RDP and other productivity-enhancing tools leave organizations exposed to attacks on their ever-changing attack surface
In a previous post, we discussed advances in technology that have made it possible to scan the entire public Internet much faster than ever before. Because of these advances, the thought that exposures can simply hide on the Internet is no longer true. You may think that your organization isn’t a target for cybercriminals, but the ease through which an exposure can be found opportunistically means that you may end up a victim anyway.
Every asset you connect to the Internet can put your organization at risk: such assets are easy to find and can provide a high-value foothold into your network for hackers to exploit. This post details just one of many types of exposures that attackers look for.
RDP Exposures and Remote Workers
In the past decade, the rise of the remote workforce has led to increased numbers of exposed assets, as non-IT employees attempt to access sensitive internal systems remotely. One of the technologies that enables this is a Microsoft product called Remote Desktop Protocol (RDP). RDP enables remote workers to log into their corporate office desktop from anywhere using a graphical interface and work as if they were sitting at their desk. All they need is their username and password. Through RDP, the remote employee has the same access to important files and network resources as they would have working in the office itself.
But by exploiting this technology, attackers gain the same power over the corporate office desktop that the employee has: they can access networked machines, steal credentials or data, or inject malware or ransomware such as SamSam into the remote system.
One aspect that makes RDP exposures difficult to remediate is how and where they persist. While some RDP exposures can show up on a specific workstation at the same IP address day after day, others may show up in unregistered IP space or IP space belonging to a coffee shop or hotel where a remote employee is working. It’s like playing Whack-A-Mole for an IT organization because it’s nearly impossible to detect these sorts of exposures quickly enough to track them down and take remediation actions. And most IT teams don’t have the tools required to detect these exposures outside of their corporate IT space.
Regardless of the intention of the employee, RDP exposures create a real security risk. It’s essentially like leaving a laptop that has access to your corporate network out on the street where anyone can try to enter credentials to get into that device. Adding to that, credential dumps happen every day, and most people don’t practice good password hygiene, meaning that just about any hacker can easily compromise the system.
So easily, in fact, that the FBI issued a public service announcement in September 2018 recommending that, “businesses and private citizens review and understand what remote accesses their networks allow and take steps to reduce the likelihood of compromise, which may include disabling RDP if it is not needed.”
Do you know if you have RDP exposures?
One might think that only an inexperienced administrator would fail to limit routing of such protocols onto the public Internet, but the reality is that these exposures are quite widespread across Fortune 500 organizations. In fact, Expanse observed that 70% of the Fortune 500 had at least one machine with RDP accessible in the last month.
These lapses can occur easily, and again, may seem innocuous. Any time an employee fails to correctly initiate a VPN connection they may be sending up a flare, beaconing to attackers that their machine is ripe for the taking.
And where there’s an exposure, there’s a marketplace. Cybercriminals are capitalizing on these types of exposures, recognizing that they’re likely an easy target for any opportunistic hacker. Anyone could go to the dark web and purchase a list of recently observed RDP exposures for as little as 0.00088 Bitcoin (or $3).
Protecting yourself and securing your exposures
The FBI’s announcement on RDP includes eleven suggestions to minimize your exposure to RDP exploits, specifically, “because RDP has the ability to remotely control a system entirely, usage should be closely regulated, monitored, and controlled.” Some key recommendations include:
- Audit your network for systems using RDP for remote communication.
- Enable strong passwords and account lockout policies to defend against brute-force attacks.
- Verify all cloud-based virtual machine instances with a public IP do not have open RDP ports, specifically port 3389, unless there is a valid business reason to do so.
- Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
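One way to act on the audit and cloud-instance recommendations above is to check an exported set of inbound security-group rules for port 3389 reachable from the Internet. The following is an added example, not code from Expanse or the FBI; the rule schema, instance names and addresses are constructed, and it treats a rule as an exposure only when the instance has a public IP, the rule covers port 3389 (by range or by allowing all ports), and the source CIDR is not confined to a private, loopback or link-local block.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

RDP_PORT = 3389
# Sources entirely inside these ranges cannot come from the public Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

@dataclass(frozen=True)
class InboundRule:
    """One inbound allow rule from a cloud security-group export (constructed schema)."""
    instance: str             # hypothetical instance name
    public_ip: Optional[str]  # None when the instance has no public address
    protocol: str             # "tcp", "udp" or "all"
    from_port: int            # inclusive range; ignored when protocol == "all"
    to_port: int
    source: str               # CIDR the rule accepts traffic from

def source_is_internet_facing(cidr: str) -> bool:
    """True unless the whole source range lies inside one private/loopback/link-local block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)

def rule_exposes_rdp(rule: InboundRule) -> bool:
    """Does this rule let port 3389 in from the Internet to a publicly addressed instance?"""
    if rule.public_ip is None:
        return False                      # unreachable from outside, whatever the rule says
    if rule.protocol == "all":
        covers_rdp = True                 # every port, so 3389 is included
    elif rule.protocol in ("tcp", "udp"):
        # RDP listens on TCP 3389; newer Windows versions also use UDP 3389.
        covers_rdp = rule.from_port <= RDP_PORT <= rule.to_port
    else:
        return False                      # e.g. an icmp-only rule cannot carry RDP
    return covers_rdp and source_is_internet_facing(rule.source)

def find_rdp_exposures(rules: Iterable[InboundRule]) -> List[Tuple[str, str, str]]:
    """(instance, public_ip, source) for every exposing rule, deduplicated and sorted."""
    return sorted({(r.instance, r.public_ip, r.source) for r in rules if rule_exposes_rdp(r)})

# Constructed sample export; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_RULES = [
    InboundRule("web-01", "203.0.113.10", "tcp", 3389, 3389, "0.0.0.0/0"),        # classic exposure
    InboundRule("jump-02", "203.0.113.11", "tcp", 3389, 3389, "10.0.0.0/8"),      # VPN-only source: fine
    InboundRule("db-03", None, "tcp", 3389, 3389, "0.0.0.0/0"),                   # no public IP: fine
    InboundRule("build-04", "203.0.113.12", "all", 0, 0, "198.51.100.0/24"),      # "all" from a partner range
    InboundRule("app-05", "203.0.113.13", "tcp", 3000, 4000, "0.0.0.0/0"),        # wide range includes 3389
    InboundRule("app-06", "203.0.113.14", "tcp", 443, 443, "0.0.0.0/0"),          # HTTPS only: fine
]
```

Running `find_rdp_exposures(SAMPLE_RULES)` flags web-01, build-04 and app-05: the last two show why a port-3389-only search misses "all ports" rules and wide ranges, both of which the recommendation's "valid business reason" test should be applied to.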
These are good recommendations, but they are difficult, if not impossible, to implement with traditional tools. Because of the nature of RDP and its use by employees (who tend to be off premises, using home, hotel, or client networks), organizations must be able to see their machines from the same perspective as the would-be hackers looking for exposures to exploit. Traditional tools simply can’t give organizations this visibility.
See yourself as an attacker sees you
Expanse continuously collects data about every public-facing device connected to the Internet. The data is then correlated with other information sources to attribute devices and infrastructure to organizations. This results in a comprehensive, global view of all of your assets, not just the ones that you know about. In short, your security and IT operations teams have the visibility and context needed to protect your organization from hackers performing reconnaissance.
Expanse discovers and tracks your global Internet attack surface and can provide a constantly up-to-date picture of your RDP exposures, as well as hundreds of other ways your organization may be exposed to attackers.