Very High
Insecure RDP
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
Very High
(1 user assessed)
Very High
(1 user assessed)Unknown
Unknown
Unknown
Insecure RDP
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
There are active attack campaigns as of October 2020 targeting RDP servers without multi-factor authentication enabled.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
Over the past couple of years (2018-2020) attacks against RDP have become more and more common. Recent improvements in attacker-related tooling can be contributed to generally available and mature projects targeting RDP and a number of remotely exploitable vulnerabilities being disclosed.
Memory Corruption Flaws
One of the best examples of this is CVE-2019-0708 (AKA BlueKeep) which was an unauthenticated, remotely exploitable use-after-free in RDP. This particular vulnerability was able to be developed to yield semi-reliable code execution and is widely utilized by attackers. Following this, CVE-2019-1182 (AKA DejaBlue) was discovered as well. This particular bug was a heap corruption within the server’s dynamic channel handling. While this vulnerability has not to this date had exploitat code released, it also contributed to the popularity of RDP vulnerability research in 2019.
Why RDP As An Attack Surface?
Regardless of code execution-type vulnerabilities, RDP is an attractive attack surface for the following reasons:
- It’s commonly accessible internally and relatively accessible externally
- It’s common that non-administrative users can authenticate to it, offering an initial foothold to attackers
- The service can yield version information about the host operating system
- Established sessions can be hijacked using publicly documented tools techniques and procedure (TTPs)
- In addition to offering a graphical interface to the desktop session, it can also be used to mount drives and transfer files
When compared to an interface such as SMB for the purpose of lateral movement, RDP offers a much larger degree of freedom for the attacker. Using SMB, attackers are able to use a small number of techniques to achieve code execution such as PSexec. Alternatively, RDP through it’s graphical interface and file transfer capabilities offers attackers near limitless possibilities. This number of possibilities directly improves the attackers evasion capabilities as they can easily adapt and shift techniques that are blocked through whatever sort of endpoint protection maybe present. Furthermore, SMB as an attack surface is very well know and widely documented. For those reasons, and the fact that there are choke points from an attacker workflow perspective, there are mature defenses and controls in place (such as event monitoring) that are either not applicable to or are less effective when compared to RDP.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportGeneral Information
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Additional Info
Technical Analysis
Description
In September and October of 2020, researchers noted an uptick in attacks against Microsoft’s Remote Desktop Protocol (RDP) and related compromises. RDP has become a popular target in the past several years, thanks in part to high-profile vulnerabilities like BlueKeep. RDP can be exploited to compromise organizations when, for instance, RDP servers have weak credentials and multi-factor authentication is not enabled.
For further details on attacker activity, RDP exposure, and trends over time, Rapid7 Labs has a full blog post here.
Rapid7 analysis
Spencer McIntyre’s analysis offers an insightful overview of the ways attackers have targeted RDP over the past two years; the protocol’s attack surface area is better understood by broad research and security audiences now than it was in years past, which can also mean a jump in disclosed vulnerabilities (some severe) and mature RDP attack tooling.
RDP attacks are nothing new. But, as we’ve all heard many times in 2020, an exponentially larger portion of the workforce suddenly moving to primarily (or entirely) remote work is new, and security and IT teams are still facing challenges ensuring the safety of their organizations’ remote workers. RDP offers more and stealthier lateral movement opportunities for attackers than protocols like Microsoft’s Server Message Block (SMB), as Spencer notes. Offensive security researchers have also heard frequently from penetration testers and red teams that there’s high demand for more robust RDP exploitation support in common tools and attack workflows—the implication being, of course, that there’s notable attack surface within even more mature organizations engaging pen testing services.
Guidance
- Enable and configure Network Level Authentication (NLA). This forces users to authenticate before establishing an RDP session, which adds a layer of defense to exposed RDP servers.
- Set an account lockout threshold and monitor login attempts to detect brute force and credential stuffing attacks.
- Require strong passwords and add multi-factor authentication to RDP hosts.
- Consider restricting the remote IPs that can access RDP-enabled systems.
References
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
This is so great!
From “https://www.microsoft.com/security/blog/2020/10/07/best-practices-for-defending-azure-virtual-machines/” “If you are already allowing RDP access to your Azure VMs from the internet, you should check the configuration of your Network Security Groups. Find any rule that is publishing RDP and look to see if the Source IP Address is a wildcard (*). If that is the case, you should be concerned, and it’s quite possible that the VM could be under brute force attack right now.”
As a mitigation for on prem servers you can use duo.com (vendor that provides two factor to rdp connections) to protect RDP and the built in Microsoft firewall to limit access to certain IP addresses.