The rising trend of working away from the office, is starting to come with the very heavy price of network breaches. This is because, when a mobile worker is away from their office desk, chances of them connecting back to the office network via remote access technology is particularly high.
Barracuda Network’s Product Manager for WAF and ADC, Tushar Richabadas, pointed out, “Some organisations, may not have the right security policies in place, to ensure RDP or remote desktop protocol access is locked down behind a VPN (virtual private network).
“In many scenarios, organisations think that (this access) won’t be found and attacked, given that they are too small.
“This is not the case at all, and it hasn’t been so for a long time now, given the rise in automated attacks.”
He shared an article from the Bleeping Computer blog which reported RDP points are increasing, and along with it, ‘doors’ for hackers to sneak into corporate networks. Besides that, it also revealed RDP as a favourite method used by hackers to deliver ransomware, and that there may be a prevalent misperception that breaches could be avoided, just by encrypting the RDP channel.
Plugging the RDP hole
The good news is that when companies go to Barracuda to acquire a security solution, they have understood the need to secure all access to their internal networks, RDP included.
Tushar said, “With our next-generation firewall, we see a lot of requests for locking down and providing RDP access to internal resources from remote locations, using VPN capabilities to lock down access while using the firewall capabilities to prevent network attacks. More importantly, the Barracuda NG Firewall’s IPS module will intercept any known attacks using signatures and blocks them from reaching the RDP servers.
“With the Barracuda Web Application Firewall (WAF), we see customers looking to integrate with Active Directory for login control, and to prevent web attacks for RDP Web Access.”
No one is safe
No one particular industry has it worse than the next.
Tushar said, “If you leave your resources open to the Internet without locking them down, then you will be attacked – this is not specific to enterprises, or RDP holes.”
RDP just so happens to be extremely dangerous because access to these machines, would provide hackers with elevated user permissions.
“For instance, a standard RDP login, may have admin permissions. This means that anyone who logs in, will have full permissions to do anything, including shutting down your business!”
The Wannacry ransomware attack last May, reached devastating proportions because of SMB file shares that were open to the Internet without protection, as well. Server Message Block or SMB is the transport protocol used by Windows machines for filesharing, networking printers, and access to remote Windows services.
Tushar observed, “This had the effect of allowing Wannacry to spread very easily.”
Serious damage
The same could also happen with the RDP flaw, and not only because of the number of machines that it can be found on.
Tushar cautioned that the RDP flaw, could potentially impact Microsoft’s Active Directory (AD). AD is a Microsoft directory service for Windows, that domain networks that store information on network components, automates network management of user data, and authenticates and authorises users, with security policies.
“I can easily see a threat actor, using the open RDP access to infect the Active Directory server and cause serious damage,” Tushar warned.
In fact, the recent Black Hat event in Las Vegas, saw security consultants demonstrate how they could bypass internal firewalls, defeat network segmentation, and even abuse an infected organisation’s cloud domain controllers, to steal data.
Once the hacker gains access via the RDP, the organisation’s network environment becomes their playground.
So, far this is still a theoretical attack. Then again, so was the NSA exploit “EternalBlue”, before it was used to compromise the SMB vulnerability, and become so famous for causing the Wannacry ransomware to become an epidemic – to computers in over 150 countries around the globe.
Tushar said, “We can protect access from the Web, using both our Next Generation Firewall (NG Firewall), and Web Application Firewall.
“The NG Firewall provides advanced firewalling and VPN capabilities to protect against network threats, and to lock down access, while the WAF protects RDP Web access with access control that integrates with AD.”
Besides this, Tushar also imparted the following best practices for organisations to follow:
- Always use a firewall. Don’t ever let people connect to your internal networks directly from the Internet.
- Always use a VPN to tunnel remote connections to your RDP systems.
- Enforce 2-factor authentication.
- Don’t use default RDP ports. This is security by obscurity, but it helps against lazy attackers.
- Ensure that any user, has the lowest required admin access. Similarly, do not allow RDP access to users who do not need it.
