Organizations Warned of Dual Threat Posed by RDP and Disruptive Ransomware

In a paper warning about the evolution of what it calls 'disruptionware', the Institute for Critical Infrastructure Technology (ICIT) highlights ransomware and RDP access as the current focus of a new development that "sees adversaries disrupting business continuity," posing "an existential threat to critical infrastructure operators."

The RDP/ransomware threat isn't limited to critical infrastructure. It highlights the shift from random to targeted attacks. It is predicated on two factors: the reluctance or failure of industry to close RDP, and the remarkable degree of access RDP affords the attacker. On the former, for example, ICIT notes (PDF) that "despite months of warning, as of July 2, 2019, 805,665 systems remain vulnerable to the BlueKeep RDP exploit, with an estimated 105,170 systems located in the United States."

On the latter, RDP provides complete and remote administrator control over the accessed device. "While the victim is deciding whether or not to pay the ransom," says the ICIT, "the adversary retains access to the system, allowing them to install backdoors, remote access Trojans, or other malware that can facilitate future attacks or provide access-as-a-service to other attackers."

The reluctance of industry to close down RDP comes from its value as a business tool for remote maintenance. "Manual maintenance is deemed too expensive compared to remote access solutions, especially if the systems are located overseas," says the ICIT.

In a separate study (PDF) of the same subject, security firm Vectra points out that RDP allows a centralized maintenance team to monitor and fix systems at multiple manufacturing plants at once. "The cost savings on this are substantial," it says, pointing out that each trip a technician makes onsite for a machine fix has been estimated to cost in excess of $2,000.

It also notes that the access provided by RDP is so great that a ransomware attack may be the last effect rather than the first motive. "Having gained access to the infrastructure, reconnoitered the network, moved laterally through it, and exfiltrated all they want," Vectra's head of security analytics Chris Morales told SecurityWeek, "ransomware might be the final act of getting as much money as possible."

Vectra analyzed the RDP issue from the context of its own telemetry. Over a six-month period between January and June 2019, its Cognito threat detection and response platform detected 26,800 malicious RDP behaviors against its customers. These are categorized as pre-access (the system detects multiple attempts -- brute-force attacks -- against RDP) and post-access (where the machine learning detects suspicious behavior, such as attempts to use an unexpected keyboard language).
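The pre-access/post-access split described above can be illustrated on the host side with ordinary Windows Security log data. The following is an added example, not Vectra's or ICIT's code: it runs over constructed log lines (Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP), flags a brute-force burst from one source, and then flags a successful RDP logon from that same source shortly afterwards, which is the moment the attacker moves from pre-access to post-access.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article), one record per line:
# "<timestamp> <EventID> <LogonType> <source IP> <account>".
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    "2019-06-03T08:00:01 4625 10 203.0.113.7 administrator",
    "2019-06-03T08:00:03 4625 10 203.0.113.7 admin",
    "2019-06-03T08:00:04 4625 10 203.0.113.7 root",
    "2019-06-03T08:00:06 4625 10 203.0.113.7 operator",
    "2019-06-03T08:00:08 4625 10 203.0.113.7 backup",
    "2019-06-03T08:00:15 4624 10 203.0.113.7 backup",   # success right after the burst
    "2019-06-03T08:05:00 4625 10 198.51.100.9 jsmith",  # one typo, then a normal logon
    "2019-06-03T08:05:20 4624 10 198.51.100.9 jsmith",
    "2019-06-03T08:06:00 4624 3 203.0.113.7 svc_print",  # network logon, not RDP
]

def parse(line):
    ts, event_id, logon_type, src, account = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), src, account

def detect_rdp_abuse(lines, threshold=5, window=timedelta(minutes=1), grace=timedelta(minutes=10)):
    """Return (finding, source_ip, account, timestamp) tuples for RDP brute force
    (>= threshold failures from one source inside `window`) and for a successful
    RDP logon from a flagged source within `grace` of its last failure."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent RDP failures
    flagged = {}                    # source IP -> time of its most recent burst failure
    findings = []
    for line in lines:
        ts, event_id, logon_type, src, account = parse(line)
        if logon_type != 10:        # only RemoteInteractive (RDP) logons matter here
            continue
        if event_id == 4625:
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if src in flagged:
                flagged[src] = ts             # keep the burst alive while failures continue
            elif len(q) >= threshold:
                flagged[src] = ts
                findings.append(("pre_access_brute_force", src, account, ts))
        elif event_id == 4624 and src in flagged and ts - flagged[src] <= grace:
            findings.append(("post_access_success_after_brute_force", src, account, ts))
    return findings

if __name__ == "__main__":
    for finding in detect_rdp_abuse(SAMPLE_EVENTS):
        print(*finding)
```

The thresholds are assumptions; in production they would be tuned per environment and the source IP taken from the event's IpAddress field.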

Normalizing these figures to allow comparison between different industry sectors, Vectra found that manufacturing (20%), finance (16%) and retail (14%) were the top three most-attacked industries, followed by government (12%), healthcare (10%) and services (8%). The incidence of attacks against the service industry is interesting. Morales pointed out that the Texas ransomware attacks came via their MSP. "With many MSPs using RDP to access their clients, this is a worrying threat vector," he commented.

Not all RDP attacks are necessarily related to potential ransomware attacks -- it could be a criminal or nation-state seeking access for PII or industrial espionage. However, the high incidence of RDP probes against manufacturing correlates with the rise of ransomware against manufacturing in 2019. ICIT points out that LockerGoga ransomware alone has been responsible for attacks against "the French engineering consulting firm Altran, the Norwegian aluminum manufacturer Norsk Hydro, and US chemical companies Hexion and Momentive."

Its primary concern is that the increasing digitization of industry means that IT and OT can no longer be treated as separate entities, and that IT attacks via RDP could lead to ransomware disrupting industrial control systems within the critical infrastructure.

The problem is that RDP is considered too valuable for it to be discontinued. It would be possible for Microsoft to update the software so that it requires a strong password, but that might cause problems for existing customers already using weaker passwords. "It has introduced 2FA," Morales told SecurityWeek, "but this is not installed by default." Responsibility for securing RDP and defending against RDP attacks thus falls upon the user.

ICIT suggests that the need to have RDP (port 3389) should be assessed, and if it is necessary, connections to specific trusted hosts should be whitelisted with everything else blocked. "Any system which needs to have an open RDP port," it says, "should be placed behind a firewall and require users to VPN. Additionally, you should perform regular checks to ensure the RDP port is not open to the public Internet."

Vectra points out, however, that standard defenses do not work well against zero-day exploits. "In August 2019," it notes, "Microsoft announced four new critical RDP vulnerabilities, all of which are 'pre-authentication', meaning they can be executed without proper credentials or input from the victim. Strikingly, these exploits worked for Windows 7, 8, and 10. As Windows 10 is currently the latest and most popular Windows operating system, this suggests that RDP attacks will persist, even as organizations update their IT systems."

Vectra's standpoint is that RDP is such a dangerous threat vector that users should not rely upon standard defenses that can be bypassed, but that the behavioral detection offered by modern machine-learning threat detection systems is required to detect any unexpected RDP behavior.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.