Attack Surface Lesson #2: Remote Desktop Protocol

One of the biggest trends we have observed this year is an increase in Remote Desktop Protocol (RDP) exposures across enterprises. The large uptick in RDP exposures this year is due to the rapid shift toward remote work that many organizations were not anticipating. As a result, many corporate devices (laptops and even desktops) have been hit by RDP breaches. RDP allows a user to log into a remote workstation from another machine. While convenient and useful, the protocol is not intended to be exposed on the public Internet and is a frequent attack target: an RDP server gives whoever can authenticate a full graphical session on the device from a remote location. Some of the most notorious ransomware attacks, like WannaCry and SamSam, have targeted exposed RDP servers. It is best practice to never have RDP accessible over the public Internet.

RDP History

Microsoft developed RDP in 1996 as a proprietary protocol to give clients remote access. It was introduced as part of Windows NT 4.0 Terminal Services Edition, and in 2001 Microsoft pushed a broader rollout as part of most versions of Windows XP. Widely used for both remote administration and technical support, RDP improved customer support but also introduced some significant security flaws. For example, a brute-force attack on an exposed LabCorp RDP server resulted in 7,000 systems and 1,900 servers being infected. [1]

Specifically, code-level vulnerabilities have allowed remote access without a password. All of these have been patched, but such flaws recur every few years. Reliance on user credentials, rather than specialized authentication, makes RDP vulnerable to password guessing and password reuse. The encryption method used by default is compromised, although additional services can be installed to strengthen encryption.

For this reason, RDP is a top threat vector for ransomware attacks. A workstation with RDP exposed on the public Internet is the equivalent of leaving a laptop open to its login screen sitting on the street, where anyone can try a username and password. Most organizations think that they're blocking RDP across their networks and devices, but we regularly find RDP instances for organizations on the public Internet, including a majority of the Fortune 500. The most common attack against RDP starts out with a brute-force password-guessing attempt. If the password isn't complex enough, or if repeated failed attempts don't trigger a lockout, attackers can compromise the device. Once this happens, ransomware is typically installed, which can spread throughout the organization, causing significant business interruption incidents. Data is encrypted or destroyed, leaving organizations with a crippled network caused by an unknown exposure that occurred in IP space they were not monitoring.
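The brute-force pattern described above leaves a clear trail in Windows Security logs: a burst of failed logons (Event ID 4625) with Logon Type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (4624) from the same address. The following Python script is an added example, not code from this post or from Expanse. It reads constructed log lines in a simplified one-line form of those events and flags two shapes of attack: a classic brute force against one account, and a password spray across many accounts, which a per-account lockout policy does not stop. The field names, thresholds, and all sample data are assumptions made for this example.

```python
"""Detect RDP brute-force and password-spray attempts in Windows logon events.

Added example (not Expanse code). Input lines are a simplified one-line form
of Windows Security events: 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive (RDP). Field names, thresholds and all
sample data are assumptions made for this demo.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2020, 6, 1, 2, 0, 0)   # constructed start time for the sample


def _line(offset_s, event_id, user, ip):
    """Build one constructed log line, offset_s seconds after BASE."""
    ts = (BASE + timedelta(seconds=offset_s)).isoformat(timespec="seconds")
    return f"{ts} EventID={event_id} LogonType=10 User={user} SrcIP={ip}"


# Constructed sample: three source IPs showing three different behaviours.
SAMPLE_EVENTS = (
    # 1) classic brute force: 12 guesses at one account in two minutes, then a hit
    [_line(i * 10, 4625, "administrator", "203.0.113.7") for i in range(12)]
    + [_line(130, 4624, "administrator", "203.0.113.7")]
    # 2) password spray: one guess each against 11 accounts (per-account lockout never fires)
    + [_line(300 + i * 15, 4625, f"user{i:02d}", "198.51.100.20") for i in range(11)]
    # 3) benign: one user mistyping a password twice
    + [_line(900, 4625, "jsmith", "192.0.2.44"), _line(960, 4625, "jsmith", "192.0.2.44")]
)


def parse_event(line):
    """Parse '<iso-timestamp> key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def detect_rdp_brute_force(lines, threshold=10, window=timedelta(minutes=5), spray_min_users=5):
    """Return {src_ip: alert} for IPs with >= threshold failed RDP logons inside any window.

    alert fields: first_alert (datetime the threshold was crossed), failures
    (total failures from that IP), users (sorted accounts tried), spray (many
    distinct accounts, so a per-account lockout would not have stopped it),
    success_after (a successful RDP logon from that IP after the alert fired).
    """
    recent = defaultdict(deque)      # src_ip -> failure timestamps inside the window
    total = Counter()                # src_ip -> all failures seen
    users = defaultdict(set)         # src_ip -> accounts attempted
    alerts = {}

    for event in map(parse_event, lines):
        if event.get("LogonType") != "10":      # only RDP (RemoteInteractive) logons
            continue
        ip = event["SrcIP"]
        if event["EventID"] == "4625":
            total[ip] += 1
            users[ip].add(event["User"].lower())
            q = recent[ip]
            q.append(event["ts"])
            while q and event["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"first_alert": event["ts"], "success_after": False}
        elif event["EventID"] == "4624" and ip in alerts:
            alerts[ip]["success_after"] = True      # guessing was followed by a real login

    for ip, alert in alerts.items():
        alert["failures"] = total[ip]
        alert["users"] = sorted(users[ip])
        alert["spray"] = len(users[ip]) >= spray_min_users
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_brute_force(SAMPLE_EVENTS).items():
        kind = "password spray" if alert["spray"] else "brute force"
        print(f"{ip}: {kind}, {alert['failures']} failures, "
              f"first alert {alert['first_alert']:%H:%M:%S}, "
              f"success after: {alert['success_after']}")
```

Two caveats when adapting this to real logs: with Network Level Authentication enabled, failed RDP authentications are recorded with Logon Type 3 rather than 10, so the filter needs to be widened for NLA hosts; and the spray check is what catches the case the lockout policy misses, since one guess per account never reaches the per-account lockout threshold even though the per-source count is clearly hostile.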

Worse, RDP exposures are especially difficult to track because they often occur outside of places regularly monitored by the organization’s IT and security staff. Without the complete, current, and accurate indexing of the entire Internet provided by Expanse, organizations don’t have a way of tracking these findings themselves. By indexing the global Internet multiple times per day, Expanse helps customers detect exposures like RDP before they are targeted, not weeks after the exposures have occurred and been found and exploited by attackers.

RDP on the Black Market

Compromised RDPs remain a vital aspect of multiple cybercrime operations, including ransomware, credential stealing, cryptocurrency mining, and Synthetic Identity Fraud (SIF). The method of obtaining access varies and may include using brute-forcing malware or simply purchasing already-compromised RDPs through illicit online communities. Additionally, individual sellers on Telegram and various top-tier, vetted forums post advertisements for the sale of RDPs. Illicit marketplaces offering RDP access to compromised devices have long been part of the cybercriminal underground. Many of these shops compete with one another for the lowest prices and the highest quality of compromised devices.

Marketplaces are not the only locations where RDP access is offered for sale. Flashpoint has noted that threat actors regularly offer network access via RDP, Citrix and SSH across many cybercrime forums. For instance, reviewing posts from threat actors across middle- and top-tier cybercrime forums, Flashpoint [2] has seen an uptick and a constant flow of remote network access being offered for sale.

The quality of compromised RDP access is determined by a number of factors, including:

  • Whether the device contains potentially profitable information, such as financial logins or other credentials.
  • Whether the device is in a location that makes it useful as a proxy tool to disguise attacks on other entities, such as financial and retail institutions.
  • When threat actors are targeting Western entities, compromised devices are more useful if they are located in Western countries. Threat actors often mask attacks via proxied connections, and proxied connections raise fewer red flags when they are from Western countries.

Several marketplaces exist specifically to sell RDP access; one of the more active ones is Ultimate Anonymity Service RDP Shop (UAS). In addition, RDPs may be found in account shops, in forums and over Telegram. Flashpoint analysts have observed prices of RDPs on UAS between US$4 and US$50. The price variation is based on factors including country of origin, victim operating system and administrative rights.

What does Expanse see across the private and public sector with regard to RDP?

  • Private industry:
    • In a recent blog, Expanse CTO and co-founder Matt Kraning detailed RDPs in the semiconductor industry. Namely, Expanse discovered 25 exposed RDP servers associated with five semiconductor organizations. 
    • A Fortune 500 services organization remediated 33% of critical certificates, 31% of unencrypted logins, and 40% of RDP services within 30 days of using Expanse’s cloud module.
  • Government:
    • In May 2020, Expanse discovered and reported 30+ publicly-accessible RDP servers belonging to a state agency.
    • In April and May 2020, Expanse surfaced and reported an RDP server belonging to a sitting politician with a certificate name that included his name.
    • Expanse helped a local police force identify and secure more than 70 RDP servers in law enforcement infrastructure.

What's the lesson from all this? Historically, in order to understand network and Internet communication, you needed to deploy sensors, gather logs, and install agents on any device that you needed to monitor. While those methods are adequate for monitoring assets that you know about and can install agents on, they don't scale with the explosion of digital transformation activities like BYOD, cloud strategies, and IoT devices. To deal with RDP in a modern setting, security teams need global context about communication between those assets and others, which may indicate that you have a compromised asset within your organization. This outside-in perspective provides insights about both assets and communication that may not be available via traditional monitoring systems.

In case you missed it, I recently wrote about the fundamental need to have an accurate and complete inventory of your organization's assets before being able to drive an effective risk reduction program. Expanse commonly finds that organizations only have visibility into about 70% of their external-facing assets. The other 30% is a big blind spot.

Expanse doesn’t require any installation or additional agents. Download a datasheet to learn how Expanse can help you reduce your attack surface. You can also request a demo and we’ll bring actionable insights about your enterprise to our very first meeting.



2 RDP Access to Hacked Servers Still a Thriving Business on Deep & Dark Web, Flashpoint