How to Keep Your Clients Safe From Evolving RDP Security Threats

Why Do Cybercriminals Target Remote Desktop Protocols?

If you work with Corvus you’ve likely heard a lot about RDP. Short for Remote Desktop Protocol, this is a common piece of software that’s at the root of many cyberattacks. 

Criminals historically exploited RDP by scanning the web for open ports and brute-forcing weak passwords. Lately, criminals have been able to scan for and exploit RDP servers left unpatched to a vulnerability known as BlueKeep. And as ransomware has grown in popularity among cybercriminals, RDP exploits have emerged as the single most likely attack vector for a successful ransomware attack. (By the way, that’s why we include scanning for open RDP ports as a key part of the Corvus Scan.) 

Most recently we talked about how, as part of the Covid-19 response, many companies may have increased the number of open ports with RDP in an effort to enable seamless remote work, but also increased their exposure if the software was not set up properly. Criminals anticipated the trend, and that led to a reported 6x increase in this style of attack. 

Organizations that have consistently kept tabs on the far reaches of their IT systems fare much better against this type of attack. That means doing things like properly securing RDP ports in use, closing down unused ports when projects are finished, and using multi-factor authentication. (See the end of this post for a full list of recommendations). 

But many organizations aren’t so scrupulous, and it’s easy for things to fall through the cracks. That’s why open ports are now the number one gap in cybersecurity we see.

Evolving RDP Threats

Amid the increase in attack activity surrounding Covid-19, the constant evolution of malware continues. Last month it was reported that a “lesser-known” trojan, with limited functionality, has undergone an upgrade. This malware, known as Sarwent, creates a new Windows user account on an infected computer, enables RDP, and modifies the Windows firewall to allow for RDP access (though there is no indication that Sarwent could change the network-level firewall). While this represents only an incremental change to existing attack approaches, it demonstrates how they constantly evolve and build on one another.

Jason Rebholz, a Principal at the technical advisory firm MOXFIVE, says the trojan highlights why organizations need to implement defense in depth. “The expanding capabilities in the Sarwent trojan showcase threat actors’ continued focus on enhancing malware to serve not only as entry paths into environments but also to maintain access,” says Jason. “Organizations should continue to emphasize robust endpoint controls to mitigate the risk of malware in the environment that could lead to more expansive attacks such as ransomware or data theft.”

This means it’s not enough to "set and forget" your IT system’s defenses. As we saw with the rapid shift to working from home as a result of Covid-19, the situation can change on both ends: IT systems grow and evolve, as do the attackers’ tactics. Regular monitoring and re-assessment of IT posture are crucial. 

To that end, here’s our punch list of top prevention recommendations. 

Top Prevention Recommendations for RDP Security:

• Use a VPN when coming in from remote locations

• Use strong passwords in your environment

• Enable two-factor/multifactor authentication (2FA/MFA) for all remote sessions

• Change the standard RDP port from the default port 3389

• Only enable RDP if necessary

• Close down unused ports when projects are finished

• Patching, patching, and more patching - ensure all software is patched as soon as they are released