Since the coronavirus pandemic began, companies have been forced to configure remote working environments to support employees working from home. But are they doing this safely?
A recent spike in the number of exposed remote desktop protocol - RDP - services suggests that exposing RDP directly is one approach businesses are taking. However, the risks of exposing these services to the internet are almost endless if they are misconfigured or out of date.
Attacks against RDP and how to mitigate them
A recent post by Shodan - a search engine for internet-exposed devices - showed that in the past month alone the number of exposed RDP devices has risen by over 41%. While this lets employees reach their work machines from home, RDP has numerous critical flaws, new and old. Two in more recent memory are BlueKeep and the family of issues known as DejaBlue.
The clear spike in RDP use brings the total number of services on Shodan to over 4.3 million globally.
A common tactic in protecting an RDP service is to simply not run it on the default registered port of 3389.
Shodan also revealed a sharp increase of over 36% on port 3388 over the past month, which suggests exactly this is happening. Moving a service to a non-default port has been shown to provide no security.
Attackers are likely to perform full port scans for vulnerable services, and ‘hiding’ a service in this way will provide zero security. No sysadmin should be relying on security through obscurity in 2020.
What makes RDP such a risk in today’s business computing? Throughout 2019, Microsoft issued multiple security patches for critical vulnerabilities in its RDP implementation.
The first of these was dubbed BlueKeep - CVE-2019-0708 - which was first reported in May of 2019 thanks to the UK’s National Cyber Security Centre. BlueKeep allows an unauthenticated attacker to send a specially crafted packet to the RDP service, resulting in remote code execution. It was found to affect Windows versions 2000 through to Windows 7.
To make matters worse, BlueKeep can be weaponized to self-propagate, infecting multiple target systems in a single attack. Microsoft likened it to the infamous WannaCry attack, which brought the NHS almost to a standstill, and stated that up to 1 million devices may be vulnerable. Such an attack now would be nothing less than devastating, resulting in the unnecessary loss of life.
As with WannaCry, Microsoft released patches, including for older versions of its OS that had already reached end of life. Even now, Shodan reports that 8% of current RDP services remain vulnerable to BlueKeep, an estimated 336,000 devices.
Is it safe to assume that versions after Windows 7 are not vulnerable to remote code execution vulnerabilities?
Well, after the disclosure of BlueKeep, Microsoft’s own security teams delved deeper into the underlying issues and uncovered a further set of vulnerabilities, known collectively as DejaBlue.
The disclosure of these can be seen in the graph of port 3389 usage, where many RDP services came offline in late 2019. These new vulnerabilities notably included two more remote code execution flaws - CVE-2019-1181 and CVE-2019-1182 - affecting not only old versions but every version up to and including Windows 10.
So, what can be done to mitigate the risks associated with RDP? First and foremost, patch every service exposed to the internet and implement a regular patching programme. This protects the service against known vulnerabilities, but unknown ones, such as those developed or bought by Advanced Persistent Threat - APT - crews, may still be exploitable.
Even more simply, do not expose RDP in the first place. RDP has a track record of remote code execution - RCE - vulnerabilities and should not be treated as a secure service. An alternative, which many companies are already using, is a virtual private network - VPN.
In the past month, Shodan reported a 33% increase in VPN servers, mostly due to the coronavirus. Behind a VPN, the RDP service is exposed only on the internal network, to clients that have already authenticated to the VPN.
Alternatively, Remote Desktop Gateway - RDG - tunnels RDP over HTTPS and applies access control policies, allowing finer-grained control than a full-access VPN.
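The following PowerShell script is an added example, not code from the original article, that audits a single Windows host against the two points above: a non-default port is reported but not counted as a control, and RDP is only acceptable when the host firewall restricts it to the VPN client subnet. It assumes (hypothetically, since the article states none of this) that it runs as Administrator on a Windows version with the NetSecurity module, and that the VPN client subnet is 10.8.0.0/24; the registry values and cmdlets used are the standard Windows ones.

```powershell
# Added example (not from the original article): audit this host's RDP exposure.
# Assumptions: run as Administrator; NetSecurity module present (Windows 8 / Server 2012 or
# later); VPN client subnet is 10.8.0.0/24 (hypothetical value, adjust to your network).
param(
    [string[]] $AllowedRemoteAddresses = @('10.8.0.0/24')   # assumed VPN client subnet
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpOff = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1
$port   = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name PortNumber).PortNumber

$findings = @()

if ($rdpOff) {
    "RDP is disabled (fDenyTSConnections = 1): nothing to expose."
    return
}

"RDP is enabled and listening on TCP $port."
if ($port -ne 3389) {
    # Moving off 3389 is not a control: a full port scan finds the listener anyway.
    $findings += "Non-default RDP port $port in use; treat this as obscurity, not security."
}

# Every enabled inbound allow rule whose port filter covers the RDP listener.
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.Protocol -in @('TCP', 'Any')) -and
        (($pf.LocalPort -contains 'Any') -or ($pf.LocalPort -contains "$port"))
    }

if (-not $rules) {
    "No inbound allow rule covers TCP $port; the host firewall blocks RDP."
}

foreach ($rule in $rules) {
    $remote    = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    $unscoped  = $remote -contains 'Any'
    $offPolicy = @($remote | Where-Object { $_ -ne 'Any' -and $AllowedRemoteAddresses -notcontains $_ })

    if ($unscoped) {
        $findings += "Rule '$($rule.DisplayName)' allows RDP from any address: internet-exposed if the host is reachable."
    } elseif ($offPolicy.Count -gt 0) {
        $findings += "Rule '$($rule.DisplayName)' allows RDP from $($offPolicy -join ', '), outside the VPN subnet."
    } else {
        "Rule '$($rule.DisplayName)' restricts RDP to $($remote -join ', ') (VPN only)."
    }

    # The Public profile is the one active on untrusted networks; an RDP rule that
    # applies there deserves extra scrutiny even when address-scoped.
    if ("$($rule.Profile)" -match 'Public|Any') {
        $findings += "Rule '$($rule.DisplayName)' is active on the Public profile."
    }
}

if ($findings.Count -eq 0) {
    "No findings: RDP is reachable only from the VPN subnet."
} else {
    "Findings:"
    $findings | ForEach-Object { " - $_" }
}
```

Run it on each host that remote workers connect to; a clean result means RDP is only reachable from VPN clients, which is the posture the article recommends. It checks configuration only, so it complements rather than replaces the patching programme: a host that passes this audit but is missing the BlueKeep or DejaBlue fixes is still vulnerable to anyone on the VPN.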
The last thing that any business needs in this testing time is to fall victim to a ransomware attack due to vulnerable RDP services. Ensuring that remote working environments are secure and frequently reviewed should be at the forefront of any security approach in the coming months.