RDP, the ransomware problem that won’t go away

The year 2020 will certainly be remembered as one of the most difficult and tragic years humankind has faced in modern times. The global pandemic changed the way we live and work in ways unimaginable, perhaps forever.

It also altered the cybersecurity landscape dramatically. The FBI reported a 300 percent increase in cybercrime in the first quarter of that year, and the rate and cost of ransomware attacks escalated at an unprecedented rate. Almost thirty attacks were reported in December 2020 alone, including the infamous $34 million demand levied against electronics giant Foxconn.

One of the primary reasons these attacks are growing rapidly is due to a shift from secure office locations to less secure remote work environments. Prior to the global pandemic, less than 4 percent of the population worked from home. The genie is out of the bottle now though, and there’s no going back. It’s no surprise then, that a recent Gallup poll found that 82 percent of business leaders plan to maintain a larger work-from-home (WFH) posture well after the pandemic.

While many organizations can benefit from a wider selection of job candidates and reduced maintenance and facility costs, for security professionals, work-from-home environments expand the attack surface they have to protect, and increase the risks for phishing, malware, and ransomware.

The target for today’s organized and sophisticated cybercriminals, like the ones operating Maze or Ryuk, isn’t a single computer but an organization’s entire network. A majority of ransomware intrusions begin with a “backdoor” into the victim’s network: Remote Desktop Protocol (RDP) endpoints that are exposed to the internet, guarded by weak or reused passwords, or running vulnerable client or server software. The weakness is as often in how RDP is deployed as in RDP itself.

The threat of RDP brute forcing has been widely reported, and brute force protection for RDP has been a “must have” for several years, yet these attacks continue to succeed. The truth is that simply telling people to harden RDP isn’t working fast enough. Brute force protection needs to be more than just another item on an overworked system administrator’s ever growing task list. Instead, we need to see RDP brute forcing for what it is, an endpoint detection and response (EDR) problem, and handle it there: the repeated logon failures are already being recorded on the endpoint, so that is where they should be detected and acted on, rather than relying on every exposed host being configured correctly by hand.
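To show what “handle it at the endpoint” looks like in practice, here is an added example (not code from the original article or from any EDR vendor) that runs brute-force and password-spray detection over Windows Security logon-failure events. The event records are constructed for the example, and their field names (`event_id`, `logon_type`, `user`, `source_ip`) are a simplified projection of the real Event ID 4625 data (`LogonType`, `TargetUserName`, `IpAddress`); the thresholds and window are assumptions to tune per environment. It goes slightly beyond the paragraph by also catching the “low and slow” spray pattern, where one source tries a few guesses against many accounts and never trips a per-account lockout.

```python
"""Sliding-window detection of RDP brute force and password spraying
from Windows Security events. Added example with constructed sample data."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event ID 4625 = "An account failed to log on".
# Logon Type 10 = RemoteInteractive (RDP / Terminal Services).
# Caveat: with Network Level Authentication (NLA) enabled, a failed RDP
# credential check is frequently recorded as Logon Type 3 (Network), because
# CredSSP authenticates before the interactive session exists. Add 3 to the
# set below if your logs show that pattern, accepting extra noise from SMB,
# WinRM and other network logons.
FAILED_LOGON = 4625
RDP_LOGON_TYPES = frozenset({10})


def _t(minute, second):
    """Timestamp helper: every sample event falls on one constructed day."""
    return datetime(2020, 12, 1, 9, minute, second)


# Constructed sample events (addresses are from the TEST-NET documentation ranges).
SAMPLE_EVENTS = (
    # Brute force: one account hammered every 5 seconds from one address (12 failures).
    [{"time": _t(0, s), "event_id": 4625, "logon_type": 10,
      "user": "administrator", "source_ip": "203.0.113.10"} for s in range(0, 60, 5)]
    # Password spray: six different accounts, one guess each, 30 seconds apart.
    + [{"time": _t(1 + i // 2, 30 * (i % 2)), "event_id": 4625, "logon_type": 10,
        "user": u, "source_ip": "198.51.100.7"}
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # Benign: a user mistypes a password once, then logs on successfully (4624).
    + [{"time": _t(2, 10), "event_id": 4625, "logon_type": 10,
        "user": "grace", "source_ip": "192.0.2.5"},
       {"time": _t(2, 15), "event_id": 4624, "logon_type": 10,
        "user": "grace", "source_ip": "192.0.2.5"}]
    # Network-logon failures (Logon Type 3): ignored unless 3 is in logon_types.
    + [{"time": _t(3, s), "event_id": 4625, "logon_type": 3,
        "user": "svc-backup", "source_ip": "192.0.2.9"} for s in range(0, 60, 4)]
)


def detect_rdp_attacks(events, window=timedelta(minutes=5), max_failures=10,
                       max_distinct_users=5, logon_types=RDP_LOGON_TYPES):
    """Return {source_ip: set_of_alert_types} for every source that, inside any
    sliding window of the given length, either fails `max_failures` times
    ("bruteforce") or fails against `max_distinct_users` accounts ("spray")."""
    recent = defaultdict(deque)   # source_ip -> deque of (time, user), oldest first
    alerts = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] not in logon_types:
            continue
        q = recent[ev["source_ip"]]
        q.append((ev["time"], ev["user"]))
        # Drop failures that have aged out of the window.
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        if len(q) >= max_failures:
            alerts[ev["source_ip"]].add("bruteforce")
        if len({user for _, user in q}) >= max_distinct_users:
            alerts[ev["source_ip"]].add("spray")
    return dict(alerts)


if __name__ == "__main__":
    for ip, kinds in sorted(detect_rdp_attacks(SAMPLE_EVENTS).items()):
        print(f"{ip}: {', '.join(sorted(kinds))}")
```

On real hosts the same logic would be fed from the Security log (for example via the EDR agent or a Windows Event Forwarding subscription) and the response step would block the source address or disable RDP on the host, which is the part a static hardening checklist never does.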

Less well publicized are the vulnerabilities that continue to turn up in popular RDP software. Security researchers found twenty-five vulnerabilities in some of the most popular RDP clients used by businesses. These include:

  • FreeRDP, the most popular open-source RDP client on GitHub
  • Microsoft’s built-in RDP client, mstsc.exe
  • rdesktop, another open-source RDP client and the default RDP client in Kali Linux

Many security professionals may not be aware of “reverse RDP” vulnerabilities, in which a malicious or already compromised RDP server attacks the client that connects to it, so the machine at risk is the one the user is sitting at rather than the remote host. An analyst who connects to a compromised server to investigate it, or an administrator who connects to a rogue machine, can end up with their own workstation compromised. The grunt work of inventory taking and patching, on RDP clients as well as servers, remains as vital as ever.