5/17/2018
02:30 PM
Matt Ahrens
Commentary

The Risks of Remote Desktop Access Are Far from Remote

RDP is used by fraudsters to steal and monetize data more often than you might think. But there are ways to stay safe.

No one wakes up thinking "today's the day I'm going to be hacked." Even though we've all seen big-name companies fall prey to cyberattacks, most business owners don't think it will ever happen to them. They're wrong. Breaches at Target, Home Depot, and Equifax may capture all of the attention, but a piece of software commonly used by small businesses makes them far more attractive targets to hackers.

The software? Remote Desktop. Many businesses use Remote Desktop to facilitate network access for remote employees over the Internet. But by granting such access, these businesses have made it much more likely they'll be targeted and hacked. Over a 10-year career providing incident response and forensics following data breaches, I've seen thousands of companies crippled by the exploitation of remote access points. And I've seen how quickly and effectively fraudsters leverage hijacked computers to steal and monetize data, and how they've used such access to take control of entire networks.

What Is Remote Desktop?
The Remote Desktop Protocol (RDP) lets a user log in to a computer over the network and control it almost as if sitting in front of it. RDP is very easy to use and widely deployed; the Remote Desktop server is built into most editions of Microsoft Windows. Used within a private network, it's a very powerful business tool. Exposed directly to the Internet, however, it is not secure enough to be safe.

Imagine a small (fictional) CPA firm, Joe's Taxes. Joe's Taxes has three partners and five accountants. What's the easiest way for all eight team members to access a single server with specialized accounting and tax software? You guessed it: RDP.

With a Remote Desktop setup, Joe can access his tax server and client data from anywhere, as can his partners and employees. This is not only convenient but increases productivity in Joe's office. Joe's employees can now collaborate on projects and remotely access documents that are securely stored and backed up in the office.

What Could Go Wrong?
Criminals, aware of the valuable information in the possession of businesses like Joe's, are also keen to remotely access this data. So keen that they've developed a wide array of tools that continuously scan the Internet for remote access points. Services such as Censys.io and Shodan.io, designed to map assets on the Internet, can also be used to discover potentially vulnerable targets. An RDP server answers anyone who connects to its port (TCP 3389 by default) with a negotiation response, and that response is all a scanner needs to catalog it.
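How a scanner recognizes an RDP server, and what the reply tells a defender, as an added example that is not part of the article: every RDP server answers a new connection with an X.224 Connection Confirm, and if the client asked only for legacy RDP or TLS security, a server that enforces Network Level Authentication refuses with the failure code HYBRID_REQUIRED_BY_SERVER. The Python below builds the request a scanner sends, classifies three constructed replies (made-up byte strings following the public MS-RDPBCGR field layouts, not captured traffic), and includes a `probe()` helper for a live host. The cookie value and the verdict strings are my choices.

```python
"""RDP connection negotiation as Internet scanners use it (MS-RDPBCGR X.224 CR/CC).
Added example: builds the Connection Request a scanner sends and classifies the
server's Connection Confirm.  The *_CC byte strings below are constructed samples."""
import socket
import struct

# requestedProtocols / selectedProtocol flags from RDP_NEG_REQ / RDP_NEG_RSP
PROTOCOL_RDP = 0x00000000        # standard RDP security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001        # TLS; credentials typed into the graphical logon screen
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. Network Level Authentication (NLA)
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols, cookie=b"mstshash=probe"):
    """TPKT + X.224 Connection Request + RDP Negotiation Request.

    Asking for RDP|SSL but not HYBRID is deliberate: a server that enforces NLA
    must then refuse, which is how the probe learns that NLA is switched on."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    routing_token = b"Cookie: " + cookie + b"\r\n"      # assumed cookie, like mstsc's
    # CR TPDU: code 0xE0, DST-REF, SRC-REF, class option, then the variable part
    body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + routing_token + neg_req
    x224 = bytes([len(body)]) + body                      # LI = octets after the LI octet
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Return (selected_protocol, failure_name) from a Connection Confirm.

    A server predating protocol negotiation sends no RDP_NEG_RSP at all, which
    means standard RDP security; both fields are None in that case."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a complete TPKT packet")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:                               # X.224 CC TPDU code
        raise ValueError("not an X.224 Connection Confirm")
    variable = data[11:5 + li]                            # after the 6-byte fixed CC header
    if len(variable) < 8:
        return None, None
    typ, _flags, length, value = struct.unpack("<BBHI", variable[:8])
    if length != 8:
        raise ValueError("bad RDP negotiation structure length")
    if typ == TYPE_RDP_NEG_RSP:
        return value, None
    if typ == TYPE_RDP_NEG_FAILURE:
        return None, FAILURE_CODES.get(value, "UNKNOWN_%#x" % value)
    raise ValueError("unexpected negotiation type %#x" % typ)


def assess(data):
    """One-line verdict a defender wants for an RDP server found on the Internet."""
    selected, failure = parse_connection_confirm(data)
    if failure == "HYBRID_REQUIRED_BY_SERVER":
        return "NLA enforced: passwords are still guessable over CredSSP, but no logon screen is exposed"
    if failure is not None:
        return "negotiation failed: " + failure
    if selected is None or selected == PROTOCOL_RDP:
        return "standard RDP security: legacy encryption, graphical logon screen exposed"
    if selected & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX):
        return "NLA offered, not known to be enforced"
    return "TLS without NLA: graphical logon screen exposed to anyone who connects"


def probe(host, port=3389, timeout=5.0):
    """Live check of one host (needs network access); returns the assess() verdict."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(build_connection_request(PROTOCOL_RDP | PROTOCOL_SSL))
        return assess(conn.recv(1024))


# Constructed replies, not captured traffic: TPKT, then LI, 0xD0, DST-REF, SRC-REF, class, [RDP_NEG_*]
LEGACY_CC = bytes.fromhex("03 00 00 0b  06 d0 00 00 12 34 00")
TLS_CC = bytes.fromhex("03 00 00 13  0e d0 00 00 12 34 00  02 00 08 00 01 00 00 00")
NLA_REQUIRED_CC = bytes.fromhex("03 00 00 13  0e d0 00 00 12 34 00  03 00 08 00 05 00 00 00")

if __name__ == "__main__":
    for name, reply in (("legacy", LEGACY_CC), ("tls", TLS_CC), ("nla", NLA_REQUIRED_CC)):
        print(name, "->", assess(reply))
```

The point for the defender is in the verdicts: a reply that selects TLS or legacy security means the full graphical logon screen is reachable by anyone on the Internet, while HYBRID_REQUIRED_BY_SERVER means NLA is on, which hides the logon screen but still lets an attacker submit password guesses through CredSSP. Neither verdict changes the advice later in the article: the fix is to take the service off the Internet or add a second factor, not to rely on the negotiation.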

With remote access to a network, criminals can not only read sensitive information and hijack login credentials and identities, they can also use that access to deploy ransomware, as the "SamSam" gang and the operators of Dharma ransomware have done. Even the access alone is worth something. Criminals routinely buy and sell Remote Desktop credentials in criminal markets such as xDedic, with pricing driven by where the server is located, what software it's running, and other attributes that signal its value to a buyer. You can bet that our fictional CPA firm would fetch a decent price. (See, for example, this Kaspersky report.)

How Does This Work?
Once a firm is targeted, it's surprisingly easy to get past the password protection in place, largely because there is only one factor to defeat: the password itself. Without a multifactor authentication mechanism, such as a one-time code delivered by text message, phone call, or authenticator token, the attacker is free to guess a user's password, and automated guessing against an exposed logon prompt can succeed in a matter of hours. Moreover, as a business adds accounts over time, old unused accounts enlarge the attack surface, and nobody is watching them for failed logons. Attackers also have billions of compromised credentials from past data breaches at their disposal. Returning to our example, if even one of Joe's employees reused a password that was already breached, no guessing is required!

In reality, hackers have largely automated this process. Once they have a "hit," such as Joe's Taxes' server, they quickly enumerate its attributes, including the fact that it has tax software installed, before putting it up for sale. At that point, any criminal can purchase access to Joe's server and use it to steal information or impersonate Joe, including filing fraudulent returns with the IRS.
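Detection logic for the guessing described above, as an added example that is not from the article: a Windows RDP server records every failed logon as Security event 4625, with logon type 10 for the classic logon screen or 3 when Network Level Authentication rejects the credentials before a session exists, and a sub-status code that says why the logon failed. The Python below runs over constructed sample records (an assumed CSV export shape, not real event data) and separates a single-account brute force from a password spray across many accounts, counting hits on disabled or nonexistent accounts separately because those are the old, unused accounts the section warns about. The thresholds are my choices.

```python
"""Spot RDP password guessing in Windows Security log failed logons (Event ID 4625).
Added example: SAMPLE_LOG is constructed, in an assumed CSV export shape
(time, event id, logon type, target user, source IP, sub-status); real events are EVTX/XML."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types an RDP server records for failed attempts: 10 = RemoteInteractive
# (graphical logon screen), 3 = Network, which is how CredSSP/NLA failures appear.
RDP_LOGON_TYPES = {3, 10}
# Well-known NTSTATUS sub-status values carried in 4625 events
STALE_ACCOUNT = {0xC0000064: "no such user", 0xC0000072: "account disabled"}
WRONG_PASSWORD = 0xC000006A

SAMPLE_LOG = """\
2018-05-10T02:14:07Z,4625,10,Administrator,203.0.113.7,0xC000006A
2018-05-10T02:14:09Z,4625,10,Administrator,203.0.113.7,0xC000006A
2018-05-10T02:14:11Z,4625,10,Administrator,203.0.113.7,0xC000006A
2018-05-10T02:14:13Z,4625,10,Administrator,203.0.113.7,0xC000006A
2018-05-10T02:14:15Z,4625,10,Administrator,203.0.113.7,0xC000006A
2018-05-10T02:14:17Z,4625,10,Administrator,203.0.113.7,0xC000006A
2018-05-10T02:14:19Z,4625,10,Administrator,203.0.113.7,0xC000006A
2018-05-10T02:14:21Z,4625,10,Administrator,203.0.113.7,0xC000006A
2018-05-10T03:30:00Z,4625,3,joe,198.51.100.9,0xC000006A
2018-05-10T03:30:10Z,4625,3,partner1,198.51.100.9,0xC000006A
2018-05-10T03:30:20Z,4625,3,accountant,198.51.100.9,0xC0000064
2018-05-10T03:30:30Z,4625,3,jsmith,198.51.100.9,0xC000006A
2018-05-10T03:30:40Z,4625,3,old_intern,198.51.100.9,0xC0000072
2018-05-10T03:30:50Z,4625,3,backup,198.51.100.9,0xC0000064
2018-05-10T08:02:11Z,4625,10,joe,192.0.2.5,0xC000006A
2018-05-10T08:02:40Z,4625,10,joe,192.0.2.5,0xC000006A
2018-05-10T09:00:00Z,4625,2,joe,10.0.0.4,0xC000006A
"""


def parse_events(text):
    """Turn the constructed CSV lines into dicts with typed fields."""
    events = []
    for ts, event_id, logon_type, user, ip, sub_status in csv.reader(io.StringIO(text.strip())):
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user.lower(),          # Windows account names are case-insensitive
            "ip": ip,
            "sub_status": int(sub_status, 16),
        })
    return events


def detect_rdp_guessing(events, window=timedelta(minutes=5), threshold=8, spray_users=5):
    """Per source IP, find the densest burst of RDP logon failures within `window`.

    `threshold` attempts in one burst -> brute force; `spray_users` distinct accounts
    in one burst -> password spray (one try per account, which dodges lockout policies).
    Failures against disabled or nonexistent accounts are counted separately: they show
    the attacker is working from a stale or leaked account list, and the accounts
    nobody uses are the ones nobody watches.  Console failures (logon type 2) are ignored."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] in RDP_LOGON_TYPES:
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["time"])
        best, start = [], 0
        for end in range(len(fails)):                 # sliding window over sorted failures
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = fails[start:end + 1]
        users = sorted({e["user"] for e in best})
        kinds = []
        if len(best) >= threshold:
            kinds.append("brute force")
        if len(users) >= spray_users:
            kinds.append("password spray")
        if kinds:
            alerts.append({
                "ip": ip, "attempts": len(best), "users": users,
                "stale_account_hits": sum(e["sub_status"] in STALE_ACCOUNT for e in best),
                "kind": " + ".join(kinds),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_guessing(parse_events(SAMPLE_LOG)):
        print(alert)
```

Two details matter in practice. A spray stays under any per-account lockout threshold, so a detector keyed only on failures per account misses it; grouping by source IP is what catches it. And a burst of failures against accounts that no longer exist or are disabled is worth an alert on its own, because it tells you the attacker has a list of your people, most likely from a past breach, which is exactly the credential-reuse scenario above.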

How Widespread Is This Risk?
At Coalition, we detect Remote Desktop on the Internet in over 30% of the companies we underwrite for cyber insurance. These access points tend to be concentrated in smaller businesses, as well as those that manage IT services. At the time I wrote this, our underwriting platform had identified over 3 million IP addresses with RDP available on the Internet, 900,000 of which are located in the United States.

Our fictional CPA firm is a good illustration of the risks of exposing RDP to the Internet. Tax scams are estimated to have defrauded victims of over $21 billion in 2016 alone, much of it facilitated by precisely this attack. CPA firms aren't alone, however: any company that allows RDP access from the Internet is a target, and the consequences can be severe.

What You Can Do
The first, and most obvious, step is to take Remote Desktop off the Internet, or at least stop exposing it to everyone. Put it behind a virtual private network, or use firewall rules to limit connections to the source addresses of known users. Alternatively, or in addition, add a multifactor authentication mechanism on top of the password; a number of such solutions, some of them free, work with RDP. The two measures address different halves of the problem: restricting the network path stops the scanners and the guessing alike, while a second factor means a reused or breached password is no longer enough on its own.

Matt Ahrens leads the Security Team at Coalition, the leading technology-enabled cyber insurance solution, combining comprehensive insurance and free cybersecurity tools to help businesses manage and mitigate cyber-risk. Prior to Coalition, he co-founded The Crypsis Group, a ...