5/17/2018
02:30 PM
Matt Ahrens
Commentary

The Risks of Remote Desktop Access Are Far from Remote

RDP is used by fraudsters to steal and monetize data more often than you might think. But there are ways to stay safe.

No one wakes up thinking "today's the day I'm going to be hacked." Even though we've all seen big-name companies fall prey to cyberattacks, the majority of business owners don't think one will ever happen to them. They're wrong. Breaches at Target, Home Depot, and Equifax may capture all of the attention, but software commonly used by many small businesses makes them far more attractive targets to hackers.

The software? Remote Desktop. Many businesses use Remote Desktop to facilitate network access for remote employees over the Internet. But by granting such access, these businesses have made it much more likely they'll be targeted and hacked. Over a 10-year career providing incident response and forensics following data breaches, I've seen thousands of companies crippled by the exploitation of remote access points. And I've seen how quickly and effectively fraudsters leverage hijacked computers to steal and monetize data, and how they've used such access to take control of entire networks.

What Is Remote Desktop?
The Remote Desktop Protocol (also known as RDP) is used to allow remote access to a computer. After logging in, you can control that computer remotely in almost the same way you control your own computer. RDP is very easy to use and widely implemented. Remote Desktop even comes built-in to most versions of Microsoft Windows. When used within a private network, it's a very powerful business tool. Unfortunately, it's not secure enough to safely expose to the Internet.

Imagine a small (fictional) CPA firm, Joe's Taxes. Joe's Taxes has three partners and five accountants. What's the easiest way for all eight team members to access a single server with specialized accounting and tax software? You guessed it: RDP.  

With a Remote Desktop setup, Joe can access his tax server and client data from anywhere, as can his partners and employees. This is not only convenient but increases productivity in Joe's office. Joe's employees can now collaborate on projects and remotely access documents that are securely stored and backed up in the office.

What Could Go Wrong?
Criminals, aware of the valuable information in the possession of businesses like Joe's, are also keen to remotely access this data. So keen that they've developed a wide array of tools to continuously look for remote access points on the Internet. Services such as Censys.io and Shodan.io, designed to map assets on the Internet, can also be used to discover potentially vulnerable targets. 

With remote access to a network, not only can criminals access sensitive information and hijack login credentials and identities, they can also use such access to deploy ransomware, such as the "SamSam" gang or Dharma ransomware. Even the access alone is worth something. Criminals routinely buy and sell Remote Desktop credentials in criminal markets such as xDedic. Pricing is driven by where the server is located, what software it's running, and other attributes that signal its value to the criminal marketplace. You can bet that our fictional CPA firm would fetch a decent price. (See, for example, this Kaspersky report).

How Does This Work?
Once a firm is targeted, it's surprisingly easy to overcome the password protections in place. This is largely because there is only one factor to defeat: the password itself. In the absence of a multifactor authentication mechanism such as a text, phone call, or randomly generated token, the hacker is free to guess a user's password. With enough computing power, this is a process that can take only a few hours. Moreover, as a business adds more accounts over time, old unused accounts create an even larger surface to attack. Hackers also have access to billions of compromised credentials from past data breaches. Returning to our example, if even one of Joe's employees reused a password that was already breached, no guessing is required!
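The guessing described above leaves a trail on the server being attacked. As an added example (not from the article or from Coalition), the following PowerShell script summarises failed logon events from the Windows Security log of an RDP host and lists local accounts that have not signed in recently, the "old unused accounts" the paragraph warns about. It assumes it runs elevated on the host that accepts RDP; the time window, failure threshold and stale-account age are assumed values, not figures from the article.

```powershell
# Added example: detect password guessing against an RDP host and list idle accounts.
# Assumed thresholds; tune them to the environment.
param(
    [int]$Hours = 24,             # look-back window for failed logons
    [int]$FailureThreshold = 20,  # failures from one source that warrant attention
    [int]$StaleDays = 90          # accounts idle this long should be disabled
)

$since = (Get-Date).AddHours(-$Hours)

# Event 4625 = "An account failed to log on". Logon type 10 is RemoteInteractive (RDP);
# type 3 (Network) is what Network Level Authentication records when it rejects a client
# before a desktop session is ever created.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $d['TargetUserName']
            SourceIp  = $d['IpAddress']
            LogonType = $d['LogonType']
        }
    } |
    Where-Object { $_.LogonType -in @('3', '10') }

# Many failures from one address against few accounts = password guessing;
# one address touching many accounts = password spraying. Both deserve an alert.
$failed | Group-Object SourceIp |
    Where-Object { $_.Count -ge $FailureThreshold } |
    ForEach-Object {
        $accounts = @($_.Group.Account | Sort-Object -Unique)
        [pscustomobject]@{
            SourceIp         = $_.Name
            Failures         = $_.Count
            DistinctAccounts = $accounts.Count
            Pattern          = if ($accounts.Count -gt 5) { 'spraying' } else { 'guessing' }
        }
    } | Format-Table -AutoSize

# Unused accounts widen the surface an attacker can guess against:
# list enabled local accounts with no logon in the last $StaleDays days.
$cutoff = (Get-Date).AddDays(-$StaleDays)
Get-LocalUser |
    Where-Object { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) } |
    Select-Object Name, LastLogon, Enabled | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the RDP host; the first table names the source addresses that crossed the threshold and whether they look like guessing or spraying, the second lists accounts worth disabling. On a domain-joined server the same idea applies to `Get-ADUser` with the `LastLogonDate` property instead of `Get-LocalUser`.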

In reality, hackers have largely automated this process. Once they have a "hit," such as Joe's Taxes' server, they quickly identify all of the attributes of that server, including the fact that it has tax software installed, prior to putting it up for sale. At this point, any criminal can purchase access to Joe's server, from which they can steal information or impersonate Joe, including making fraudulent filings to the IRS.

How Widespread Is This Risk?
At Coalition, we detect Remote Desktop on the Internet in over 30% of the companies we underwrite for cyber insurance. These access points tend to be concentrated in smaller businesses, as well as those that manage IT services. At the time I wrote this, our underwriting platform had identified over 3 million IP addresses with RDP available on the Internet, 900,000 of which are located in the United States.

Our fictional CPA firm is a great example of the risks of using RDP on the Internet. It is estimated that tax scams defrauded over $21 billion in 2016 alone, much of it facilitated by precisely this attack. However, CPA firms aren't alone. Any company that enables RDP access from the Internet is a target, and the consequences can be severe.

What You Can Do
The first, and most obvious, solution is to take Remote Desktop off the Internet, at least in part. Access can be restricted behind a secure virtual private network or to known users using firewall rules. Alternatively, or in addition, a multifactor authentication mechanism can be implemented to augment traditional password authentication. A number of such solutions are available (some for free) that are compatible with RDP.
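The firewall-rule option above, as an added example that is not from the article or from Coalition: this PowerShell script limits inbound RDP on a Windows host to a list of known source networks (for instance the VPN concentrator or office egress address) and requires Network Level Authentication so that a client must authenticate before any session is created. The address ranges are placeholders from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24, assumed for the example; replace them with your own.

```powershell
# Added example: restrict inbound RDP (TCP 3389) to known sources and require NLA.
# Placeholder source addresses (assumed VPN concentrator / office egress); replace them.
$AllowedSources = @('203.0.113.0/24', '198.51.100.10')

# The built-in "Remote Desktop" rule group allows any remote address; disable it.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Replace it with one inbound allow rule scoped to the known sources.
$ruleName = 'RDP - known sources only'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null
} else {
    $rule | Set-NetFirewallRule -RemoteAddress $AllowedSources
}

# Windows Firewall evaluates explicit Block rules ahead of Allow rules, so do not add a
# catch-all block for 3389 (it would also block the allowed sources). Instead make sure
# the default inbound action of every profile is Block, so unmatched traffic is dropped.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# Require Network Level Authentication: the client authenticates before a session exists.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# Show the effective RDP rule and its address scope for review.
Get-NetFirewallRule -DisplayName 'RDP - *' |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Action        = $_.Action
            RemoteAddress = $addr
        }
    } | Format-Table -AutoSize
```

Run from an elevated prompt, and test from an address outside `$AllowedSources` afterwards to confirm the port no longer answers. This removes the host from the Internet-wide scans the article describes, but it does not replace multifactor authentication: a reused or guessed password still works from an allowed address, so pair the rule with MFA on the VPN or on the RDP gateway.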

Matt Ahrens leads the Security Team at Coalition, the leading technology-enabled cyber insurance solution, combining comprehensive insurance and free cybersecurity tools to help businesses manage and mitigate cyber-risk. Prior to Coalition, he co-founded The Crypsis Group, a ...

Comments
AviatorBobo, User Rank: Apprentice
6/22/2018 | 7:51:19 AM
Isn't bandwidth a factor also?
Dear Matt,

Thank you for a great article, with the coolest ever heading! :) My name is Mehmet, and I work at a Danish company called Secomea... We work with secure remote access for factories, and the like... When you say that "With enough computing power, this is a process that can take only a few hours."? :) Is this really enough? I would guess that there are only so many retries before that connection is banned...? And what about the bandwidth of the company that is being attacked in this way...? Isn't that a limiting factor also? :)