The use of the Remote Desktop Protocol (RDP) has skyrocketed since the COVID-19 outbreak. As a result, there’s a high risk of attackers trying to exploit vulnerabilities such as BlueKeep to gain control over remote machines.
Attacks on RDP servers online on the rise
Short for Remote Desktop Protocol, RDP allows users to work on their remote machine whether it’s a desktop from the office or any remote system for that matter. All you need to do is connect to your remote machine using the RDP software and gain access to a remote system.
Since the COVID-19 outbreak, a lot of companies have exposed their Remote Desktop server directly to the Internet, further increasing the chances of a hostile takeover by hackers and cybercriminals.
To understand the risk involved, especially when it comes to exposing RDP servers directly to the Internet, we talked to Gil Azrielant, co-founder and CTO of an Israeli cybersecurity firm Axis Security.
“Attackers look for the lowest hanging fruits. They will scan everything you have public on the internet and they will look for vulnerabilities and easy ways in, and once they have their first foothold of the organization, it’s very easy to laterally move.”
Lateral Movement is a technique that attackers use in order to control remote systems on a network.
Gil also explained to us another way attackers try to cause a denial of service to certain services in RDP.
“Whenever someone connects to the remote machine, it renders the Windows login page, which takes resources and sends it over the internet. Only in certain new machines, there is a feature to block that but still, 95 percent of the machines out there will render a page for you and send it away even before you authenticate it.”
This way, attacks send multiple start session requests to drain all the resources of the machine and prevent users from connecting to it.
“This is a very easy and naive way to cause damage to organizations that have their RDP servers out in the open.”
Companies need to be aware of RDP vulnerabilities
As Gil explained to us, RDP vulnerabilities serve as a purpose for attackers to make the remote machine act unexpectedly or install ransomware on it. One such vulnerability — Bluekeep — allows an attacker to send a well-crafted packet that will eventually let them take control over the remote machine without needing to enter username and password.
“Since the COVID-19 outbreak, many companies decided to put RDP servers out on the internet so people can remotely connect to it.”
Once RDP servers are exposed online, server admins would be able to see hundreds of login attempts every hour, trying to connect to the server, warns Gil.
“So, you’ve bad actors scanning the Internet all the time and looking for RDP machines.”
How to safeguard against RDP flaws
Like most security experts and researchers, Gil warns businesses against an idea of exposing Remote Desktop servers directly to the Internet. And if need be, businesses and companies must ensure they have an added layer of security in place.
“When exposing RDP applications, I’d highly recommend to do it in a centralized and managed way that is not open to the public.”
Organizations globally can make use of certain cloud security solutions to set policies that can be checked outside the network and safeguard themselves against a Distributed denial-of-service (DDoS) attack. Third-party solutions can also keep the RDP server off the radar and ensure proper authentication.
