How to protect RDP from ransomware attacks

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article is about how to protect RDP from ransomware attacks. The editor considers it very practical and shares it here in the hope that you get something out of it.

0x00 Background

During the months of the pandemic, many enterprises came to rely on RDP to keep their business running while maintaining social distance.

RDP (Remote Desktop Protocol) is a network protocol developed by Microsoft. It ships with most Windows editions and lets a user connect remotely to the graphical desktop of a server or another computer. RDP carries the remote machine's display to the client and the client's peripheral input (keyboard, mouse) back to the remote machine, so the user controls the remote computer as if sitting in front of it.

However, many enterprises switched to remote work in a hurry, without the time or resources to configure RDP securely, and that has handed ransomware groups an opportunity.

According to a McAfee report, the number of RDP ports exposed to the Internet surged from 3 million in January 2020 to 4.5 million in March 2020.

Below I discuss how to protect RDP from ransomware attacks from three angles, in the hope of prompting better ideas from others.

0x01 How attackers deploy malware using RDP

Used inside a private network, RDP is generally considered a secure and reliable tool. Serious problems arise when the RDP port is open to the Internet, because then anyone can attempt to connect to the server. If a connection succeeds, the attacker gains interactive access to the server and can do anything within the privileges of the compromised account.

Using RDP to deploy malware is not a new threat, but the pandemic's rapid shift to remote work has made it far worse.

According to a Kaspersky report, there were about 200,000 brute-force RDP attacks per day in the United States in early March 2020, and by mid-April that number had surged to nearly 1.3 million. Today RDP is regarded as the single largest attack vector for ransomware.

An RDP-based intrusion typically proceeds in four stages:

Scan for exposed RDP ports: attackers use free, easy-to-use tools, such as the Shodan search engine (which indexes already-scanned hosts) or their own mass port scanners, to find RDP ports exposed across the whole Internet.

Try to log in: attackers brute-force usernames and passwords, buy stolen credentials or already-compromised hosts on underground markets, or obtain a login through social engineering.

Weaken system security: once attackers have escalated their privileges, they focus on making the environment as defenceless as possible: disabling antivirus software, deleting backups, changing configuration settings that are normally locked, tampering with logs, and so on.

Post-exploitation: with the defences out of the way, attackers can deploy ransomware, install keyloggers, use the compromised host to send spam, steal sensitive data, or plant backdoors for future attacks.

0x02 How to guard against RDP-based attacks

In July 2020, Emsisoft proposed a new security strategy to help protect users from RDP attacks: cloud monitoring of RDP.

The endpoint agent reports the RDP service state of each home or business device to the cloud console in real time, so an administrator can see at a glance whether RDP is enabled on a given device. When multiple failed login attempts are detected, the Emsisoft Cloud Console raises an alert to the administrator, who can then decide whether to disable RDP on the affected device.
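The core of that strategy is simple: count failed logons per source address in a short window and alert when a threshold is crossed. The PowerShell below is an added example of that detection logic and is not Emsisoft's code or code from the original article. It reads Windows Security event 4625 (failed logon), which is real, but the threshold, the window, the sample data and the function names are assumptions for the example; the sample events are constructed, not captured from a host.

```powershell
# Added example: flag possible RDP brute-force activity from Security event 4625
# (failed logon), grouped by source IP. Threshold and window are assumptions.

function Find-RdpBruteForce {
    param(
        # Flat objects with TimeCreated, IpAddress, TargetUserName, LogonType
        [Parameter(Mandatory)] [object[]]$FailedLogons,
        [int]$Threshold = 10,
        [int]$WindowMinutes = 5
    )
    # RDP failures log as LogonType 10 (RemoteInteractive); with NLA enabled the
    # pre-session failure is often recorded as LogonType 3 (Network) but still
    # carries the source IP, so both types are kept.
    $rdpLike = $FailedLogons | Where-Object {
        $_.LogonType -in 3, 10 -and $_.IpAddress -and $_.IpAddress -ne '-'
    }
    $alerts = foreach ($group in ($rdpLike | Group-Object IpAddress)) {
        $events = @($group.Group | Sort-Object TimeCreated)
        # Sliding window: from each event, count attempts within $WindowMinutes.
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start = $events[$i].TimeCreated
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($events | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
            if ($inWindow.Count -ge $Threshold) {
                [pscustomobject]@{
                    SourceIp  = $group.Name
                    Attempts  = $inWindow.Count
                    FirstSeen = $start
                    LastSeen  = $inWindow[-1].TimeCreated
                    Users     = ($inWindow.TargetUserName | Sort-Object -Unique) -join ','
                }
                break   # one alert per source IP is enough
            }
        }
    }
    return $alerts
}

# Turn live Security-log events into the flat shape the function expects.
# Needs administrator rights to read the Security log.
function Get-FailedLogonEvents {
    param([int]$LookbackMinutes = 60)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$LookbackMinutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            IpAddress      = $d['IpAddress']
            TargetUserName = $d['TargetUserName']
            LogonType      = [int]$d['LogonType']
        }
    }
}

# Constructed sample data (assumption, not a real capture): one address sprays
# twelve common usernames in two minutes; a legitimate user mistypes twice.
$t0 = Get-Date '2020-04-15 03:00:00'
$names = 'administrator','admin','user','test','backup','sql','scan','guest','support','rdp','it','oracle'
$sample = @()
for ($i = 0; $i -lt $names.Count; $i++) {
    $sample += [pscustomobject]@{ TimeCreated = $t0.AddSeconds(10 * $i); IpAddress = '198.51.100.23'; TargetUserName = $names[$i]; LogonType = 3 }
}
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1);                IpAddress = '10.0.10.5'; TargetUserName = 'jsmith'; LogonType = 10 }
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1).AddSeconds(20); IpAddress = '10.0.10.5'; TargetUserName = 'jsmith'; LogonType = 10 }

Find-RdpBruteForce -FailedLogons $sample | Format-Table -AutoSize

# Against the live log instead of the sample:
# Find-RdpBruteForce -FailedLogons (Get-FailedLogonEvents -LookbackMinutes 30)
```

By construction, the spraying address exceeds the default threshold of ten attempts inside five minutes while the two mistyped passwords from the internal host do not, which is the distinction an administrator wants before deciding to disable RDP on a device. Hosts behind NAT or a VPN concentrator will share a source address, so tune the threshold per environment rather than copying the default.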

I expect this simple and effective strategy to be adopted by most domestic security products before long.

0x03 Eight common practices for securing RDP

First of all, RDP should stay disabled unless it is actually needed.

For enterprises that do need RDP, the following measures reduce the risk of brute-force attacks.

1. Use VPN

As mentioned earlier, serious security risks arise when RDP is open to the Internet. Instead, organizations should put remote users on a VPN so they reach the corporate network, and RDP inside it, without exposing the RDP hosts to the whole Internet. The VPN endpoint then becomes the Internet-facing service and needs the same care: prompt patching and MFA.

2. Set strong passwords

Most RDP-based attacks rely on brute-force password guessing. Enterprises must therefore enforce strong passwords, long, unique and random, on every account that can log in over RDP, ideally through password policy and a password manager rather than by asking nicely.

3. Use multi-factor authentication

Even the strongest password can be stolen. MFA (multi-factor authentication) adds another layer: with MFA enabled, an RDP user enters a username and password and then a one-time code from an MFA device, which may be hardware or software based. RDP itself has no built-in second factor, so in practice MFA is enforced in front of it, for example at an RD Gateway or VPN, or through a third-party credential provider on the host.

4. Use firewalls to restrict access

Firewalls can restrict RDP access to specific IP addresses or ranges, such as a management subnet or the VPN address pool. Note that the built-in Windows firewall rule for Remote Desktop allows connections from any address once RDP is enabled, so its scope should be narrowed explicitly.

5. Use RD Gateway

Windows Server 2008 and later include the RD Gateway role, which tunnels RDP over HTTPS on TCP port 443 (a TLS tunnel, although the older "SSL" name persists), so port 3389 never has to be exposed. The gateway is then the Internet-facing component and must be kept patched and protected by MFA.

6. Lock out after repeated failed logins

Multiple failed login attempts in a short period usually mean a brute-force attack is under way. The Windows account lockout policy can limit how many attempts a user may make before the account is locked, and the offending source addresses can be blocked at the firewall. Bear in mind that lockout alone can be turned against you: an attacker who knows valid usernames can lock legitimate users out, so pair it with IP restrictions rather than relying on it by itself.

7. Reasonable allocation of remote access rights

Although every member of the Administrators group can use RDP by default, many users can do their work without remote access at all. Enterprises should follow the principle of least privilege and grant RDP access (membership of the Remote Desktop Users group) only to those who genuinely need it, and keep the Administrators group itself small.

8. Change the RDP listening port

Attackers typically find targets by scanning the Internet for computers listening on the default RDP port (TCP 3389). Changing the listening port in the Windows registry can help "hide" an exposed service from default-port scans, but this is evasion, not protection, and should be treated only as a supplementary measure.
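The following PowerShell is an added example that applies practices 1 (disable when not needed), 3 (NLA, as the host-side prerequisite for MFA), 4, 6, 7 and 8 on a single Windows host; it is not code from the original article. The management subnet, the port value, the group name and the lockout numbers are assumptions for the example, and the "Remote Desktop" display group name is the English one. Run it in an elevated session on a test machine first.

```powershell
# Added example: harden the RDP listener on one Windows host.
# Values below are assumptions for the example; adjust them to your network.
$ManagementSubnet = '10.0.10.0/24'        # only these clients may reach RDP
$RdpPort          = 3389                  # change only as a supplementary measure
$AllowedGroup     = 'CORP\RDP-Operators'  # hypothetical group that needs RDP

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# 1. Hosts that do not need RDP: deny connections and stop here.
# Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1

# 3. Require Network Level Authentication so credentials are checked before a
#    desktop session is created. MFA itself is enforced at the gateway/VPN.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1

# 4. Scope the built-in Remote Desktop firewall rules (which default to "Any")
#    to the management subnet. Localized systems use a different display group.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $ManagementSubnet

# 6. Lock accounts after repeated failures. This sets the local policy; on a
#    domain-joined host the domain account lockout policy takes precedence.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 7. Least privilege: only the designated group stays in Remote Desktop Users.
#    Members of Administrators can always connect, so keep that group small.
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Where-Object { $_.Name -ne $AllowedGroup } |
    ForEach-Object { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_ }
# Adding an existing member raises an error; that is harmless here.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $AllowedGroup -ErrorAction SilentlyContinue

# 8. Optional: move the listener off 3389. This only avoids default-port scans;
#    the firewall scope above is what actually limits exposure.
if ($RdpPort -ne 3389) {
    Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $RdpPort
    New-NetFirewallRule -DisplayName "RDP $RdpPort (management only)" -Direction Inbound `
        -Protocol TCP -LocalPort $RdpPort -RemoteAddress $ManagementSubnet -Action Allow
    Restart-Service TermService -Force
}

# Verify the result.
Get-ItemProperty -Path $rdpTcp -Name UserAuthentication, PortNumber
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Get-LocalGroupMember -Group 'Remote Desktop Users'
net accounts
```

Practice 2 (strong passwords) and practice 5 (RD Gateway) are not in the script: password policy belongs in Group Policy, and the gateway is a separate server role. The registry and firewall changes take effect for new connections; the port change needs the TermService restart shown, which drops existing sessions, so do not run that branch over the RDP session you are administering from.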

The above is how to protect RDP from ransomware attacks. The editor believes some of these points are ones we will see or use in daily work, and hopes you have learned something from this article.