RDP and Other Remote Login Attacks

In January 2020 there were about 3 million Remote Desktop Protocol (RDP) servers exposed to the Internet. By March 2020 that number was greater than 4.5 million, a number that has stayed relatively stable since then.

Remote Desktop Protocol (RDP)

RDP is an increasingly attractive target for ransomware groups. Although phishing continues to be effective, it can be expensive to get a phishing campaign up and running, especially for new IABs or ransomware affiliates. Renting space from phishing botnets is costly and the returns are often dismal.
On the other hand, an attacker who manages to gain access to an RDP server has already achieved success. They’ve managed to infiltrate a victim’s network, and they can turn around and sell that access, or possibly use it to deploy ransomware directly. In addition to having almost no startup costs (a laptop + Internet access + some searching/forum time), RDP scanning and exploitation provides almost instant gratification.
RDP access operations make a great entry point for many IABs and ransomware affiliates, but RDP is not the only type of remote access for which IABs are looking. As IABs and ransomware affiliates gain experience, they expand the types of remote access tools that they can exploit, looking for systems exposed to the Internet such as Citrix, TeamViewer, VNC, and any and all VPN connections they can find. If an exposed system provides access to a victim’s network, most likely there are IABs or ransomware affiliates scanning for it.

The Rise of RDP and Other Remote Accesses During the Pandemic

A Pre-Pandemic Problem

Ransomware attacks against RDP and other remote access systems were already increasing prior to the COVID-19 pandemic. According to a report from F-Secure, in the second half of 2019, remote access “manually installed” ransomware accounted for 28% of all ransomware attacks it observed. This was the largest percentage, followed by phishing at 24%.

Got Worse During the Pandemic

This trend was accelerated by the rapid shift to remote work during the pandemic. Many organizations that had limited or no remote workforce suddenly had to accommodate a fully remote (or close to fully remote) workforce, and they had to do it with the tools and systems to which they already had access. Most organizations initially thought they would switch to remote work for four to six weeks, then return to normal. If that was actually the case, it would be OK to “MacGyver” together a remote access solution. Little thought was given to security because IT and security teams had very little time to get a work-from-home solution up and running and assumed it would be temporary.
Unfortunately, weeks turned into months, and months turned into more than a year of remote work for many organizations. During the extended remote work period, how many of those organizations revisited the original remote work plan to ensure that it was properly configured and secured?

The increase in remote work meant that most organizations had a larger attack surface. That larger attack surface led to a significant uptick in cyberattacks overall, and an even bigger jump in ransomware attacks. Ransomware attacks were up 150% in 2020 and have likely risen even more in 2021. It's mentioned elsewhere on this site that it's very difficult to get accurate ransomware statistics; often, consistency in reporting serves just as important a purpose. The FBI Internet Crime Complaint Center (IC3) has been keeping track of ransomware attacks reported to it since at least 2016. The chart below shows how ransomware complaints have increased over the last few years as ransomware switched from a primarily automated form of malware in 2016 and early 2017 to manually operated cyberattacks from 2018 on; note the consistent increase since 2018.
FBI’s Internet Crime Complaint Center (IC3) ransomware complaints from 2016-2020
It’s worth noting that it was not just COVID-19 that caused the increase in ransomware attacks in 2020. The growth of RaaS and the constant headlines about multimillion dollar ransoms being paid was already attracting more cybercriminals to ransomware before the pandemic hit. However, the increased attack surface that mirrored the types of systems IABs and ransomware affiliates were looking to attack made the growth that much easier.

Ransomware and Healthcare During the Pandemic

As noted by Interpol, one sector that was hit particularly hard by ransomware during the pandemic was healthcare. Hospitals in particular were very susceptible to ransomware attacks during the COVID-19 pandemic.

There were 560 known ransomware attacks against healthcare providers in 2020, and the real number is probably even higher. The cost of these attacks against healthcare providers was estimated at $21 billion. That cost includes downtime caused by the ransomware attack, recovery costs, new infrastructure, and even ransom payments.
Healthcare providers, particularly hospitals and clinics, were under enormous pressure during COVID-19, which made employees particularly susceptible to phishing attacks. In fact, one study found that healthcare workers’ average click-through rate on phishing campaigns during the COVID-19 pandemic was 14.2%; most organizations strive to keep their click-through rates under 5%. It didn’t help that many ransomware groups specifically targeted healthcare providers as the pandemic reached its peak, knowing they would likely find a vulnerable employee, and a victim more willing to pay.

Several ransomware groups pledged not to attack hospitals during the pandemic. As security experts expected, most ransomware groups that took the pledge turned out to be liars (should we be surprised?). Not only did ransomware attacks against hospitals continue, they actually increased during the pandemic. In fact, less than two weeks after that “pledge” was made, L’hôpital de Saint-Gaudens was hit with a ransomware attack.
Interestingly, when the Health Service Executive (HSE), Ireland’s healthcare service, was crippled by Conti ransomware, the ransomware group gave HSE the decryption tool at no cost. Part of that was timing: the attack came just after the Colonial Pipeline attack, conducted by DarkSide, and HSE was the second major target with large national repercussions. Seeing how much attention DarkSide received after that attack, the group behind Conti may have decided they didn’t need the hassle. It should be noted that even with a functioning decryption key, HSE still spent millions of dollars and took months to fully restore all systems.


RDP Is an Easy Attack Vector for Ransomware

Depending on which ransomware groups are active and who’s doing the reporting, either phishing or RDP are the most commonly used initial access vectors for ransomware attacks. Unfortunately, the ease of finding exposed RDP systems, combined with the copious documentation on how to gain access to exposed RDP systems published on underground markets, means that they continue to be a lucrative initial access vector for ransomware groups.
Shodan’s view of servers with port 3389 exposed to the Internet

The image above shows a map of servers exposed to the Internet with port 3389 (the default port for RDP) open. The information comes from a query carried out on Shodan, the Internet scanning company. It shows 4.8 million systems potentially vulnerable to credential stuffing or credential reuse attacks. This screenshot was taken in late August of 2021, but it is representative of findings over the last few years. This view doesn’t even account for organizations that are running RDP on another port.
Are all of the systems potentially vulnerable to a credential reuse or credential stuffing attack? No, not all of them are even running RDP, but millions of them are and most of them are at risk.
Ransomware affiliates and IABs don’t always rely on Shodan to find vulnerable RDP servers, though there are a number of tutorials available on underground forums showing how to do exactly that. The screenshot below is a tutorial from the XSS hacking forum. The title translates to roughly, “Everything you wanted to know but were afraid to ask about the Ransoms!!!”
Advice on how to get into ransomware, posted to the XSS forum
In the post, the author discusses the importance of RDP and how ransomware groups use RDP to gain remote access (see image below). The post specifically discusses using Shodan to find open RDP servers, as well as other tools that attackers new to ransomware can use to gain access to exposed RDP servers.
Same XSS post as above, focusing on the importance of RDP in ransomware. Top is the original Russian language post; the lower half is an English language translation.

Shodan, and other web-based tools, are too slow for the more advanced IABs, so they rely on other tools that are readily available and still make the process of finding open RDP hosts easy.
One tool that is repeatedly mentioned across multiple underground forums for this type of work is Masscan. Masscan is popular in a lot of underground forums because of its speed, even on lower-end hardware. An IAB can scan large swathes of the Internet in a very short period of time. Claims for Masscan (unverified by this author) boast that it can scan the entire public IPv4 space in six minutes.
Whether or not the six-minute claim is true, Masscan is undeniably fast. By running it continuously against IP space in countries of interest, such as the United States, South Korea, Western Europe, or Japan, IABs can identify new RDP hosts as soon as they come online (see image below). This is especially important for hosts that aren’t always on, but available only for a limited time. (For instance, perhaps someone sets one up to work from home for the weekend.)
Sample Masscan scan of a Class C netblock for systems with 3389 open

An attacker might use a tool like Masscan to collect a large number of potential targets, but those targets aren’t always going to be vulnerable. Some might not even be RDP servers (however, Masscan can be configured to pull banner data to ensure that the IAB is targeting only actual RDP servers). As the tutorial in the XSS post above mentioned, a number of brute-force password cracking tools can be used to try to gain access. There are also a number of specialized RDP tools, such as Sticky Keys Slayer, that increase the chances of successful infiltration.
A lot of tools have been developed for offensive security purposes to assist with RDP scanning for red teams, and these tools have been adopted by IABs and ransomware affiliates. Tools such as:
Masscan
Sticky Keys Slayer
STORM
Black Bullet
Private Keeper
Sentry MBA

Not only are they using these tools, but they have put together tutorials and posted videos to YouTube teaching other IABs and ransomware affiliates how to use them.
This is why protecting RDP installations is so important. There are ransomware groups looking for any exposed system that might grant them remote access to an organization. But RDP is the easiest and the one with the most documentation for how to gain access, so it presents an attractive option for both IABs just getting started and seasoned veterans.

Protecting Remote Access

Like it or not, remote work is here to stay.

Employees Like It

Employees like the freedom and flexibility that working remotely affords them, and while many miss the office, most employees appear to want a hybrid solution: being able to work in the office some days and remotely on others. Given that reality, organizations need to decide how they’re going to provide remote access in a way that’s convenient and secure.

Is It the Best Solution?

The question organizations have to ask themselves is: “Is RDP the best solution?” Whether the question is for remote work or remote administration, the answer is almost always no. RDP is challenging to set up securely, difficult to manage, and—as discussed—an easy target for cybercriminals looking to gain access. Organizations, large and small, should be looking to migrate to another solution sooner rather than later (see “Alternatives to RDP” farther down the page). Yes, a more secure access solution entails an additional cost, but setting it up still costs less than paying a ransom.

Securing RDP

Sometimes other solutions simply aren't an option. An organization may legitimately not have the budget for another solution, they may not have the technical ability to manage it, there may be technical debt that needs to be dealt with first, or they may have vendors that require RDP. For a myriad of reasons, some organizations may not be able to migrate. If that’s the case, everything possible must be done to secure RDP installations. It’s never going to be completely secure (no system directly connected to the Internet ever is), but the goal is to make it more secure than everyone else’s installation.
The first step is to understand how many of your organization’s RDP servers are exposed to the Internet. This is the step that, unfortunately, many organizations forget to take. It’s not enough to trust your asset inventory: that tends to get outdated very quickly. Instead, an organization has to conduct active scans, both internally and externally, to collect an accurate inventory of Internet-facing RDP servers. If nothing else, use the same tools the IABs are using to get the same view they do. These scans need to be run at different times across several days and re-run periodically (ideally continuously, but that’s not always possible) to find newly exposed RDP servers.
This process often turns up an employee who enabled RDP so they could connect to a workstation from home, or a vendor using RDP for remote administration that no one knew about.
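As an added example (not code from the book or this site), the reconciliation step described above: read a Masscan JSON result file, keep every host whose banner identifies RDP on any port, or that has 3389 open with no banner collected, and compare the result against the asset inventory so the hosts nobody can explain surface first. The scan output, the inventory and the service banners below are constructed; the JSON field layout (ip, ports, service.name, service.banner) and the trailing-comma quirk are assumptions about Masscan's -oJ output, so check them against the version you actually run.

```python
import ipaddress
import json
import re
from typing import Dict, List

RDP_DEFAULT_PORT = 3389

# Constructed sample of a masscan JSON (-oJ, --banners) result file. The field
# layout is an assumption about masscan's output and the "rdp" service name is
# a stand-in; the trailing comma before "]" mimics a quirk some versions have.
SCAN_OUTPUT = """[
{ "ip": "203.0.113.10", "timestamp": "1630000000", "ports": [ {"port": 3389, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128, "service": {"name": "rdp", "banner": "rdp (constructed banner)"}} ] },
{ "ip": "203.0.113.25", "timestamp": "1630000010", "ports": [ {"port": 3390, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128, "service": {"name": "rdp", "banner": "rdp (constructed banner)"}} ] },
{ "ip": "203.0.113.40", "timestamp": "1630000020", "ports": [ {"port": 3389, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{ "ip": "203.0.113.50", "timestamp": "1630000030", "ports": [ {"port": 443, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128, "service": {"name": "http", "banner": "HTTP/1.1 200 OK"}} ] },
]"""

# Constructed asset inventory: the RDP endpoints the organization has approved.
INVENTORY: Dict[str, str] = {"203.0.113.10": "jump-host-01, vendor administration"}


def load_masscan(text: str) -> List[dict]:
    """Parse masscan JSON output. Tolerate a trailing comma before the closing
    bracket, which strict JSON rejects but some masscan versions emit."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return json.loads(re.sub(r",\s*\]\s*$", "]", text))


def banner_says_rdp(port_entry: dict) -> bool:
    """Decide from the collected banner, not the port number, whether this is RDP."""
    service = port_entry.get("service") or {}
    name = (service.get("name") or "").lower()
    banner = (service.get("banner") or "").lower()
    return name == "rdp" or banner.startswith("rdp")


def find_rdp_exposures(scan_json: str, inventory: Dict[str, str]) -> List[dict]:
    """Return every open port that is RDP (confirmed by banner) or might be
    (3389 open, no banner), annotated with whether the inventory explains it."""
    findings = []
    for host in load_masscan(scan_json):
        ip = host["ip"]
        for entry in host.get("ports", []):
            if entry.get("proto") != "tcp" or entry.get("status") != "open":
                continue
            confirmed = banner_says_rdp(entry)
            if not confirmed and entry["port"] != RDP_DEFAULT_PORT:
                continue  # open port with nothing pointing at RDP
            findings.append({
                "ip": ip,
                "port": entry["port"],
                "confirmed": confirmed,
                "known": ip in inventory,
                "nonstandard_port": entry["port"] != RDP_DEFAULT_PORT,
            })
    return sorted(findings, key=lambda f: (ipaddress.ip_address(f["ip"]), f["port"]))


def exposures_to_review(findings: List[dict]) -> List[str]:
    """Hosts the inventory does not explain: the ones to chase down first."""
    return [f"{f['ip']}:{f['port']}" for f in findings if not f["known"]]


if __name__ == "__main__":
    for f in find_rdp_exposures(SCAN_OUTPUT, INVENTORY):
        status = "confirmed RDP" if f["confirmed"] else "3389 open, unconfirmed"
        source = "in inventory" if f["known"] else "NOT in inventory"
        port_note = " (non-standard port)" if f["nonstandard_port"] else ""
        print(f"{f['ip']}:{f['port']} {status}{port_note}, {source}")
```

Run against the constructed data, the approved jump host is reported but not flagged, the RDP listener on 3390 and the unexplained 3389 listener are both listed for review, and the HTTPS host is ignored. Because the decision rests on the banner rather than the port, a scan that collects banners across a wide port range catches the "moved to a non-standard port" case the later section warns about.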

When the scans have been completed, the IT and security teams have to decide which systems actually need RDP and then disable remote access to those that don’t really need it. The compliance team (which is often the same group) also needs to reach out to vendors whose systems have RDP enabled for administration to fully document what, if any, security precautions are enabled.

For those systems that do require RDP access and need to be reachable from the Internet, consider the following steps:
Ensure that all RDP-centric logging is enabled, and label events from these servers high priority in the SIEM
In line with that, automatically block IP addresses that have multiple failed login attempts—block them at the firewall, not just the RDP server
Limit remote access to accounts that need it, and regularly review these accounts
Require multifactor authentication for all RDP servers
Depending on the geographic diversity of the employees who need remote access, limit the geographic range of IP addresses that can connect to the RDP servers. Again, do this at the firewall and don’t assume that blocking all IP addresses from Russia, or CIS countries, is enough. IABs from Russia and CIS countries do not attempt to log in from Russian IP addresses. Also, consider blocking access from known VPN IP address space, as ransomware groups and IABs often use VPNs and proxies during the scanning process.
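An added example (not from the book or this site) that turns three of the steps above into working detection logic: it reads failed and successful RDP logon events, finds source addresses that burst past a failure threshold inside a sliding time window (the list to push to the firewall, not just the RDP server), and checks every source against the permitted address ranges and a known VPN/proxy range list. The event lines, the address ranges and the one-line log layout are all constructed for this example; the Windows event IDs (4625 failed logon, 4624 successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real values a SIEM would filter on.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Constructed, simplified export of Windows Security log events from an RDP
# server: timestamp, event ID (4625 = failed logon, 4624 = successful logon),
# logon type (10 = RemoteInteractive, i.e. RDP), account and source address.
# The one-line layout is this example's own, not a Windows export format.
EVENT_LINES = """\
2021-08-30T02:14:01Z 4625 10 user=administrator src=192.0.2.55
2021-08-30T02:14:03Z 4625 10 user=admin src=192.0.2.55
2021-08-30T02:14:05Z 4625 10 user=rdpuser src=192.0.2.55
2021-08-30T02:14:08Z 4625 10 user=backup src=192.0.2.55
2021-08-30T02:14:10Z 4625 10 user=scanner src=192.0.2.55
2021-08-30T02:14:12Z 4625 3 user=svc-backup src=192.0.2.55
2021-08-30T08:01:00Z 4625 10 user=jsmith src=203.0.113.20
2021-08-30T08:01:40Z 4624 10 user=jsmith src=203.0.113.20
2021-08-30T09:00:00Z 4625 10 user=admin src=198.51.100.7
2021-08-30T09:30:00Z 4625 10 user=admin src=198.51.100.7
2021-08-30T10:00:00Z 4625 10 user=admin src=198.51.100.7
2021-08-30T10:30:00Z 4625 10 user=admin src=198.51.100.7
2021-08-30T11:00:00Z 4625 10 user=admin src=198.51.100.7
"""

# Constructed ranges: where legitimate remote staff connect from, and a
# stand-in for a commercial VPN/proxy address list.
ALLOWED_SOURCE_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.128/25")]
VPN_PROXY_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24",)]

LINE_RE = re.compile(r"^(\S+) (\d+) (\d+) user=(\S+) src=(\S+)$")


def parse_events(text: str) -> List[dict]:
    """Turn the constructed one-line records into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, logon_type, user, src = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src": src,
        })
    return events


def burst_sources(events: List[dict], threshold: int = 5,
                  window: timedelta = timedelta(minutes=5)) -> Set[str]:
    """Sources with `threshold` or more failed RDP logons inside any span of
    length `window` (sliding window over each source's sorted failure times)."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            failures[e["src"]].append(e["ts"])
    hits = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(src)
                break
    return hits


def classify_source(ip: str) -> str:
    """allowed / vpn_or_proxy / outside_allowlist, checked at the firewall layer."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in ALLOWED_SOURCE_RANGES):
        return "allowed"
    if any(addr in net for net in VPN_PROXY_RANGES):
        return "vpn_or_proxy"
    return "outside_allowlist"


def _by_ip(ips: Iterable[str]) -> List[str]:
    return sorted(set(ips), key=ipaddress.ip_address)


def triage(text: str, threshold: int = 5, window_minutes: int = 5) -> Dict[str, List[str]]:
    """The three lists a firewall change needs: addresses to block for bursts,
    addresses the range allowlist already denies, and known VPN/proxy sources."""
    events = parse_events(text)
    sources = {e["src"] for e in events}
    bursts = burst_sources(events, threshold, timedelta(minutes=window_minutes))
    return {
        "block_at_firewall": _by_ip(bursts),
        "denied_by_allowlist": _by_ip(s for s in sources if classify_source(s) != "allowed"),
        "vpn_or_proxy": _by_ip(s for s in sources if classify_source(s) == "vpn_or_proxy"),
    }


if __name__ == "__main__":
    for name, ips in triage(EVENT_LINES).items():
        print(f"{name}: {', '.join(ips) or '(none)'}")
```

On the constructed events, 192.0.2.55 trips the burst rule (five RDP failures in nine seconds; the type 3 network logon failure is ignored) and also sits in the VPN/proxy range, so it appears in all three lists. 198.51.100.7 never trips the five-minute window because its failures are half an hour apart, which is exactly why the allowlist check matters: that address is outside the permitted ranges and is denied regardless of how slowly it tries. Widen `window_minutes` to catch the slow pattern as well.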
Watch Out: Changing Ports Alone Is Not Enough

Some security professionals recommend changing the RDP port from 3389 to a non-standard port in an effort to disguise the use of RDP. There’s nothing wrong with doing that, but making that change without also implementing some of the other changes outlined in this section doesn’t provide any additional security. IABs are aware of this trick, and the experienced IABs scan for RDP on all ports. They’re more interested in the banner response than which port is open.

Alternatives to RDP

When possible, organizations should move from RDP to a VPN for remote access. Many VPNs allow organizations to implement many of the security features listed in the previous section easily, or come with those features enabled by default.

One of the biggest advantages of a VPN is that it significantly reduces the external footprint of the organization. Rather than having to worry about maintaining and updating multiple systems, the VPN is a single system and has many built-in security features.
There are some downsides to using a VPN. Specific to ransomware, since the start of 2020, many ransomware affiliates have been exploiting known vulnerabilities in VPN systems. This is discussed in more detail on the "Exploitation" page, but organizations using VPNs must prioritize patching vulnerabilities in the VPN, especially those related to remote code execution (RCE).

In addition, unlike RDP, organizations tend to give VPN access to more employees. This increases the chances of a successful credential reuse attack on top of the standard credential stuffing attacks. This threat can be mitigated by requiring multifactor authentication on the VPN.

Along with regular patching and multifactor authentication, organizations can improve the security of their VPN by taking the following precautions:
Regular account audits to remove accounts from employees no longer with the company
Enabling logging and monitoring for things such as multiple failed authentication attempts and login attempts from strange locations (remember, a “strange location” may be an attempted login from a data center or AWS server)
Automatic lockouts for accounts with multiple failed authentications—ensure that employees know the process to get their accounts reinstated, so that the lockout causes minimal business disruption.
As with RDP access, restrict the IP address ranges that can connect to the VPN
Although VPNs are an improvement over RDP, they’re not immune from use in a ransomware attack. Some IABs scan for certain VPNs for credential reuse attacks or exploitation attempts. Take the necessary precautions to keep the VPN and remote employees secured.
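An added example (not from the book or this site) for two of the VPN precautions listed above: a periodic account audit that reports VPN accounts nobody on the HR roster owns and accounts idle past a limit, and a lockout policy that locks an account after a run of failed authentications and only releases it through a recorded reinstatement step, the process employees need to know. The account list, the roster and the dates are constructed; the failure and idle thresholds are assumptions to tune to your own environment.

```python
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed VPN account list (account -> date of last successful VPN login,
# None if never used) and the HR roster of current staff and contractors.
VPN_ACCOUNTS: Dict[str, Optional[date]] = {
    "asmith": date(2021, 8, 29),
    "bjones": date(2021, 4, 1),        # long idle, still on the roster
    "contractor7": date(2021, 8, 28),  # still logging in, no longer on the roster
    "cwong": date(2021, 8, 30),
    "tmpvendor": None,                 # provisioned, never used, not on the roster
}
HR_ACTIVE = {"asmith", "bjones", "cwong", "dlee"}


def audit_accounts(accounts: Dict[str, Optional[date]], hr_active, today: date,
                   max_idle_days: int = 90) -> Dict[str, List[str]]:
    """Two findings per review: accounts to remove (no current owner on the
    roster) and accounts to disable pending confirmation (idle past the limit)."""
    idle_limit = today - timedelta(days=max_idle_days)
    remove = sorted(a for a in accounts if a not in hr_active)
    stale = sorted(a for a, last in accounts.items() if last is None or last < idle_limit)
    return {"remove": remove, "stale": stale}


class LockoutPolicy:
    """Lock an account after `max_failures` consecutive failures; only an
    explicit, recorded reinstatement unlocks it, so every unlock has an approver."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked: Dict[str, str] = {}
        self.audit_log: List[str] = []

    def record(self, user: str, success: bool) -> str:
        """Apply one authentication outcome; returns ok / failed / locked_now / locked."""
        if user in self.locked:
            return "locked"  # a locked account stays out even with the right password
        if success:
            self.failures[user] = 0  # a success resets the consecutive-failure count
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked[user] = "too many failed authentications"
            self.audit_log.append(f"lock {user}")
            return "locked_now"
        return "failed"

    def reinstate(self, user: str, approver: str) -> bool:
        """Unlock through the documented process; the approver is recorded."""
        if user not in self.locked:
            return False
        del self.locked[user]
        self.failures[user] = 0
        self.audit_log.append(f"reinstate {user} by {approver}")
        return True


if __name__ == "__main__":
    print(audit_accounts(VPN_ACCOUNTS, HR_ACTIVE, today=date(2021, 8, 31)))
    policy = LockoutPolicy(max_failures=3)
    for outcome in (False, False, False, True):
        print("asmith:", policy.record("asmith", outcome))
    print("reinstated:", policy.reinstate("asmith", "helpdesk ticket (constructed)"))
    print("asmith:", policy.record("asmith", True))
```

The audit deliberately separates the two findings: an account still in use by someone who has left (contractor7) is the dangerous case and goes straight to removal, while a long-idle account of a current employee (bjones) is disabled and confirmed with the owner. The lockout counts consecutive failures only, so a user who mistypes once and then logs in is never locked; pair it with the firewall-level blocking from the RDP section for attackers who rotate accounts rather than passwords.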

Want More?

This site is adapted from the book Ransomware: Understand. Prevent. Recover.