A recent McAfee Advanced Threat Research team blog post discusses the world of dark web RDP shops – sites specializing in the sale of access to machines via Microsoft’s Remote Desktop Protocol. There are many things for sale on the dark web, from novelty MDMA pills to stolen drone documents. While illegal products and classified information are concerning, sites selling remote access to systems poses an exigent threat to public safety.
Image source: IBTimes
What is RDP?
Remote Desktop Protocol is a proprietary protocol developed by Microsoft to allow users to connect to a remote machine through a GUI. The connection supports transfer of video, audio, clipboard data, printer data and keyboard & mouse traffic. RDP can be configured to encrypt traffic with RSA’s RC4 cipher with a 56 or 128-bit key. Remote Desktop is an invaluable tool for administrators and remote workers but presents a serious security risk when configured with weak credentials and left exposed to the internet.
So, what’s the appeal for threat actors?
Imagine that you’re trying to break into a bank vault. You spent months carefully digging a tunnel from the basement of the dilapidated theater across the street. You’ve assembled a highly-skilled crew: femme-fatale safe cracker, Vegas-native security system specialist, the best conman in the tri-state area and some muscle in case things go south. Months of planning and thousands of dollars have been spent pulling off this heist and acquiring specialized tools. Your tunnel finally intersects the bank’s vault room. Heart pounding, you carefully cut your way through the reinforced concrete and, at long last, face your ultimate challenge – the grey, implacable face of the best vault money can buy.
The elevator dings behind you. Your crew spins around in unison, now-sweaty palms gripping the stippled texture of their weapons. You shout, “Who’s there?” with an adrenaline-fueled voice over the barrel of your pistol.
“Hey guys, chill. It’s me, Donnie, the getaway driver. Remember me?” Donnie steps out of the elevator, arms raised, a set of keys in one hand and a Post-It note in the other. “I was sitting in the car and saw the manager taking off. He left his keys in the door and there’s this thing on the keyring that turns the alarm off.”
“Like a car alarm, right? Then I checked out his office and found this.” Donnie hands the note over. It reads, “Vault Code – 3389”.
You punch the code in, the vault opens like you own the place. Everyone gets paid, but you can’t help but think about the money you could have saved with an easy way in. And next time you’ll try Donnie’s approach.
That’s what having RDP secured with weak credentials and exposed to the internet is like. Someone with a low level of technical skill can breach your security totally with minimal effort.
Malicious hackers benefit from using RDP as it avoids needing to employ specialized tools. Why bother with creating a spear phishing campaign, hoping you get some poor soul to open an attachment and waiting for that malware payload to successfully connect to your C&C when you can easily (and cheaply) purchase direct access to a system?
Does that sound bad? It is.
McAfee researchers examined a fresh Windows Server 2008 R2 entry on sale for $10 at one of the larger remote access shops. For that princely sum, an attacker would gain administrative access to machines controlling security and building automation systems at an international airport in the USA. The team was able to determine the target machine’s full IP address (the last two octets are redacted on the shop site until you’ve paid) by using the Shodan search engine and narrowing results by the city and default RDP port number (3389).
The query returned three results. WHOIS queries on those results determined that they belong to a major international airport. Exploring further, three accounts were available on the Server 2008 R2 machine for RDP connections. The Administrator account was obvious. The other two usernames were determined to be related to two companies that specialize in airport security – one in building automation and the other in video surveillance and analytics. Researchers were also able to determine that the computer was joined to a domain likely related to an inter-terminal passenger transport system. This machine and the available accounts are in a great position on the network to cause major damage and support lateral movement.
RDP is a great administrative tool and enables remote workers to chill in their adult jammies while cranking out a pivot table. It makes life easy for all, including cyber criminals. Fortunately for you, Defender of the Network, there are a few basic security steps you can take to harden RDP.
Use complex passwords + multi-factor authentication to defend against brute-force attacks. Strong passwords greatly increase the time needed to guess a password and multi-factor authentication provides an additional layer of security for accounts.
Enforce user & IP lockout policies when too many failed connection attempts. This prevents an account from being compromised and maintains the system’s integrity. If a specific account is attacked several times it may give insight into the attack.
Log connection attempts (successes and failures). Logging is important to identifying attacks, identifying the source of attacks and mitigating attacks in progress.
Use a VPN to wrap RDP up in a more secure shell. Don’t expose any machines directly to the internet that don’t have to be. Using a VPN provides stronger encryption as well as an excellent audit trail and nonrepudiation.
Remember: your security doesn’t have to (and can’t) be perfect. In many cases it just has to be better than the next guy down the IP block. Taking simple steps to harden your systems, applying the principle of least privilege to user access and looking at your network’s profile from the WAN side of the firewall are the first steps down the road of remote access security.