Cybercriminals Take Advantage of Increased Use of RDP During COVID-19 Telework

The COVID-19 pandemic has changed “business as usual” for many organizations. One of the biggest changes is a sudden need for secure remote access solutions. The Remote Desktop Protocol (RDP) enables remote employees to work effectively from home, but it also creates new potential attack vectors for cybercriminals. By deploying software-defined perimeter functionality, an organization can take advantage of the capabilities of RDP in a secure and usable way.

RDP and COVID-19

The COVID-19 pandemic forced many organizations to rapidly transition to remote work in order to continue operating while keeping employees safe. In many cases, these organizations did not have sufficient company-owned devices to send each employee home with their own corporate device.

As a result, the use of RDP, a Microsoft protocol designed to allow a user to remotely control a Windows computer, has grown significantly during the pandemic.

A teleworker can use RDP to remotely control their work machine, giving them access to all of its files, software, and other resources. This not only allows employees to work from a variety of different devices but can also help to solve data security and licensing issues. When working over RDP, any data on the target computer stays there, and an organization does not need to purchase additional licenses for employees to install critical software on the machines used for telework.

Cybercriminals Use Open RDP Ports for Credential Stuffing Attacks

RDP is a useful tool for organizations wishing to support a remote workforce. By exposing RDP to their employees, these organizations can allow employees to work from any computer capable of running an RDP client. However, the widespread use of RDP has also introduced a new attack vector for cybercriminals.

A crucial part of the process for setting up an RDP connection is authentication. In order to ensure that only legitimate users can gain access to the remote computer and the sensitive data and functionality that it contains, users must prove their identity before connecting. This is accomplished by having them log in with the same credentials that they would use if sitting in front of the remote computer itself.

This use of the employee’s login credentials is important for security. However, it also creates an opportunity for attackers to engage in credential stuffing and brute-force password guessing attacks. Using the exposed login portal, an attacker can test potential username and password combinations, including those exposed in past breaches (since many people reuse passwords across multiple accounts). While limits on failed login attempts can help to protect against these attacks, they can also result in legitimate users being locked out and unable to do their jobs.

If successful, an attacker gains access to the target computer and, from there, the enterprise network with the same level of permissions and access as the legitimate employee whose credentials were compromised. These attacks against RDP are increasingly common and widely used as an initial step for installing ransomware on an organization’s systems.
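The two attack patterns described above leave distinct fingerprints in the Windows Security log, and a defender can detect both without relying solely on per-account lockout thresholds. The following is an added example (not code from the original post or its author): it parses failed (4625) and successful (4624) RDP logons (LogonType 10, RemoteInteractive) and flags, per source address, a burst of failures against one account (brute force) or spread across many accounts (credential stuffing), then notes whether a successful logon followed from the same address. The key=value line format, the thresholds, and the sample records are constructed for this example; the event IDs and logon type are standard Windows values.

```python
"""Detect brute-force and credential-stuffing logon attempts against RDP.

Added example. Works on Windows Security events exported as key=value lines:
event 4625 = failed logon, 4624 = successful logon, LogonType 10 =
RemoteInteractive, which is the logon type an RDP session generates.
The export line format and the sample data below are constructed for this
example; adapt parse_event() to whatever your SIEM actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_event(line):
    """Parse one exported line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["event_id"]),
        "logon_type": int(m["logon_type"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def find_rdp_attacks(events, window=timedelta(minutes=5), min_failures=6, min_users=3):
    """Group RDP logon failures by source address and flag suspicious bursts.

    A run of at least `min_failures` failures inside `window` is reported as
    "brute_force" when it targets fewer than `min_users` accounts and as
    "credential_stuffing" when it spreads over `min_users` or more accounts
    (the pattern a per-account lockout threshold does not catch). A
    successful RDP logon from the same address after the burst began is
    recorded so those findings can be triaged first.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev and ev["logon_type"] == 10:  # RDP sessions only
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == 4625]
        # Sliding window: find the densest run of failures within `window`.
        best, start = None, 0
        for end in range(len(failures)):
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, start, end)
        if best is None or best[0] < min_failures:
            continue
        count, s, e = best
        burst = failures[s:e + 1]
        users = {f["user"] for f in burst}
        succeeded = any(
            x["event_id"] == 4624 and x["time"] >= burst[0]["time"] for x in evs
        )
        findings.append({
            "ip": ip,
            "kind": "credential_stuffing" if len(users) >= min_users else "brute_force",
            "failures": count,
            "distinct_users": len(users),
            "success_after_burst": succeeded,
        })
    return findings


def constructed_sample():
    """Build sample log lines (constructed for this example, not real data)."""
    base = datetime(2020, 4, 1, 9, 0, 0)
    fmt = "{ts} EventID={eid} LogonType=10 TargetUserName={user} IpAddress={ip}"
    lines = []
    # 12 failures against one account in two minutes: brute force.
    for i in range(12):
        lines.append(fmt.format(ts=(base + timedelta(seconds=10 * i)).isoformat(),
                                eid=4625, user="jsmith", ip="203.0.113.5"))
    # One failure each against eight accounts, then a success: credential stuffing.
    for i in range(8):
        lines.append(fmt.format(ts=(base + timedelta(seconds=20 * i)).isoformat(),
                                eid=4625, user=f"user{i}", ip="198.51.100.7"))
    lines.append(fmt.format(ts=(base + timedelta(seconds=200)).isoformat(),
                            eid=4624, user="user5", ip="198.51.100.7"))
    # A real employee mistyping twice and then getting in: must not be flagged.
    for i, eid in enumerate((4625, 4625, 4624)):
        lines.append(fmt.format(ts=(base + timedelta(seconds=30 * i)).isoformat(),
                                eid=eid, user="amy", ip="10.0.0.12"))
    return lines


def analyze(lines):
    """Parse exported lines and return findings keyed by source address."""
    events = [parse_event(line) for line in lines]
    return {f["ip"]: f for f in find_rdp_attacks(events)}


if __name__ == "__main__":
    for ip, finding in analyze(constructed_sample()).items():
        print(ip, finding)
```

Keying the detection on the source address rather than on the target account is the point: a per-account lockout threshold stops a single-account brute force but blocks the legitimate employee too, while it never fires on credential stuffing that tries each account only once or twice. Rate-limiting or blocking the offending source address catches both patterns without locking out the user whose name is being guessed.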

VPNs Are Not an Adequate Solution

The Remote Desktop Protocol is not secure on its own. Exposing the RDP authentication service to the public Internet makes it vulnerable to these credential stuffing and password guessing attacks. One solution is to make RDP accessible only from inside the enterprise network and to let remote users reach it through a virtual private network (VPN). Once a user has connected via VPN, they have internal access to the enterprise network, at which point they can connect to their target machine via RDP.

The problem with this approach is that VPNs have a number of security and usability issues. VPNs are prone to vulnerabilities that enable an attacker to gain access to the network. If this occurs, the VPN gives the attacker full access to the enterprise network, the same worst-case scenario as exploitation of RDP.

SASE Enables Secure, Usable Remote Access

The primary limitation of VPNs, in this case, is that they lack an integrated software-defined perimeter (SDP), also known as zero trust network access (ZTNA). SDP limits access to the target network based upon business needs, so that a compromised account reaches only the devices and data required for its owner's job role.

Secure Access Service Edge (SASE) is a next-generation remote access solution that integrates a full security stack and includes built-in SDP capabilities. This means that, in addition to providing higher performance and usability than VPNs, it is capable of monitoring network traffic for potential attacks.

SASE can detect and block the credential stuffing and brute-force password guessing attacks commonly targeting RDP solutions. This enables organizations to deploy remote access solutions to their employees (like RDP) that are both usable and secure.