Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/17/2018
02:30 PM
Matt Ahrens
Matt Ahrens
Commentary
50%
50%

The Risks of Remote Desktop Access Are Far from Remote

RDP is used by fraudsters to steal and monetize data more often than you might think. But there are ways to stay safe.

No one wakes up thinking "today's the day I'm going to be hacked." Even though we've all seen big-name companies fall prey to cyberattacks, the majority of business owners don't think one will ever happen to them. They're wrong. Breaches at Target, Home Depot, and Equifax may capture all of the attention, but software commonly used by many small businesses makes them far more attractive targets to hackers.

The software? Remote Desktop. Many businesses use Remote Desktop to facilitate network access for remote employees over the Internet. But by granting such access, these businesses have made it much more likely they'll be targeted and hacked. Over a 10-year career providing incident response and forensics following data breaches, I've seen thousands of companies crippled by the exploitation of remote access points. And I've seen how quickly and effectively fraudsters leverage hijacked computers to steal and monetize data, and how they've used such access to take control of entire networks.

What Is Remote Desktop?
The Remote Desktop Protocol (also known as RDP) is used to allow remote access to a computer. After logging in, you can control that computer remotely in almost the same way you control your own computer. RDP is very easy to use and widely implemented. Remote Desktop even comes built-in to most versions of Microsoft Windows. When used within a private network, it's a very powerful business tool. Unfortunately, it's not secure enough to safely expose to the Internet.

Imagine a small (fictional) CPA firm, Joe's Taxes. Joe's Taxes has three partners and five accountants. What's the easiest way for all eight team members to access a single server with specialized accounting and tax software? You guessed it: RDP.  

With a Remote Desktop setup, Joe can access his tax server and client data from anywhere, as can his partners and employees. This is not only convenient but increases productivity in Joe's office. Joe's employees can now collaborate on projects and remotely access documents that are securely stored and backed up in the office.

What Could Go Wrong?
Criminals, aware of the valuable information in the possession of businesses like Joe's, are also keen to remotely access this data. So keen that they've developed a wide array of tools to continuously look for remote access points on the Internet. Services such as Censys.io and Shodan.io, designed to map assets on the Internet, can also be used to discover potentially vulnerable targets. 

With remote access to a network, not only can criminals access sensitive information and hijack login credentials and identities, they can also use such access to deploy ransomware, such as the "SamSam" gang or Dharma ransomware. Even the access alone is worth something. Criminals routinely buy and sell Remote Desktop credentials in criminal markets such as xDedic. Pricing is driven by where the server is located, what software it's running, and other attributes that signal its value to the criminal marketplace. You can bet that our fictional CPA firm would fetch a decent price. (See, for example, this Kaspersky report).

How Does This Work?
Once a firm is targeted, it's surprisingly easy to overcome the password protections in place. This is largely because there is only one factor to defeat: the password itself. In the absence of a multifactor authentication mechanism such as a text, phone call, or randomly generated token, the hacker is free to guess a user's password. With enough computing power, this is a process that can take only a few hours. Moreover, as a business adds more accounts over time, old unused accounts create an even larger surface to attack. Hackers also have access to billions of compromised credentials from past data breaches. Returning to our example, if even one of Joe's employees reused a password that was already breached, no guessing is required!

In reality, hackers have largely automated this process. Once they have a "hit," such as Joe's Taxes' server, they quickly identify all of the attributes of that server, including the fact that it has tax software installed, prior to putting it up for sale. At this point, any criminal can purchase access to Joe's server, from which they can steal information or impersonate Joe, including making fraudulent filings to the IRS.

How Widespread Is This Risk?
At Coalition, we detect Remote Desktop on the Internet in over 30% of the companies we underwrite for cyber insurance. These access points tend to be concentrated in smaller businesses, as well as those that manage IT services. At the time I wrote this, our underwriting platform had identified over 3 million IP addresses with RDP available on the Internet, 900,000 of which are located in the United States.

Our fictional CPA firm is a great example of the risks of using RDP on the Internet. It is estimated that tax scams defrauded over $21 billion in 2016 alone, much of it facilitated by precisely this attack. However, CPA firms aren't alone. Any company that enables RDP access of the Internet is a target, and the consequences can be severe.

What You Can Do
The first, and most obvious, solution is to remove Remote Desktop from the Internet, even if not entirely. Access can be restricted behind a secure virtual private network or to known users using firewall rules. Alternatively, or in addition, a multifactor authentication mechanism can be implemented to augment traditional password authentication. A number of such solutions are available (some for free) that are compatible with RDP. 

Related Content:

Matt Ahrens leads the Security Team at Coalition, the leading technology-enabled cyber insurance solution, combining comprehensive insurance and free cybersecurity tools to help businesses manage and mitigate cyber-risk. Prior to Coalition, he co-founded The Crypsis Group, a ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Steve0nz
50%
50%
Steve0nz,
User Rank: Apprentice
8/10/2020 | 10:52:15 PM
Re: Isnt Bandwith a factor also?
Thanks for the article - its good to see the advice you have given. We created our IT support packages based of some of the advice you have given. thanks. https://linktechaustralia.com.au/managed/remote-it-support/
Kanaiadhikary
50%
50%
Kanaiadhikary,
User Rank: Apprentice
12/31/2019 | 6:58:55 AM
Remote Desktop
Remote desktop is a rapidly growing technology today as it helps businesses to reduce costs, provide faster resolution to technical problems, convenience of providing support from anywhere etc. For better security, one can use on premise remote support solutions such as R-HUB remote support servers. It works from behind the firewall, hence giving better security. access computers.
AviatorBobo
50%
50%
AviatorBobo,
User Rank: Apprentice
6/22/2018 | 7:51:19 AM
Isnt Bandwith a factor also?
Dear Matt,

 

Thank you for a great article, with the coolest ever heading! :) My name is Mehmet, and I work at a Danish company called Secomea... We work with secure remote access for factories, and the likes... When you say that "With enough computing power, this is a process that can take only a few hours."? :) Is this really enough? I would guess that there are only so many re-tryes, before that connection is banned...? And what about the bandwith of the company that is being attacked in this way...? Isnt that a limiting factor also? :)
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
WannaCry Has IoT in Its Crosshairs
Ed Koehler, Distinguished Principal Security Engineer, Office of CTO, at Extreme Network,  9/25/2020
Safeguarding Schools Against RDP-Based Ransomware
James Lui, Ericom Group CTO, Americas,  9/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26120
PUBLISHED: 2020-09-27
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even witho...
CVE-2020-26121
PUBLISHED: 2020-09-27
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an uploa...
CVE-2020-25812
PUBLISHED: 2020-09-27
An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.
CVE-2020-25813
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.
CVE-2020-25814
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> ...