The industry-wide use of Remote Desktop Protocol makes it a tempting target for hackers

Microsoft’s Remote Desktop Protocol (RDP) is a popular and ubiquitous means of accessing, controlling, and managing remote computers, both for individuals and organizations. RDP is the underlying technology for Microsoft’s Remote Desktop Connection (RDC), a client built into Windows but also available for other platforms such as macOS, iOS, and Android. But that very popularity makes RDP an inviting and exploitable avenue for hackers to gain access to remote computers. Fortunately, there are measures you can take to control and customize RDP in your organization to better safeguard it against attackers, according to Vectra’s 2019 Spotlight Report on RDP, released on Wednesday.

Because of its prevalent use, RDP is a heavily attacked surface and will likely continue to be so in the near future, according to Vectra. That’s because cyberattackers typically follow the "path of least resistance" in their efforts to break into computers and systems. The strategy is to abuse existing administrative tools to gain access to a network, then introduce malware to scope out the target’s environment and ultimately steal data from the organization.

Vectra detected 26,800 suspicious RDP behaviors in more than 350 deployments from January to June of 2019, according to the report. A full 90% of the 350 deployments exhibited RDP attack behavior detections. Manufacturing and finance organizations were hit by the highest level of RDP detections with 10 and 8 detections per 10,000 workloads and devices, respectively. Beyond these two industries, retail, government, and healthcare were among the top five at-risk sectors for RDP attack detections.

Distribution of all suspicious RDP behavior detections by industry

In September 2018, the FBI warned that the malicious use of RDP "has been on the rise since mid-late 2016," Vectra’s report noted. Several ransomware families, such as SamSam and CrySiS, used RDP to move laterally inside networks. In its warning, the agency even advised companies to disable RDP if it’s not needed.

But many organizations weigh the advantages of using RDP against the possibility of a hacker tapping into it. In particular, IT managers in manufacturing companies are likely to prefer the substantial cost and time savings of the centralized management RDP offers over the more abstract risk of a cyberattacker exploiting it, says the report. RDP also offers business value in that it allows companies to centrally manage computers and systems around the world.

Why is RDP so vulnerable as a connection protocol? Does it have inherent weaknesses, or is it too often configured in such a way that makes it susceptible to exploitation?

Certainly, RDP is prone to security vulnerabilities, which are discovered on a regular basis, forcing Microsoft to alert users and patch the holes. In August, Microsoft announced several new vulnerabilities in Remote Desktop Services that could be exploited without valid credentials or any interaction from the user, allowing an attacker to remotely execute code and take control of a system. In that announcement, even Microsoft recommended disabling Remote Desktop Services if not needed. But it’s still the widespread use of RDP that makes it an open target.

"RDP is no more or less vulnerable than any other administrative protocol, which means the strength of RDP is dependent on how strong the administrative authentication used within the organization is," Chris Morales, head of security analytics at Vectra, told TechRepublic in an email. "What makes RDP attractive is the ubiquity of the protocol, as RDP is present on every Windows system since 1996 and is widely used in every industry. RDP does have exploits that allow an attacker to bypass authentication and execute their code on a remote system, but this is the same as any software."

Rather, the weaknesses of RDP more often lie in its configuration, or misconfiguration.

"The issue with RDP is most often in the configuration and deployment within the organizations themselves," Morales told TechRepublic. "There are cases of shared administrative access, RDP exposed to the Internet, and a general lack of awareness of how RDP is used inside the organization."

The first step toward securing RDP more effectively against exploitation is to control who can reach it.

"Organizations must limit access to remote desktop management and use strong authentication," Morales said. "And organizations must assume compromise is possible and focus on learning the who, what, where, and when of remote desktop access. This includes properly assigning user access rights and reducing instances of shared credentials so organizations can concentrate on how and when that access is used."

The next step is to monitor the use of RDP.

"Monitoring remote access behaviors is essential to increase the ability to detect a cyberattacker’s internal reconnaissance and lateral movement within the organization’s network," Morales added. "Visibility into this and other attacker behaviors is dependent on the implementation of proper tools with visibility into network behaviors."
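The two steps above, restricting who may use RDP and then watching how it is actually used, can be checked against the Windows Security log. The following is an added example, not code from the report or from Vectra: it runs over a handful of constructed, simplified log lines (timestamp, event ID, logon type, account, target host, source IP, extracted from 4624/4625 events, where logon type 10 is RemoteInteractive, i.e. RDP) and flags the patterns Morales describes: RDP sessions that did not originate from an approved jump host, an account used from several sources (a sign of shared credentials), one source fanning out to many hosts (lateral movement), and repeated failures from a single source. The jump-host address, thresholds and sample lines are all assumptions for the example.

```python
"""Flag suspicious RDP logon behaviour from Windows Security log events.

Added example. Input is a simplified export format (one event per line):
    timestamp|event_id|logon_type|account|target_host|source_ip
Event 4624 = successful logon, 4625 = failed logon; logon type 10 = RDP.
"""
from collections import Counter, defaultdict

# Constructed sample events for the demo (not real telemetry).
SAMPLE_LINES = [
    "2019-03-04T08:15:02|4624|10|jsmith|FS01|10.0.0.5",          # admin via jump host
    "2019-03-04T08:20:11|4624|10|jsmith|DC01|10.0.0.5",
    "2019-03-04T09:02:45|4624|10|svc_backup|FS01|10.0.4.17",     # service account from a workstation
    "2019-03-04T09:03:10|4624|10|svc_backup|FS02|10.0.4.17",
    "2019-03-04T09:03:40|4624|10|svc_backup|HR-WS12|10.0.4.17",
    "2019-03-04T09:04:05|4624|10|svc_backup|FS03|10.0.4.17",
    "2019-03-04T11:30:00|4624|10|svc_backup|FS01|10.0.4.33",     # same account, second source
    "2019-03-04T12:00:01|4625|10|administrator|FS01|203.0.113.9",  # repeated failures from outside
    "2019-03-04T12:00:02|4625|10|administrator|FS01|203.0.113.9",
    "2019-03-04T12:00:03|4625|10|administrator|FS01|203.0.113.9",
    "2019-03-04T12:00:04|4625|10|administrator|FS01|203.0.113.9",
    "2019-03-04T12:00:05|4625|10|administrator|FS01|203.0.113.9",
    "2019-03-04T12:00:07|4624|2|jsmith|FS01|-",                  # console logon: not RDP, ignored
]

# Hypothetical: the only host from which interactive admin RDP is allowed.
JUMP_HOSTS = {"10.0.0.5"}


def parse_line(line):
    """Split one export line into a dict; raises ValueError on malformed input."""
    ts, event_id, logon_type, account, host, src = line.strip().split("|")
    return {"ts": ts, "event_id": int(event_id), "logon_type": int(logon_type),
            "account": account, "host": host, "src": src}


def analyze(lines, jump_hosts=JUMP_HOSTS, fanout_threshold=3, fail_threshold=5):
    """Return the four categories of suspicious RDP behaviour found in `lines`."""
    events = [parse_line(l) for l in lines if l.strip()]
    rdp = [e for e in events if e["logon_type"] == 10]          # keep only RDP logons
    ok = [e for e in rdp if e["event_id"] == 4624]
    failed = [e for e in rdp if e["event_id"] == 4625]

    # 1. Access control: successful RDP that did not come from an approved jump host.
    non_jump = sorted({(e["account"], e["src"], e["host"]) for e in ok
                       if e["src"] not in jump_hosts})

    # 2. Shared credentials: one account used over RDP from more than one source.
    sources_by_account = defaultdict(set)
    for e in ok:
        sources_by_account[e["account"]].add(e["src"])
    shared = sorted(a for a, s in sources_by_account.items() if len(s) > 1)

    # 3. Lateral movement: one non-jump source reaching many distinct hosts.
    hosts_by_src = defaultdict(set)
    for e in ok:
        hosts_by_src[e["src"]].add(e["host"])
    fanout = sorted((s, len(h)) for s, h in hosts_by_src.items()
                    if s not in jump_hosts and len(h) >= fanout_threshold)

    # 4. Credential guessing: many failed RDP logons from one source.
    fails_by_src = Counter(e["src"] for e in failed)
    brute = sorted((s, n) for s, n in fails_by_src.items() if n >= fail_threshold)

    return {"non_jump_source": non_jump, "shared_account": shared,
            "fanout": fanout, "brute_force": brute}


if __name__ == "__main__":
    for category, findings in analyze(SAMPLE_LINES).items():
        print(f"{category}: {findings}")
```

In a real deployment the fields come from the 4624/4625 event properties (LogonType, TargetUserName, IpAddress) and the Computer that logged the event, typically via a SIEM export rather than a hand-built file. One caveat: when Network Level Authentication is enabled, failed RDP credential checks are typically recorded with logon type 3 rather than 10, so a production version of the failure counter should include 4625 type 3 events on RDP-facing hosts as well.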

Beyond those pieces of advice, organizations must keep abreast of newly discovered RDP vulnerabilities through Microsoft’s security advisories and apply the necessary patches promptly. An article from Machine Design entitled Five Issues Facing Secure Remote Access to IIoT Machines also offers helpful advice for managing RDP, especially within a manufacturing environment.