How Attackers Enter Remote Desktops & How to Stay Safe

Swami Nathan Wed, 03/17/2021 - 07:02

New research has identified a large rise in the number of attacks targeting the Microsoft Remote Desktop Protocol (RDP) during the Covid-19 pandemic.

Businesses have gradually switched to Microsoft RDP as a way to help employees operate from home, using a tool that allows remote staff to log in to their office computers and access business networks.

Consequently, the number of RDP ports exposed to the Internet rose from almost three million in January to four and a half million by the end of March this year, according to a recent study. However, this growth also led to a sharp increase in the number of dark web markets selling RDP credentials online.

What is RDP?

If you're concerned about the RDP hack, it's important to know what RDP is and whether your organization is already using it. RDP stands for Remote Desktop Protocol and is a remote-desktop platform that is pre-installed on all Windows PCs.

Companies ranging in size from a handful of workers to thousands use RDP on a daily basis, most often for routine operations. As Windows computers are the standard devices in most industries, RDP is a widely used method for many companies.

Whether businesses use RDP to provide remote support or to share files and data remotely, Microsoft's RDP is the preferred remote desktop solution for many, precisely because it comes automatically installed. As a Microsoft-only product, RDP has some drawbacks when people and employees on your network are using Mac, iOS, or Linux devices (if you're looking for more flexibility, check out Netop's RDP alternative). But the biggest problem with RDP is how popular it is.

Hacking the RDP service of Microsoft

The Microsoft RDP service is accessed through the Microsoft Terminal Services Client (MSTSC), which loads the "mstscax" DLL from the "C:\Windows\System32" folder without verifying it. As a result, attackers who have obtained the Windows administrator privileges they need can overwrite this DLL with a malicious one.

Another way to implement the attack is to drop the legitimate executable "mstsc.exe" into another user folder together with the malicious "mstscax" DLL. The executable does not use the complete path to load the dynamic library, so a DLL placed in the same folder as the dependent executable is loaded first under the Windows DLL search order. This strategy is close to DLL Side Loading and is known as DLL Search Order Hijacking.
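The following PowerShell audit is an added example, not code from the original article: it checks a Windows host for the two placements described above (a replaced System32 mstscax.dll, and a copy of mstsc.exe dropped next to a rogue DLL) by inspecting what a running mstsc.exe has loaded and sweeping user-writable folders. The search roots and the "signed by Microsoft" test are assumptions chosen for this example.

```powershell
# Added example (not from the original article). Run in an elevated session
# so that process module lists are readable.

$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Test-TrustedModule {
    param([string]$Path)
    # A legitimate mstsc.exe or mstscax.dll lives in a system directory and
    # carries a valid Microsoft signature (Get-AuthenticodeSignature also
    # honours the OS catalog signatures used for most System32 binaries).
    $inSystemDir = $systemDirs | Where-Object { $Path -like "$_\*" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ([bool]$inSystemDir) -and ($sig.Status -eq 'Valid') -and
           ($sig.SignerCertificate.Subject -like '*Microsoft*')
}

# Case 1: System32\mstscax.dll overwritten by an administrator-level attacker.
# Case 2: mstsc.exe copied to a user folder next to a rogue mstscax.dll.
# Both show up in the path of the process and the path of the loaded DLL.
Get-Process -Name mstsc -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    if ($proc.Path -and -not (Test-TrustedModule -Path $proc.Path)) {
        Write-Warning "mstsc.exe (PID $($proc.Id)) runs from $($proc.Path)"
    }
    try {
        $proc.Modules | Where-Object { $_.ModuleName -ieq 'mstscax.dll' } |
            Where-Object { -not (Test-TrustedModule -Path $_.FileName) } |
            ForEach-Object { Write-Warning "PID $($proc.Id) loaded mstscax.dll from $($_.FileName)" }
    } catch { Write-Warning "Cannot read modules of PID $($proc.Id): $_" }
}

# Sweep user-writable locations (assumed roots) for stray copies of either
# file; a copy outside the system directories is the precondition for
# search-order hijacking, even when no session is running right now.
$searchRoots = @("$env:SystemDrive\Users", $env:ProgramData)
Get-ChildItem -Path $searchRoots -Recurse -File -ErrorAction SilentlyContinue `
              -Include 'mstscax.dll', 'mstsc.exe' |
    Where-Object { -not (Test-TrustedModule -Path $_.FullName) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            Modified  = $_.LastWriteTime
        }
    } | Format-Table -AutoSize
```

Any row in the final table, or any warning about a running process, points at a file whose origin should be explained before the host is trusted again.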

For instance, in 2013 the DLL Side Load attack was used in a nation-state cyber-attack against Pakistan, in which Google Updater (a Google utility for downloading and upgrading Google Pack, a Google software bundle, and third-party applications and utilities) was made to load a malicious version of the "goopdate" DLL from the same folder. When executed by Google Updater, the malicious "goopdate" DLL decrypted and ran the Win32/Darkshell.D backdoor on the victim's device.

In both cases, the executable loaders (mstsc.exe, GoogleTool.exe) were digitally signed by Microsoft and Google, which helps attackers circumvent antivirus defences.

The DLL Side Loading technique is known to be used by a number of state-sponsored hacking groups to mount Advanced Persistent Threat (APT) attacks, including APT3 (attributed to China's Ministry of State Security), APT19 (a China-based threat group), APT32 (the Vietnam-based OceanLotus group), and APT41 (another Chinese state-sponsored espionage group), as well as the well-known PlugX Remote Processing.

Why is it hard to detect RDP hacks?

RDP is a network protocol that allows a person to remotely control a device that is connected to the Internet. The remote person sees the screen of the computer they control, and their keyboard and mouse behave like those physically connected to the remote computer. For a remote desktop connection to be created, the local and remote machines need to authenticate with a username and password. Attackers who compromise the connection between the machines can inject malware or ransomware into the remote device. Attacks using the RDP protocol do not require input from the user, making intrusions harder to detect.

What would you do to mitigate the danger of RDP and protect your organization?

How do you reduce the chances of an intruder possessing your network by RDP? Here are a few tips:

Utilize your remote desktop gateway

Make use of a bridge between the public internet and your internal RDP-enabled computers. The Windows Server Remote Desktop Gateway supports SSL/TLS connections over port 443 and relays remote sessions securely to internal devices.

Strengthen your passwords

Manual attackers and automated tools will brute-force weak passwords to gain entry. Enforce a strict password policy before Remote Desktop Services (RDS) is enabled.

Consider using the Firewall

Blocking access to port 3389 with a firewall offers another layer of security for those who do not use RDP at all. If a misconfigured computer accidentally leaves the port open, this network-level defence still blocks it.

Use Network Level Authentication

This functionality (NLA), which is switched on by default in modern versions of Windows and Windows Server, requires the user to authenticate before a session to the remote computer is established.

Limit the Access

Removing RDP across the organization might not be suited to many administrators, particularly as remote desktop port use spiked during the COVID-19 crisis. Limiting access will benefit businesses facing this issue. By default, access is left open to all users when only a subset needs it, which increases the attack surface. Instead, switch off RDP access for those who do not need it, particularly accounts with administrator privileges.
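As an added example (not from the original article), this PowerShell script reports how a single host stands against the controls listed above: whether RDP is enabled, whether NLA is on, which port it listens on, whether firewall rules still allow that port inbound, and who is in the Remote Desktop Users group. The registry paths are the ones Remote Desktop Services uses; the thresholds and warning text are this example's own.

```powershell
# Added example (not from the original article). Run in an elevated session.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpHardeningReport {
    $ts  = Get-ItemProperty -Path $tsKey
    $tcp = Get-ItemProperty -Path $rdpTcp

    # fDenyTSConnections = 1 means RDP is switched off entirely.
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)
    # UserAuthentication = 1 is Network Level Authentication (NLA).
    $nla = ($tcp.UserAuthentication -eq 1)
    # SecurityLayer 2 = TLS required; 1 = negotiate; 0 = legacy RDP security.
    $tls = ($tcp.SecurityLayer -eq 2)
    # The listening port; 3389 is the default that scanners look for.
    $port = $tcp.PortNumber

    # Enabled inbound allow rules whose local port includes the RDP port.
    $rdpRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port" }

    # Who may log in interactively: local Remote Desktop Users membership.
    $rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RdpEnabled         = $rdpEnabled
        NetworkLevelAuth   = $nla
        TlsRequired        = $tls
        ListeningPort      = $port
        InboundAllowRules  = $rdpRules.Count
        RemoteDesktopUsers = ($rdpUsers.Name -join ', ')
    }
}

$report = Get-RdpHardeningReport
$report | Format-List

# Findings mapped to the advice above.
if ($report.RdpEnabled -and -not $report.NetworkLevelAuth) {
    Write-Warning "NLA is off; enable it with: Set-ItemProperty -Path '$rdpTcp' -Name UserAuthentication -Value 1"
}
if ($report.RdpEnabled -and -not $report.TlsRequired) {
    Write-Warning "TLS is not required for RDP sessions (SecurityLayer = $($report.TlsRequired))"
}
if (-not $report.RdpEnabled -and $report.InboundAllowRules -gt 0) {
    Write-Warning "RDP is disabled but $($report.InboundAllowRules) firewall rule(s) still allow inbound port $($report.ListeningPort)"
}
if ($report.RdpEnabled -and -not $report.RemoteDesktopUsers) {
    Write-Warning 'Remote Desktop Users is empty; only local Administrators can connect, so review who holds that role'
}
```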

How does Teceze help prevent attacks from RDP?

Teceze offers a range of cybersecurity services and can help conduct vulnerability assessments and penetration tests on your network and computers. If we discover any weaknesses, a mitigation plan will be created for each of them and outlined in a report. We are also available to assist in implementing the proposed mitigation strategy.
