one another.
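The Sarwent behaviour described above leaves a recognisable trail in the Windows Security log: a local account is created (event 4720), that account is added to a local group (4732), and a firewall exception is added (4946) that opens the RDP port. The following PowerShell function is an added example, not Corvus’s or MOXFIVE’s code, that correlates those three records within a short time window and returns a finding for each matching account. It assumes account-management and policy-change auditing are enabled on the host; the sample records it runs against are constructed for illustration, not real captures.

```powershell
# Added example (not from the original post): flag the account-created -> group-added
# -> firewall-exception chain attributed to Sarwent, using Security log records.
# Assumption: auditing for Account Management and MPSSVC Rule-Level Policy Change is on.

function Find-RdpBackdoorSequence {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Id, TimeCreated, Message
        [int] $WindowMinutes = 30,                   # how close together the three events must be
        [int] $RdpPort = 3389                        # port referenced in the firewall rule text
    )
    $findings = @()
    foreach ($create in ($Events | Where-Object { $_.Id -eq 4720 })) {
        # Pull the new account name out of the 4720 message body (multi-line in real events)
        if ($create.Message -match '(?s)New Account:.*?Account Name:\s*(?<name>\S+)') {
            $name = $Matches['name']
        } else { continue }

        $start = $create.TimeCreated
        $end   = $start.AddMinutes($WindowMinutes)
        $later = $Events | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end }

        # Same account added to a local group (e.g. Remote Desktop Users or Administrators)
        $groupAdd = $later | Where-Object { $_.Id -eq 4732 -and $_.Message -match [regex]::Escape($name) }

        # A firewall exception added that references the RDP port or the Remote Desktop rule group
        $fwAdd = $later | Where-Object {
            $_.Id -eq 4946 -and ($_.Message -match "\b$RdpPort\b" -or $_.Message -match 'Remote Desktop')
        }

        if ($groupAdd -and $fwAdd) {
            $findings += [pscustomobject]@{
                Account      = $name
                CreatedAt    = $start
                GroupEvent   = ($groupAdd | Select-Object -First 1).TimeCreated
                FirewallRule = ($fwAdd | Select-Object -First 1).Message
                Severity     = 'High'
            }
        }
    }
    return $findings
}

# Constructed sample records (not real log data). The first three form the suspicious chain;
# the last is a lone account creation with no follow-up and should not be flagged.
$t0 = Get-Date '2020-06-01T02:14:00'
$sample = @(
    [pscustomobject]@{ Id = 4720; TimeCreated = $t0;                Message = "A user account was created.`r`nNew Account:`r`n`tSecurity ID:`tS-1-5-21-1-2-3-1005`r`n`tAccount Name:`tsvc_helper" }
    [pscustomobject]@{ Id = 4732; TimeCreated = $t0.AddMinutes(1); Message = "A member was added to a security-enabled local group.`r`nMember:`r`n`tAccount Name:`tsvc_helper`r`nGroup:`r`n`tGroup Name:`tRemote Desktop Users" }
    [pscustomobject]@{ Id = 4946; TimeCreated = $t0.AddMinutes(2); Message = "A change has been made to Windows Firewall exception list. A rule was added.`r`nRule Name:`tRemoteAccess`r`nProfile:`tAll`r`nLocal Port:`t3389" }
    [pscustomobject]@{ Id = 4720; TimeCreated = $t0.AddHours(5);   Message = "A user account was created.`r`nNew Account:`r`n`tAccount Name:`tjdoe" }
)

Find-RdpBackdoorSequence -Events $sample | Format-List
```

On a live host, replace the constructed sample with real records, for example `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732, 4946 }`, and feed the result to the same function. The window-based correlation is deliberately simple; a single 4720 on its own is routine onboarding, and it is the combination within minutes that is worth an alert.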

Jason Rebholz, a Principal at the technical advisory firm MOXFIVE, says the trojan highlights why organizations need to implement defense in depth. “The expanding capabilities in the Sarwent trojan showcase threat actors’ continued focus on enhancing malware to serve not only as entry paths into environments but also to maintain access,” says Jason. “Organizations should continue to emphasize robust endpoint controls to mitigate the risk of malware in the environment that could lead to more expansive attacks such as ransomware or data theft.”

This means it’s not enough to ‘set and forget’ your IT system’s defenses. As we saw with the rapid shift to working from home as a result of Covid-19, the situation can change on both ends: IT systems grow and evolve, as do the attackers’ tactics. Regular monitoring and re-assessment of IT posture is crucial. 

To that end, here’s our punch list of top prevention recommendations. 

Prevention Recommendations for RDP Security

  • Use a VPN when coming in from remote locations
  • Use strong passwords in your environment
  • Enable two-factor/multifactor authentication (2FA/MFA) for all remote sessions
  • Change the standard RDP port from the default port 3389
  • Only enable RDP if necessary
  • Close down unused ports when projects are finished
  • Patching, patching and more patching – ensure all software is patched as soon as updates are released
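Most of the recommendations above can be checked on a Windows host with a few registry reads and the built-in networking cmdlets. The script below is an added example, not Corvus tooling, that audits a host against the list (RDP enabled at all, default port, Network Level Authentication, host firewall rules allowing the port from any address, Remote Desktop Users membership, accounts with no password required, and patch age) and reports each as OK, WARN, REVIEW or MANUAL. It assumes an elevated session on Windows 10 / Server 2016 or later, where the NetSecurity and LocalAccounts modules are present; VPN and MFA are enforced outside the host, so they are reported as manual checks rather than guessed at.

```powershell
# Added example (not from the original post): audit one Windows host against the RDP
# recommendations. Assumes an elevated PowerShell session on Windows 10 / Server 2016+.
# The registry paths and cmdlets used are the standard Windows ones.

function Get-RdpExposureReport {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
    }

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$tsKey\WinStations\RDP-Tcp"

    # 1. "Only enable RDP if necessary": fDenyTSConnections = 1 means connections are refused.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($deny -eq 1) {
        Add-Finding 'RDP enabled' 'OK' 'Remote Desktop connections are disabled on this host'
        return $findings    # nothing further to assess
    }
    Add-Finding 'RDP enabled' 'REVIEW' 'RDP is enabled; confirm it is actually required'

    # 2. "Change the standard RDP port" and NLA (UserAuthentication = 1 requires Network Level Authentication)
    $station = Get-ItemProperty -Path $rdpTcp -ErrorAction SilentlyContinue
    $port = if ($station.PortNumber) { [int]$station.PortNumber } else { 3389 }
    Add-Finding 'Non-default port' $(if ($port -eq 3389) { 'WARN' } else { 'OK' }) "RDP listens on TCP $port"
    Add-Finding 'NLA required' $(if ($station.UserAuthentication -eq 1) { 'OK' } else { 'WARN' }) "UserAuthentication = $($station.UserAuthentication)"

    # 3. "Close down unused ports": is the listener up, and do host firewall rules allow it from any address?
    $listening = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    Add-Finding 'Port listening' $(if ($listening) { 'INFO' } else { 'OK' }) "Listener present: $([bool]$listening)"

    $openToAny = @()
    foreach ($rule in (Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue)) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -notin @('TCP', 'Any')) { continue }
        if (@($pf.LocalPort) -notcontains "$port" -and @($pf.LocalPort) -notcontains 'Any') { continue }
        $af = $rule | Get-NetFirewallAddressFilter
        if (@($af.RemoteAddress) -contains 'Any') { $openToAny += $rule.DisplayName }
    }
    Add-Finding 'Firewall scope' $(if ($openToAny) { 'WARN' } else { 'OK' }) ("Inbound allow rules for TCP $port from Any: " + (($openToAny -join ', ') -replace '^$', '(none)'))

    # 4. "Use strong passwords": who can log on over RDP, and are any enabled accounts passwordless?
    $rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
    Add-Finding 'Remote Desktop Users' 'REVIEW' ("Members: " + (($rdpUsers -join ', ') -replace '^$', '(none)'))
    $noPwd = Get-LocalUser -ErrorAction SilentlyContinue | Where-Object { $_.Enabled -and -not $_.PasswordRequired }
    Add-Finding 'Strong passwords' $(if ($noPwd) { 'WARN' } else { 'OK' }) ("Enabled accounts with no password required: " + (($noPwd.Name -join ', ') -replace '^$', '(none)'))

    # 5. "Patching": age of the most recent installed hotfix (30 days is an assumed threshold)
    $lastFix = Get-HotFix -ErrorAction SilentlyContinue | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days } else { $null }
    Add-Finding 'Patching' $(if ($null -eq $age -or $age -gt 30) { 'WARN' } else { 'OK' }) "Most recent hotfix $($lastFix.HotFixID) installed $age days ago"

    # 6. "Use a VPN" and "Enable 2FA/MFA" are enforced at the gateway or identity provider, not on the host
    Add-Finding 'VPN / MFA' 'MANUAL' 'Verify RDP is reachable only through the VPN and that remote sessions require MFA'

    return $findings
}

Get-RdpExposureReport | Format-Table -AutoSize
```

Run it as part of a periodic review rather than once: the post’s point about posture drifting during the shift to remote work is exactly the case a scheduled run of this report would catch, for instance a host whose RDP listener was opened to Any for a project and never closed again.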

Mike Karbassi

Mike Karbassi is Vice President and Head of Cyber Underwriting at Corvus. He specializes in Network Security, Privacy Liability, Technology E&O, Media Liability, and Miscellaneous Professional Liability. Karbassi has over a decade of experience in insurance and is a graduate of the Boston University Questrom School of Business.

Gerritt Graham

Gerritt is the Chief Commercial Officer at Corvus. He has over 20 years of sales and marketing experience, primarily focused on technology and data solutions for the financial services industry.

James McElhiney

James co-founded Corvus and is the company’s Chief Technology Officer. A 30+ year technology veteran, Jaimie most recently served as CTO of Iora Health and previously co-founded Gazelle.

Mike Lloyd

Mike Lloyd is the Co-Founder and Chief Product Officer of Corvus Insurance. Previously, Mike co-founded Poncho, a personal lines agency InsurTech startup, and was a venture investor at FJ Labs. Mike has an MBA from Harvard Business School and engineering degrees from Virginia Military Institute and MIT.

Phil Edmundson

Phil is the founder and CEO of Corvus. A 30+ year insurance veteran, Phil co-founded broker William Gallagher Associates (acquired by Arthur J Gallagher in 2015) and was an active leader in both the Worldwide Broker Network and Council of Insurance Agents and Brokers. Phil is the Managing Partner of Edmus Ventures where he invests in InsurTech companies including Verifly, Wellthie, Agentero, and Cover Wallet, and serves on the board of Cover Wallet.
