Microsoft’s proprietary Remote Desktop Protocol (RDP) allows remote management of Windows machines as long as they are connected to a network, which of course they almost certainly are.
The trouble is that it can easily be used for nefarious purposes such as lateral infection or somewhat surprisingly, strolling through the front door. The use of RDP for both of these activities is something that the operatives at ITC Towers are dealing with on an almost daily basis, or so it seems.
The now relatively sane (and we use that term advisedly – when you realise that Mr McAfee was born in The Forest Of Dean a number of things become apparent, not least his incredible keyboard skills facilitated by six fingers on either hand) folks at McAfee have released a very interesting report which reveals the quite disturbing fact that many enterprises have machines running RDP open to the Internet and just waiting to be compromised. Furthermore, you don’t have to go searching for these machines yourself, just go onto ‘The Dark Web’ (mwahahaha) and you can buy the details for as little as $3 and as much (!!) as $19. Complete with access credentials. Including Government and critical infrastructure equipment. What could possibly go wrong? A lot.
The use of RDP for lateral infection after a breach is just as much of a problem. The scenario is something like this:
The attacker sends out some phishing/spear phishing emails to your users. One, or more (the statistic is something like 36%) opens it and the attacker has access to their machine.
Once on the machine the attacker dumps the contents of the LSASS.EXE process and uses a tool like MimiKatz to extract cached credentials, probably, but not necessarily, offline. We discussed this at length last week.
Those credentials will almost certainly include the cached credentials of a local or domain admin, if not other techniques will be used to escalate privileges like pass the hash/ticket. Credentials harvested will be tried against any box using RDP and the Pwnage begins.
There are a number of things that you can and SHOULD do to protect your business from RDP abuse:
- Disable RDP unless you really need it.
- Use only hardened images, which include protection for the LSASS.EXE process.
- Do not expose machines to the Internet on RDP, ever – scan your external ranges for visibility.
- Mandate the use of two-factor authentication for machines running RDP or the accounts that can login.
What we can guarantee you is that no matter how difficult the above recommendations look, they are like a fart in a thunderstorm compared to the remedial activities should it all go the way of the pear and you find yourselves compromised.
ITC can help you to understand your cyber posture (including your RDP exposure, of course), protect yourselves (even against phishing attacks), defend yourselves and if push comes to shove, remediate. If you would like to discuss any of these, please contact us at: firstname.lastname@example.org or call 020 7517 3900.
There has been some good news this week. The shady bankers Vitaly Korchevsky and Vladislav Khalupsky (no guessing where they are from), about whom we have talked at some of our cyber events (don’t miss one when you are invited), have been convicted of hacking into newswire feeds before publication and using the protected information to buy and sell financial instruments for the precious profitsess.
We wonder what devious plans they will hatch whilst in Joliet? As some of you know, catching a Katy isn’t always a bad thing.
Happy Anniversary to the long-suffering Mrs W.