Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
8

Insecure RDP

Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Lateral Movement
Techniques
Validation
Validated

Description

There are active attack campaigns as of October 2020 targeting RDP servers without multi-factor authentication enabled.

Add Assessment

General Information

Exploited in the Wild

Reported by:

References

Additional Info

Technical Analysis

Description

In September and October of 2020, researchers noted an uptick in attacks against Microsoft’s Remote Desktop Protocol (RDP) and related compromises. RDP has become a popular target in the past several years, thanks in part to high-profile vulnerabilities like BlueKeep. RDP can be exploited to compromise organizations when, for instance, RDP servers have weak credentials and multi-factor authentication is not enabled.

For further details on attacker activity, RDP exposure, and trends over time, Rapid7 Labs has a full blog post here.

Rapid7 analysis

Spencer McIntyre’s analysis offers an insightful overview of the ways attackers have targeted RDP over the past two years; the protocol’s attack surface area is better understood by broad research and security audiences now than it was in years past, which can also mean a jump in disclosed vulnerabilities (some severe) and mature RDP attack tooling.

RDP attacks are nothing new. But, as we’ve all heard many times in 2020, an exponentially larger portion of the workforce suddenly moving to primarily (or entirely) remote work is new, and security and IT teams are still facing challenges ensuring the safety of their organizations’ remote workers. RDP offers more and stealthier lateral movement opportunities for attackers than protocols like Microsoft’s Server Message Block (SMB), as Spencer notes. Offensive security researchers have also heard frequently from penetration testers and red teams that there’s high demand for more robust RDP exploitation support in common tools and attack workflows—the implication being, of course, that there’s notable attack surface within even more mature organizations engaging pen testing services.

Guidance

  • Enable and configure Network Level Authentication (NLA). This forces users to authenticate before establishing an RDP session, which adds a layer of defense to exposed RDP servers.
  • Set an account lockout threshold and monitor login attempts to detect brute force and credential stuffing attacks.
  • Require strong passwords and add multi-factor authentication to RDP hosts.
  • Consider restricting the remote IPs that can access RDP-enabled systems.

References