The Remote Desktop Protocol (RDP) is one of the most popular communication protocols used for remote control systems. It is used for most current Windows® operating systems, and allows users to remotely access servers or other computers by providing a graphical user interface. Microsoft even uses it as the default method for managing Azure virtual machines running Windows®.
Because RDP is so widely deployed, an attacker who gains a foothold will use it to move to other systems, which makes RDP a very attractive target. Attackers have realized that abusing legitimate RDP access is significantly more efficient than exploiting vulnerabilities, since it only requires obtaining valid credentials.
According to a recent X-Force report, stealing credentials for these systems is one of the most profitable businesses on the Dark Web. However, directly exposed servers are not the only systems that attackers target by using (or abusing) RDP. One of their goals is to blend their malicious behaviour into regular network traffic.
How does RDP work?
Before we dive into the details of RDP threat and protection, let’s first understand how it works. RDP is a bi-directional communication protocol. It can transmit the screen output of the server to the client and transmit the keyboard and mouse input from the client to the server. This process is asymmetric, since most of the data is from server to client, while there isn’t much data returned by the client. The client and server must go through multiple stages before establishing communication.
After a client connects, it agrees with the server on the usage settings (such as screen resolution, supported features, and license information). Then, they agree on the RDP security type and choose from two support modes:
- Standard mode, based on RC4
- Enhanced mode, where RDP relies on other protocols, such as TLS or CredSSP.
Finally, the client and server must agree on the number of channels required. Each channel is a separate data stream with its own ID, and together these streams make up the RDP session. Channels can redirect access to the file system or enable clipboard sharing between the client and the server.
RDP-related vulnerabilities and APT groups
In 2019, researchers discovered a critical vulnerability in RDP, called “BlueKeep.” This vulnerability (CVE-2019-0708) can be used to remotely execute arbitrary code without any user interaction or valid credentials. The combination of these factors can lead to worm-like spreading: malware that propagates itself among vulnerable systems. The same property was seen in the WannaCry ransomware that appeared a few years earlier. The distinguishing feature of BlueKeep is that it affects older Windows® systems. This forced Microsoft to take the unusual step of creating new patches for Windows® systems that it no longer supported.
In August 2019, researchers announced DejaBlue. It is not a single vulnerability per se, but a series of vulnerabilities. Similar to BlueKeep, DejaBlue allows attackers to hijack vulnerable systems without any form of authentication. Unlike BlueKeep, DejaBlue’s vulnerabilities are located in newer versions of Windows®. An attacker does not necessarily need to exploit a vulnerability, but can simply launch an attack by leveraging a misconfiguration. Common risks in RDP security include weak user login credentials and a failure to record or monitor RDP server login behavior, which allows attackers to launch brute-force or password-spray attacks against publicly exposed systems.
Threat groups that often use RDP to carry out attacks include APT41, FIN6, FIN7 and others, who use RDP for lateral movement, and FLIPSIDE and others, who use RDP to steal information. For example, Ngrok is a legitimate reverse-proxy service that can be abused to exfiltrate victim data by tunneling RDP traffic. WannaCry ransomware can execute malware in an existing remote desktop session. This kind of “stealing” of a session is usually called “RDP hijacking.”
Although there are security risks, RDP still provides a lot of value. It’s extremely important to protect your remote desktop servers.
- First of all, patch management is the foundation, ensuring that the system is always up-to-date, especially for critical remote access services.
- In most cases, organizations do not need to expose the RDP server to the public. Organizations can use firewalls, IP restrictions, access through VPNs, or just-in-time access to limit RDP exposure. The latter greatly reduces risk while ensuring that organizations can reach the service whenever they need it. It goes without saying: do not use easy-to-guess passwords for RDP-enabled accounts, and don’t allow remote access to all system users if it is not necessary.
- Implement a form of automatic account lockout to prevent attackers from guessing passwords through brute-force attacks. The organization should also enable network-level authentication (NLA), so that a client must authenticate before a full RDP session is created.
Monitoring and Logging
No matter how secure the organization’s RDP settings are, there will always be situations where an attacker can prevail. In these instances, the organization will need to rely on logging and monitoring to analyze what is happening.
Important sources of RDP forensic evidence include:
- The commands quser, qwinsta, and qprocess, which provide information about RDP users, sessions, and processes.
- The Microsoft-Windows-TerminalServices-RemoteConnectionManager and Microsoft-Windows-TerminalServices-LocalSessionManager event logs, which record network connections and the start and end of RDP sessions.
- Microsoft-Windows-Security-Auditing, which includes events detailing the success or failure of authentication attempts.
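The authentication events mentioned above can feed a simple detection for the brute-force and password-spray patterns discussed earlier. The following Python script is an added example, not code from the original article: it groups constructed records modelled on Security-log events 4624 (successful logon) and 4625 (failed logon) with LogonType 10 (RemoteInteractive, the RDP logon type) by source address, and the thresholds are assumed values.

```python
from collections import defaultdict

# Constructed sample records (not real telemetry) modelled on the fields a
# Security-log 4624/4625 event carries: EventID, LogonType, TargetUserName,
# IpAddress. LogonType 10 (RemoteInteractive) is the logon type RDP produces.
SAMPLE_EVENTS = [
    {"event_id": 4625, "logon_type": 10, "user": "alice", "src": "203.0.113.7"},
    {"event_id": 4625, "logon_type": 10, "user": "alice", "src": "203.0.113.7"},
    {"event_id": 4625, "logon_type": 10, "user": "alice", "src": "203.0.113.7"},
    {"event_id": 4625, "logon_type": 10, "user": "alice", "src": "203.0.113.7"},
    {"event_id": 4625, "logon_type": 10, "user": "alice", "src": "203.0.113.7"},
    {"event_id": 4624, "logon_type": 10, "user": "alice", "src": "203.0.113.7"},
    {"event_id": 4625, "logon_type": 10, "user": "bob", "src": "198.51.100.9"},
    {"event_id": 4625, "logon_type": 10, "user": "carol", "src": "198.51.100.9"},
    {"event_id": 4625, "logon_type": 10, "user": "dave", "src": "198.51.100.9"},
    {"event_id": 4625, "logon_type": 10, "user": "erin", "src": "198.51.100.9"},
    {"event_id": 4625, "logon_type": 3, "user": "svc", "src": "10.0.0.5"},  # network logon, not RDP
    {"event_id": 4624, "logon_type": 10, "user": "frank", "src": "10.0.0.20"},
]

def summarize_rdp_logons(events):
    """Per source IP: failure count, the accounts that failed, and the accounts
    that succeeded. Only LogonType 10 events are considered RDP logons."""
    per_src = defaultdict(lambda: {"failures": 0, "failed_users": set(), "successes": set()})
    for ev in events:
        if ev["logon_type"] != 10:
            continue
        summary = per_src[ev["src"]]
        if ev["event_id"] == 4625:
            summary["failures"] += 1
            summary["failed_users"].add(ev["user"])
        elif ev["event_id"] == 4624:
            summary["successes"].add(ev["user"])
    return per_src

def classify_sources(events, fail_threshold=5, spray_min_accounts=3):
    """Label each source IP; thresholds are assumed values for this example."""
    findings = {}
    for src, summary in summarize_rdp_logons(events).items():
        labels = []
        if summary["failures"] >= fail_threshold and len(summary["failed_users"]) == 1:
            labels.append("brute_force")      # many failures against one account
        if len(summary["failed_users"]) >= spray_min_accounts:
            labels.append("password_spray")   # few failures each, across many accounts
        if summary["failed_users"] & summary["successes"]:
            labels.append("success_after_failures")  # the case incident response cares about most
        if labels:
            findings[src] = labels
    return findings

if __name__ == "__main__":
    for src, labels in classify_sources(SAMPLE_EVENTS).items():
        print(src, ", ".join(labels))
```

On a real host the same records can be pulled from the Security log (for example with Get-WinEvent filtered on IDs 4624 and 4625) and fed to classify_sources after mapping the event fields to these keys.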
Although RDP does carry many risks, and attackers are increasingly interested in remote access tools, this doesn’t mean that organizations cannot deploy it in a safe and controlled manner. If the organization fully considers the above measures and sets up sufficient logging and monitoring, it should be able to protect its RDP servers.