Remote Desktop Protocol Is a Big Target for Attackers, Study Finds
Remote Desktop Protocol (RDP) is an easy-to-find and popular target for remote attackers, according to a recent study conducted by Sophos.
Researchers at the Oxford, U.K.-based IT security solutions company set up 10 "honeypots" running RDP on Amazon Web Services EC2 infrastructure in different countries. They then observed the login attempts made by outside parties over a 30-day period, from April 18 to May 19. RDP is a protocol used for remote connections to servers, and it is the protocol behind Microsoft's Remote Desktop Services solution.
All told, there were 4.3 million login attempts across the 10 servers, which were running the Windows Server 2019 operating system in its default configuration. All 10 honeypots were attacked on the first day they were brought online, and it took just one minute and 24 seconds for the first server to be probed.
The attackers conducted brute-force attacks -- that is, they tried common user names and passwords to gain access to the servers. The user name tried most often was "administrator," along with various foreign-language equivalents. They also tried "ssm-user," which is a default name on some Amazon machine images, among other names.
Exactly how the machines running RDP were discovered wasn't clear. One theory -- that the attackers had used the Shodan search tool -- wasn't confirmed. In a video accompanying Sophos' announcement, the researchers speculated that the IP addresses assigned to the service, being recycled, could already have been on target lists. It was also noted in the video that it's possible to scan the entire Internet for RDP use in 30 minutes.
Actions To Take
Based on the study's findings, the Sophos researchers concluded that servers using RDP need to be blocked from Internet access or shielded:
Where possible, RDP should be disabled. Where it's required, it should be shielded from exploits and credential harvesting by controlling access to it with a Virtual Private Network (VPN).
Another option is to use Microsoft's Remote Desktop Gateway with RDP and enable multifactor authentication to verify user identities, the researchers indicated.
The following hardening measures also were recommended for organizations opting to continue to use RDP:
- Don't allow domain admins to log in using RDP
- Permit RDP only for people who need it
- Secure "idle" RDP accounts
- Cap the number of password retries for users
- Conduct user-created password strength tests
The researchers had secured the servers with strong passwords to thwart the attackers. They noted that the attackers varied their brute-force approaches: some stopped at just three login tries, perhaps to avoid triggering lockouts after repeated failures.
In their conclusion, the researchers suggested that Microsoft could improve matters by making two-factor authentication mandatory with RDP, and that Amazon could help by changing the default configurations of AWS images. Until that happens, IT pros remain responsible for securing their own RDP implementations.
One factor on the researchers' minds was the so-called "BlueKeep" vulnerability in RDS (CVE-2019-0708), for which Microsoft issued Windows patches back in May. It's a vulnerability that could enable self-spreading or "wormable" exploits across networks, and it drew cautions from the U.S. National Security Agency and the Cybersecurity and Infrastructure Security Agency.
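The "stop at three tries" behavior noted above is exactly the pattern a per-account lockout policy (the "cap the number of password retries" measure in the hardening list) misses on its own: an attacker who rotates accounts or spaces attempts out never reaches the per-account threshold, while the failures still pile up per source address. The following script, written for this article and not Sophos' tooling, counts Windows failed-logon events (Event ID 4625, logon type 10 = RemoteInteractive, i.e. RDP) both per account and per source address over a sliding time window. The pipe-separated export format and the sample events are constructed; the addresses are documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of Windows Security events (not data from the
# Sophos study). Assumed pipe-separated fields:
#   timestamp | event id | target account | logon type | source address
# Event ID 4625 = failed logon, 4624 = successful logon; logon type 10 =
# RemoteInteractive, which is how an RDP session appears in the log.
SAMPLE_EVENTS = """\
2019-04-18T10:00:00|4625|administrator|10|203.0.113.7
2019-04-18T10:00:03|4625|administrator|10|203.0.113.7
2019-04-18T10:00:06|4625|administrator|10|203.0.113.7
2019-04-18T10:00:09|4625|admin|10|203.0.113.7
2019-04-18T10:00:12|4625|admin|10|203.0.113.7
2019-04-18T10:00:15|4625|admin|10|203.0.113.7
2019-04-18T10:00:18|4625|ssm-user|10|203.0.113.7
2019-04-18T10:00:21|4625|ssm-user|10|203.0.113.7
2019-04-18T10:00:24|4625|ssm-user|10|203.0.113.7
2019-04-18T10:05:00|4625|jsmith|10|198.51.100.4
2019-04-18T10:05:10|4624|jsmith|10|198.51.100.4
2019-04-18T11:00:00|4625|administrator|10|192.0.2.9
2019-04-18T11:20:00|4625|administrator|10|192.0.2.9
2019-04-18T11:40:00|4625|administrator|10|192.0.2.9
2019-04-18T12:00:00|4625|administrator|10|192.0.2.9
2019-04-18T12:20:00|4625|administrator|10|192.0.2.9
2019-04-18T12:40:00|4625|administrator|10|192.0.2.9
2019-04-18T12:50:00|4625|svc-backup|3|10.0.0.5
"""

FAILED_LOGON = "4625"
RDP_LOGON_TYPE = "10"
THIRTY_MIN = timedelta(minutes=30)
ONE_DAY = timedelta(hours=24)


def parse_events(text):
    """Parse the export into (timestamp, event_id, account, logon_type, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, logon_type, source = line.split("|")
        events.append((datetime.fromisoformat(ts), event_id, account.lower(), logon_type, source))
    return events


def rdp_failures(events):
    """Keep only failed RemoteInteractive (RDP) logons; other logon types are out of scope."""
    return [e for e in events if e[1] == FAILED_LOGON and e[3] == RDP_LOGON_TYPE]


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_by_key(failures, key_index, threshold, window):
    """Group failures by account (index 2) or source (index 4); report keys whose
    peak failure count inside `window` reaches `threshold`."""
    groups = defaultdict(list)
    for e in failures:
        groups[e[key_index]].append(e[0])
    peaks = {k: max_in_window(v, window) for k, v in groups.items()}
    return {k: n for k, n in peaks.items() if n >= threshold}


def flag_accounts(failures, threshold=5, window=THIRTY_MIN):
    """Accounts that would trip a per-account lockout policy of `threshold` failures in `window`."""
    return flag_by_key(failures, 2, threshold, window)


def flag_sources(failures, threshold=5, window=THIRTY_MIN):
    """Source addresses whose failures across all accounts reach `threshold` inside `window`."""
    return flag_by_key(failures, 4, threshold, window)


if __name__ == "__main__":
    fails = rdp_failures(parse_events(SAMPLE_EVENTS))
    print("per-account lockout (5 in 30 min) would catch:", flag_accounts(fails))
    print("per-source, 30 min window:", flag_sources(fails))
    print("per-source, 24 h window:", flag_sources(fails, window=ONE_DAY))
```

With the sample data, the per-account view with a 5-failures-in-30-minutes policy catches nothing: 203.0.113.7 stops at three tries per account and 192.0.2.9 spaces its attempts 20 minutes apart. The per-source view flags 203.0.113.7 immediately, and widening the window to a day also surfaces the slow attacker at 192.0.2.9, which is why source-based aggregation and a longer look-back belong next to the account lockout threshold rather than replacing it.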
"But securing RDP goes far beyond patching systems against CVE-2019-0708," the Sophos researchers contended.
As of July 2, security ratings company BitSight had found that there was a 17 percent decrease in systems vulnerable to BlueKeep, indicating some progress in the patching of systems. However, "approximately 805,665 systems remain online that are vulnerable to BlueKeep," BitSight had indicated in its July 17 blog post.
Currently, there exists a BlueKeep "working exploit" developed by the U.S. Department of Homeland Security, as well as one developed by the "private sector," BitSight indicated. BitSight recommended applying Microsoft's patches and removing the exposure of systems to Internet access.
Security researcher Kevin Beaumont indicated in a July 17 Twitter post that there was still "no public remote code execution exploit for BlueKeep, and no exploitation in the wild" detected so far. Based on BitSight's numbers on the rate of patching, Beaumont predicted it would take more than two years for the BlueKeep fixes to be in place.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.