Attackers on the Hunt for Exposed RDP Servers

April 28, 2020 Gil Rapaport

Privileged Access Management and Remote Desktop Protocol (RDP)

From the onset of the Covid-19 outbreak until the end of March, Shodan (a global search engine that scans and indexes internet-connected devices) tracked a 41% spike in Remote Desktop Protocol (RDP) usage. This makes sense since RDP is a popular way for users to access Windows machines and servers remotely over their VPN connections.

Organizations have ramped up RDP use to enable their remote workforce and maintain business operations during this time of uncertainty. Yet, while RDP is more secure than remote connection tools that do not encrypt entire sessions, two critical RDP vulnerabilities disclosed in the past year – BlueKeep and DejaBlue – highlight potential security risks. (You can learn more about these in this Threat Research blog).

In a recent SANS Technology Institute podcast, Dean of Research Johannes B. Ullrich, Ph.D. reported a sharp increase in exposed RDP servers (between 20-30%) and connected this surge to the number of system administrators now working from home. These “power users” have privileged access and are now managing servers from remote locations.

Cyber attackers have taken advantage of sysadmins working remotely and are dedicating more resources to scanning for the standard RDP port 3389 to see what has been exposed. They’ve also launched a wave of brute-force attacks using automation tools to systematically test username and credential combinations until they crack the code.

In a story told time and time again, once attackers gain an administrator’s privileged credentials, they can move laterally through the environment, escalating privileges until they reach valuable targets like the domain controller or cloud console. This access allows them to control any server, controller, endpoint or piece of data anywhere on a network. They can run commands, disable antivirus software, install malware, encrypt data for ransom or steal valuable data, including PII.

Fortunately, there are a few steps organizations can take to improve RDP security and reduce the risk of a data breach:

  1. Limit Privileged Access. By default, all administrators can log into RDP. Implement the principle of least privilege by limiting administrative privileges to only those who absolutely need it. Even better, layer in and enable just-in-time provisioning for remote vendors who are not part of the directory service so that their access is time-limited. Be sure to monitor and track all user access and activity during privileged sessions, especially for Tier0 assets like domain controllers or cloud consoles.
  2. Keep software up-to-date on all remote Windows machines connecting to the internet – including Windows 7 workstations.
  3. Enable NLA. Network level authentication (NLA) provides an extra level of authentication before a connection is established.
  4. Avoid Exposure. Keep RDP servers behind your firewall. Never allow direct RDP connections that expose machines and servers to the internet, which can put your critical data and internal systems at risk.
  5. Use Strong Passwords and Multifactor Authentication. Brute force tools are getting sophisticated. Strong password policies must be followed – and multi-factor authentication is a must. Even better, consider tools that eliminate passwords and other network-based access controls altogether.

Privileged Access Management (PAM) tools like the CyberArk Privileged Access Security Solution help organizations establish a secure RDP connection from the start. Privileged credentials are centrally stored and managed in a digital vault and access is granted according to user permissions. The web browser session is isolated and encrypted. Privileged user activity is tightly monitored and controlled, and suspicious activity is flagged so SOC teams can respond immediately.

Meanwhile, remote workers can use native workflows that don’t expose their endpoints to the credentials needed to access critical IT systems for work, maintenance or otherwise. Best of all, these strong PAM controls extend beyond RDP to help organizations secure remote connections to any web-facing system, like SSH authentication to Unix/Linux.

Interested in learning more? Register for our April 28 webinar Privileged Access 101: Changing Your Security Game or watch it on demand anytime.

Previous Video
Enforce Least Privilege on Endpoints and Prevent Lateral Movement
Enforce Least Privilege on Endpoints and Prevent Lateral Movement

Endpoint privilege manager implements proactive protection and secure privilege on the endpoints to reduce ...

Next Article
Office Exodus Drives Endpoint (In)Security
Office Exodus Drives Endpoint (In)Security

Around the globe, the rapid, unplanned shift to remote work has tested CISOs’ ability to get employees up a...