RDP Vulnerabilities Expose Businesses to Security Risks


Thousands of businesses across the country and millions of shelter-in-place employees are taking advantage of Microsoft's Remote Desktop Protocol (RDP) to connect to remote computers, access data on in-house networked devices, and collaborate directly on a remote desktop computer.

While remote connections offer a convenient way to work together and access critical data on corporate computers from any location, RDP has vulnerabilities that make it a prime target for hackers. Cybercriminals often use RDP to position themselves as a man-in-the-middle and steal data or user credentials, or as a primary attack vector for distributing ransomware.

RDP for Business Continuity

RDP is the protocol behind Microsoft's Remote Desktop Connection (RDC) client, and RDP clients are also available for Apple computers running macOS and for Linux systems. Business users can also use RDP on mobile operating systems such as Android and iOS.

For organizations that utilize RDP on both desktop and mobile devices, these operations are critical for business continuity.

In the first quarter of 2019 alone, 63.5% of all ransomware attacks were performed using RDP vulnerabilities, according to a report by McAfee.

[Figure: RDP_Attack_Vector. Source: McAfee]

RDP Vulnerabilities

Last year, security researchers found an alarming 25 vulnerabilities in popular RDP clients used by most business users. They include:

  • Microsoft's built-in RDP client, whose executable file is mstsc.exe.
  • FreeRDP, the most popular open-source RDP client on GitHub.
  • rdesktop, another open-source RDP client and the default RDP client in Kali Linux distributions.

Not all IT teams are aware of the reverse RDP vulnerabilities, which affect the connecting client machine rather than the host to which the user is connecting.

Buffer Overflow

Check Point researchers published a report that details how malware on the host system uses a buffer overflow to achieve remote code execution on the client machine. These flaws in the two open-source RDP clients were patched, but hackers actively seek to exploit RDP weak points in open-source software.

Rest assured that Microsoft’s RDP programming code is well written and stronger than the code powering the current open-source RDP clients, but there are still issues that can negatively affect corporate and individual RDP users.

BlueKeep Code Bug

In 2019, Microsoft identified critical vulnerabilities in their RDP software, which enabled an attacker to spread malware across connected machines with little to no user intervention. The news of these vulnerabilities (already patched by Microsoft) is part of a bigger story that involves another RDP code bug known as CVE-2019-0708 or BlueKeep.

BlueKeep posed a grave risk for any RDP user, as it enabled an attacker to connect to an RDP-enabled system and run arbitrary code on the target computer without authentication. BlueKeep is wormable: malware exploiting it can spread to other vulnerable systems without any user action. In response, Microsoft distributed RDP patches for all versions of their Windows OS, including versions that are no longer supported.

Clipboard Vulnerability

Another vulnerability in Microsoft's RDP client was uncovered recently. It originates from the mechanism that lets a host and a client machine connected via RDP share their clipboards, i.e. the data a computer holds in memory after a copy operation for later pasting. Thus, if a user performs a 'Copy & Paste' action, which is very common in a document-editing scenario, an infected RDP server can save arbitrary files to arbitrary file locations on the client machine.

This vulnerability enables a malicious actor to place a malicious executable in any file location that is not explicitly restricted by the client machine's administrator. Such files can also be executed on startup and thus run code that gives the attacker whatever control the malicious code is designed to hand over.

The clipboard vulnerability requires some user action as the malicious code can be stored on a computing device only when a user copies and pastes something from the clipboard. Nonetheless, it is a serious security risk since a bad actor can push code onto the clipboard without the user's permission or awareness.

Vulnerability Management for RDP

Any of these RDP vulnerabilities can affect businesses that do not pay enough attention to the security of the connected IT systems. The outcome from an RDP attack on business-critical systems can vary from stolen login credentials through leaks of sensitive data to spreading ransomware on each and every machine within a corporate network.

But businesses can take protective measures to mitigate the risks associated with RDP connections, including protection from unknown vulnerabilities.

How to Protect Against RDP Risks

Any organization using RDP connectivity should secure their sessions, especially any connection utilizing Internet servers and services running behind them, even if the RDP server and RDP clients are installed in-house.

Organizations should start by implementing two measures that are fundamental to overall RDP security:

  • Enable Network Level Authentication (NLA) on all business systems running Windows Vista, Windows 7 and Windows Server 2008. Businesses should also use the local machine’s lock screen and not rely on the remote machine’s lock feature in Windows 10 and Windows Server 2019. In short, businesses must allow connections only from computers running Remote Desktop with Network Level Authentication.
  • Remote Desktop runs on port 3389, which in turn means organizations should secure this port and not leave it open. They can either block all inbound traffic to the port at the firewall (including the built-in Windows firewall) or create a firewall rule that allows RDP connections only from a list of fixed individual IP addresses or networks.
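The two baseline controls above, applied and verified with PowerShell on a Windows host that accepts RDP connections, as an added example that is not part of the original post. It assumes the built-in Windows firewall with its default "Remote Desktop" rule group, administrator rights, and a placeholder list of allowed source networks ($AllowedNetworks); the function names are mine.

```powershell
# Added example (not from the Datashield post): audit and enforce the RDP baseline.
# Run in an elevated PowerShell session on the host that accepts RDP connections.

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# Placeholder sources that may reach port 3389: a management subnet and one jump host.
$AllowedNetworks = @('10.0.0.0/24', '192.0.2.10')

function Get-RdpBaseline {
    # Report the state of both controls so the result can be compared before/after.
    [pscustomobject]@{
        NlaRequired          = (Get-ItemProperty -Path $RdpTcpKey -Name UserAuthentication).UserAuthentication -eq 1
        RdpRuleRemoteAddress = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                                Get-NetFirewallAddressFilter).RemoteAddress | Select-Object -Unique
        # Any profile whose default inbound action is Allow leaves unscoped ports reachable.
        DefaultInboundBlock  = -not (Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -eq 'Allow' })
    }
}

function Set-RdpBaseline {
    param([string[]]$Networks = $AllowedNetworks)

    # 1. Require Network Level Authentication: the user is authenticated before a session is created.
    Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value 1 -Type DWord

    # 2. Do not leave 3389 open: scope the built-in "Remote Desktop" rules to the known sources and
    #    let the profile's default inbound action block everything else. A separate "block" rule is
    #    deliberately not added, because block rules take precedence over allow rules in Windows Firewall.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $Networks
    Set-NetFirewallProfile -All -DefaultInboundAction Block
}

Get-RdpBaseline     # state before enforcing
Set-RdpBaseline
Get-RdpBaseline     # re-check: NLA required, rules scoped to $Networks, default inbound blocked
```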

These are important yet basic proactive security measures needed to protect RDP connections regardless of industry.

Malicious Activity Doesn’t Discriminate by Industry

Statistics show that suspicious RDP activity detections are distributed almost equally across all industry verticals.

[Figure: RDP_Attacks_Distribution. Source: TechRepublic/Vectra AI]

A comprehensive cyber security policy should adopt a number of measures that will improve an organization's overall IT security.

Measures to mitigate RDP security risks include:

  • Enforce strong password policies that govern password length and lock out a machine after a pre-set number of unsuccessful login attempts.
  • Set user rights for RDP connections to specify which user accounts can connect through RDP.
  • Remove the Administrators group from RDP access on machines that run RDP in order to avoid escalation of user privileges. Limit RDP access to only the accounts that need such connectivity, administrator accounts included.
  • Consider using a reliable virtual private network (VPN) for corporate RDP connections to take advantage of VPN data encryption and block connection attempts from unauthorized IP addresses.
  • Adopt multi-factor authentication (MFA) or two-factor authentication (2FA) if possible.
  • Enable system and event logging (logs are usually activated by default) and check the respective logs on a regular basis to identify suspicious activity and/or connections.
  • Disable bi-directional clipboard sharing over RDP if using the Microsoft RDP client (mstsc.exe) to avoid possible injection of malicious code.
  • Patch systems for both RDP vulnerabilities and any other software bugs, and update applications continuously.
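The log review recommended above, turned into a concrete check: the PowerShell below pulls failed logons (Security event 4625) that used the RemoteInteractive logon type (10, i.e. RDP) and flags any source address with a burst of failures, which is what a password-guessing campaign against port 3389 looks like. This is an added example, not part of the original post; it assumes logon-failure auditing is enabled, and the function names, threshold and the constructed sample events are mine.

```powershell
# Added example (not from the Datashield post): find RDP password-guessing in the Security log.

function ConvertFrom-LogonFailureEvent {
    # Flatten a 4625 event's EventData into the fields the detection needs.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $field = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            User      = $field['TargetUserName']
            LogonType = [int]$field['LogonType']
            IpAddress = $field['IpAddress']
        }
    }
}

function Get-RdpLogonFailures {
    # Live collection: failed logons over RDP (LogonType 10) in the last $Hours.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ConvertFrom-LogonFailureEvent |
        Where-Object { $_.LogonType -eq 10 }
}

function Find-RdpBruteForce {
    # Report each source IP that produced $Threshold failures inside any $WindowMinutes span.
    param([Parameter(Mandatory)] [object[]]$Failures, [int]$Threshold = 10, [int]$WindowMinutes = 10)
    $Failures | Group-Object IpAddress | ForEach-Object {
        $times = @($_.Group | Sort-Object Time | Select-Object -ExpandProperty Time)
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {       # sliding window
            if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{ IpAddress = $_.Name; Failures = $_.Count
                                   Users = ($_.Group.User | Select-Object -Unique) -join ',' }
                break
            }
        }
    }
}

# Constructed sample: 15 failures 20 s apart from one address (a spray across many user names),
# plus a single typo-style failure from an internal host that must not be flagged.
$sample = @(0..14 | ForEach-Object {
    [pscustomobject]@{ Time = (Get-Date '2020-04-01T10:00:00').AddSeconds($_ * 20)
                       User = "user$_"; LogonType = 10; IpAddress = '203.0.113.5' } })
$sample += [pscustomobject]@{ Time = Get-Date '2020-04-01T11:00:00'; User = 'alice'; LogonType = 10; IpAddress = '10.0.0.7' }

Find-RdpBruteForce -Failures $sample | Format-Table          # offline run on the sample
# Find-RdpBruteForce -Failures (Get-RdpLogonFailures -Hours 24)   # same logic on the real log
```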

Conclusion

Microsoft estimates that more than one million devices running older versions of their Windows OS are still vulnerable to RDP attacks even though the company released patches preventing the BlueKeep exploit from infecting Windows PCs. When businesses running open-source RDP clients are factored into the equation, the number of business computers that are potential victims of an automated or targeted cyberattack is unknown but likely in the tens of millions.

Organizations should be on high alert for new hacks that emerge on a daily basis and old exploits that evolve over time.

Datashield works with our clients to not only secure their networks but monitor them for breaches and remediate issues when they arise. With a resilient cybersecurity strategy and our team of expert analysts, our clients feel protected when it comes to implementing remote work procedures.

Additionally, we are able to protect our clients with our threat hunting services, which utilize the latest threat intelligence feeds to monitor for known vulnerabilities and exploits.
