Microsoft patched a record number of common vulnerabilities and exposures (CVEs) in 2020, putting pressure on overwhelmed security teams to apply fixes and protect a growing number of remote employees. Many of these flaws affected Remote Desktop, a Windows service that proved critical for the newly remote workforce.
This year, Microsoft's monthly Patch Tuesday rollouts accumulated a total of 1,245 bugs fixed, which far exceeds the 840 patched in 2019 and numbers more than 2017 and 2018 combined, points out Satnam Narang, research engineer at Tenable. Most months brought at least 110 patches, with June and September marking the highest monthly count at 129 patches each.
"Just the sheer number of CVEs getting patched, especially from March to about September – we kept seeing 100 CVEs each month," Narang says. "Me and the team, we kept getting blown away by the sheer volume of them."
As security teams learned this year, many vulnerabilities Microsoft found and patched affected Windows Remote Desktop Protocol (RDP) -- Microsoft's protocol for enabling users to access Windows workstations or servers -- Remote Desktop Client, Remote Desktop Services, and Remote Desktop Gateway. While these all warranted priority patching before 2020, the COVID-19 pandemic and subsequent shift to work-from-home made them appealing targets.
"Because we are a remote workforce, anything that's going to impact the tools we need I think is going to be ripe for attack," says Dustin Childs of Trend Micro's Zero Day Initiative. "The two fertile areas for attacks are the tools remote workers use and the infrastructure that supports it."
This year attackers shifted their strategies from targeting applications, as they have in years past, to targeting protocols, Childs explains. These include RDP in addition to DNS, which has been targeted with multiple bugs, TCP/IP, and SMB, which is "also still very popular," he adds.
Protocols are a broad target, and their complexities have been targeted for years, he continues. But as organizations grow more complex and add more systems, attackers are learning they can hit a lot of targets if they go after low-lying protocols. A stronger focus on application security is also pushing attackers to look for underlying targets to get past improved software defenses.
The most common type of attack targeting RDP is brute force; in this, criminals attempt to find the username and password for an RDP connection by trying different combinations until one works. These attacks skyrocketed in early March, totaling 3.3 billion for the first 11 months of 2020, Kaspersky research shows. They numbered 969 million during the same period in 2019.
It's not surprising that Remote Desktop was heavily targeted this year, says Andrew Brandt, principal researcher with Sophos. Organizations with thousands of employees placed critical data on a segment of their networks and limited them to internal access. Now workers need to get to those assets from home.
"There's the twin challenges of protecting our stuff and making it so our employees aren't impeded from being able to work," he explains. It's a difficult balance to strike because the two goals "sometimes work at opposite ends."
A Historically Hot Target
RDP vulnerabilities came under the spotlight in 2019 with the widely reported BlueKeep and DejaBlue flaws. While none of the bugs patched this year merited a name, Narang notes RDP flaws should always capture the attention of security teams. Not only are they invaluable to criminals seeking data and funds, they're the "bread and butter" for ransomware operators.
Attackers who seek to take over a system, whether it's RDP or something else in a business, typically have two goals. They could establish permanency by setting up a backdoor to ensure their access isn't cut off, or they could pivot to take over the domain controller, Exchange server, or SharePoint server to see whether they can work their way around the environment, Childs says. From there, it's a matter of what they want to do, whether it's to deploy ransomware or steal data.
A dangerous trait of RDP exploits is they're typically invisible to employees. Whether security teams see a red flag depends on the type of logging they have and how closely those logs are monitored. With RDP, it also depends on your network intrusion detection/prevention setup. At a time when security analysts are overwhelmed with alerts, these may slip through the cracks.
The severity of a flaw often depends on where it is: Vulnerabilities in Remote Desktop Server, for example, are considered more severe than those in Remote Desktop Client, Childs continues.
"If you can take over the Remote Desktop Server, that's usually going to be something you can do unauthenticated remotely and that gets you a lot of code execution power," he explains. "Those are the ones we saw that could actually be wormable," a trait in RDP flaw BlueKeep.
Flaws in Remote Desktop Client usually require a man-in-the-middle attack, or sending a victim to a malicious Remote Desktop Server. This additional step is often a factor in whether a bug is classified as critical or important, Childs points out. If man-in-the-middle or authentication is required, a critical vulnerability may be considered important. Experts warn teams to consider how their businesses use a service instead of relying on a rating system to prioritize patches.
"Severity is based on not just the complexity of being able to accomplish a specific exploit … but also based on things like how widely distributed is this particular vulnerable application, and what are the mitigating circumstances by which you have to have the app configured so the exploit is functional as opposed to theoretical," Brandt says. In some cases, Sophos' offensive security team found important flaws to be "pretty severe" when given the right information.
Ultimately, the decision of whether a vulnerability is critical is a judgment call, Childs says. Either a security leader can make the call or they have to really trust the person making it.
"In my environment, I know we use RDP extensively, so anything that comes out I'm going to treat it as critical," he continues. "I don't care if it's post-authentication. I don't care if it's man-in-the-middle. I'm going to treat it as critical in our environment because I know how much we rely on RDP."
If a business doesn't rely on RDP, these patches may be secondary, he adds.
More Bugs Found, More Bugs Patched
The spike in security flaws discovered and fixed this year may at first cause alarm among people worried about increasingly vulnerable tools and services. But security experts, both at Microsoft and security companies, attribute the growth to higher participation in bug-bounty programs and a stronger focus on defensive security during a year when remote work became the norm.
"When quarantine kicked off, we did a huge strategy sync around, 'How do we protect our customers?'" says Ron Aquino, head of platform security and mitigations at Microsoft. "One of the things that jumped out at us is there are certain protocols that are very important for work-from-home."
RDP became a major area of focus, he continues. The team made a "huge push" to review RDP, especially code that may have been legacy code built a long time ago, for vulnerabilities. Many of these patches, especially those for RDP, apply to customers who adjust default configuration. Aquino notes those who stick with RDP's default settings and follow best practices are secure.
During this time, Microsoft decided to pivot its bug bounty program and introduce scenarios to help researchers decide where they should focus their efforts, adds Justin Campbell, principal group engineering manager with Microsoft Security. By the end of July, they had updated their bounty with new increased payouts: up to $100,000 USD for remote code execution flaws that didn't require authentication.
"We did that for several categories we thought would be especially impactful, but we try to not specify specific targets because we don't want to give researchers blinders," he says. "We want to have them exploring the spaces where we aren't already looking, if there is such a place."
While Campbell says these incentives were partly responsible for the growth in bug-bounty participation, data shows a surge in security researchers signing up to submit vulnerabilities during the pandemic. More businesses are adopting vulnerability disclosure programs (VDPs), and hackers are showing interest, especially in the industries where they're already active.