The growing incidence and sophistication of Remote Desktop Protocol (RDP) attacks are not fresh news anymore. But their potential and backstairs capabilities could claw into the realm of cryptocurrency mining in a big way if enterprises do not deploy attention and arms soon. Let’s get up close and personal on why these new attack routes matter: not just for helping you avoid ransomware, but also for keeping your computers out of the grabs of crypto-miners and your cryptocurrency safe.
It started with Ransomware – and the troops that followed
Ransomware has been a big and consistent bugbear, a pirate with a notorious swagger that kept knocking menacingly at many enterprise forts in the last two years. From WannaCry to NotPetya to Locky, these attacks arrived like an unexpected swarm of bees and shook up the way Chief Information Officers (CIOs), Chief Information Security Officers (CISOs) and security firms looked at their security arsenals. Of course, the answer was to build a new or a better moat. But these moats and walls were cemented with an eye on rock-climbers that could crawl around huge barriers and heavy gates.
What these ransomware-battle war rooms missed, though, were the tiny holes that were accommodated inside existing and new walls. Holes that allowed pigeons to rest. Pigeons that were recruited to bring and send messages across big forts and empires. Yes, RDP.
So what exactly happened?
One of the reasons why the latest versions of different ransomware are turning towards RDP is that most security products have built advanced protection against ransomware attacks, explains Sanjay Katkar, Chief Technology Officer (CTO), Quick Heal Technologies Limited. “The enhanced level of anti-ransomware protection makes targeting new customers quite difficult for cybercriminals. Automated RDP allows these threat actors to remotely take control of the victims’ computers and uninstall the security software, before deploying the ransomware attack against the now-vulnerable devices. This is why most ransomware approaches are leveraging RDP to successfully attack even well-protected systems.”
Neeraj Khandelwal, Co-Founder and CTO, CoinDCX, seconds that RDP is helping the bad guys sneak inside organizations easily and noiselessly enough. “RDP is used for remotely connecting to Windows systems. In an RDP attack, criminals look for unsecured RDP services to exploit and access enterprise networks. It’s frighteningly easy to do so because many organizations fail to secure RDP services against improper access.”
In other words, the holes that were left forgotten on the assumption that they were too tiny for anyone but a rope or a bird to crawl through are the very ones these new-battle ninjas are coming in from. Their feet are swift, their bodies agile, and their skills too sharp and adaptive for the size of these holes to deter them.
As Farrhad Acidwalla, founder of CYBERNETIV, a cyber security and research organization, dissects, lethal ransomware like WannaCry used the Server Message Block (SMB) protocol to infect millions of users across the globe. He adds that the National Security Agency (NSA) had secret exploits such as EternalBlue, which was based on the same protocol and was used in the WannaCry hack. This has now led several manufacturers to soup up their product and software security from the ground up, including strengthening the SMB protocol.
In Farrhad’s own words:
“Hackers and malicious agents clearly understood the need for an alternative to this aging protocol that had now come into the focus of manufacturers and developers. This led them to target RDP, which provides hackers with remote access to systems and allows them to potentially wreak havoc.”
No wonder even the Federal Bureau of Investigation (FBI) and the US Department of Homeland Security had to ring alarm bells on RDP, pointing at the rise of malicious cyber actors identifying and exploiting vulnerable RDP sessions over the internet to compromise identities, steal login credentials and ransom data. The Internet Crime Complaint Center (IC3) has also raised a security alert on exposed remote desktop services.
Weak passwords for initiating RDP connections, outdated versions of RDP that make man-in-the-middle attacks easier, unrestricted access to the default RDP port (3389) and the like are making it possible for new names like CrySiS, CryptON and SamSam to abuse open RDP ports through brute-force attacks.
Katkar observes that RDP attacks are most successful if the targeted system has an open port and/or a weak password configuration. “At Quick Heal Technologies, we see around 35,000+ RDP attempts on an average daily count among our users, which we block and protect our users from. The sheer volume of such attacks is indicative of how critical the current threat landscape is, especially with cybercriminals using such sophisticated attack vectors.”
A recent Trend Micro report revealed that more than 35 million brute-force login attempts on home computers and personal devices were detected in 2018. It is not surprising that attempts through RDP account for 85% of the total number of attacks recorded now.
Ninjas on the prowl – Expect Mining Attacks Next
If you thought this new cloak-and-dagger affair of RDP is more cloak and less dagger, try to slide your head inside the hood for a moment. Experts will point out several vulnerabilities, loose-hanging wires and low-hanging fruits that are paving an easy road for those who want to exploit RDP.
What’s more alarming, and unattended as of now, is the prospect of RDP being used for furtive mining. We know that crypto-mining has been growing both in numbers and in sly ways all across the globe, silently and surreptitiously hogging the computer resources of unaware users and enterprises. Katkar avers that the possibility of RDP becoming a strong route for mining is particularly rife. “We have also seen an increase in the use of RDP attacks by crypto-mining malware. This is helping crypto-mining malware to successfully target more users.”
Acidwalla rips open the ‘how’. “Technically, crypto-jacking is utilizing another user’s system for mining bitcoins. All the hacker needs to do is execute a mining script on the victim’s system, and this can be achieved only if the attacker has remote access to the victim’s system, and for such a situation they use RDP-based exploits.”
Typically, keyloggers, malware or service-disruption software may be installed on target machines, warns Khandelwal. “But hackers may also install cryptocurrency mining software on the target machines for leveraging their computing resources. When a large organization with thousands of Windows machines is vulnerable, hackers may get sufficient computing resources to even hijack the whole blockchain of a particular crypto-asset and steal a hefty amount of funds.” The worst part, he underlines, is that these activities may go totally unnoticed for a long time.
Wake up before the tap is drained
Reactive security is a thing of yore. In the times of uncertainty, unpredictability and intensity that we are living in, exposing an enterprise’s computing infrastructure to a potent threat that still lurks somewhere in the shadows is not something that businesses can afford to do. Not when computing is not just expensive, mission-critical and maintenance-heavy, but also the very backbone of any digitally-pumped business.
Get forewarned and forearmed before mining-dents become the next pages in the chronicles of threats of the new century.
Preventing RDP attacks should be one of the top security priorities, in the advice-kit of Khandelwal. “Apart from basic Internet Protocol (IP) checks, proper authorization, and multi-factor authentication can mitigate these risks.”
Katkar does not mince words or barbs to lay out a good red line of caution. “In a rapidly-evolving threat landscape, RDP attacks are extremely dangerous and are being deployed by multiple ransomware families.”
Watch for those open ports, configurations and access permissions that are letting RDP admit someone you do not want inside your forts. Keep those patches, account lockouts and firewalls up to speed too.
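The brute-force attempts and account-lockout advice above translate directly into something a defender can run over Windows Security audit logs. The following is an added example, not code from the article or from any of the firms quoted: it reads constructed Event ID 4625 (failed logon) records, keeps only LogonType 10 (RemoteInteractive, i.e. an RDP logon), and reports any source address whose failures inside a short window exceed what a lockout policy would tolerate; the simplified key=value log format and the IP addresses are assumptions for this example.

```python
"""Added example (not from the article): spot RDP brute-force bursts in
Windows Security audit records. Event 4625 = failed logon; LogonType 10 =
RemoteInteractive (RDP). Records below are constructed in a simplified
key=value form; the field names follow the real 4625 event schema."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2019-03-01T02:14:03 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2019-03-01T02:14:05 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2019-03-01T02:14:06 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2019-03-01T02:14:08 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2019-03-01T02:14:11 EventID=4625 LogonType=10 TargetUserName=guest IpAddress=203.0.113.7
2019-03-01T02:14:12 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=203.0.113.9
2019-03-01T02:14:13 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=203.0.113.9
2019-03-01T02:14:14 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=203.0.113.9
2019-03-01T02:14:15 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=203.0.113.9
2019-03-01T02:14:16 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=203.0.113.9
2019-03-01T02:15:40 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.22
2019-03-01T02:20:30 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
"""

LOCKOUT_THRESHOLD = 5                   # failures a lockout policy would tolerate
LOCKOUT_WINDOW = timedelta(minutes=2)   # observation window for those failures

def parse_event(line):
    """'2019-03-01T02:14:03 EventID=4625 ...' -> dict, with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def rdp_bruteforce_sources(log_text, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return {ip: (peak failures inside one window, sorted usernames tried)}
    for every source whose failed RDP logons reach the lockout threshold."""
    recent, users, peak = defaultdict(deque), defaultdict(set), {}
    for line in filter(None, log_text.splitlines()):
        ev = parse_event(line)
        if ev["EventID"] != "4625" or ev["LogonType"] != "10":
            continue                    # keep only failed RDP (RemoteInteractive) logons
        ip, q = ev["IpAddress"], recent[ev["IpAddress"]]
        q.append(ev["ts"])
        users[ip].add(ev["TargetUserName"].lower())
        while ev["ts"] - q[0] > window: # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return {ip: (n, sorted(users[ip])) for ip, n in peak.items()}

if __name__ == "__main__":
    for ip, (n, names) in rdp_bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {n} failed RDP logons within {LOCKOUT_WINDOW}, usernames tried: {names}")
```

The network-logon (LogonType 3) failures from the second address are deliberately left out of the count, so the alert stays specific to the RDP path the article is concerned with; on a real host the same fields come from the Security event log rather than a text blob.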
It is not easy to match someone on cat’s feet. But don’t be a cat’s paw too. Watch those holes.
What are your thoughts on the risk of remote desktop attacks? Let us know in the comment section below!