What is RDP?
Remote Desktop Protocol, or RDP, is a tool that many organizations leverage to allow users to access systems remotely. It’s built into all modern versions of Windows, is easy to enable, typically uses the same username and password used to access other systems (laptop, desktop, email, etc.) and offers a full desktop experience across the network (LAN or WAN / Internet). Because of this, many organizations make RDP available so that their employees and trade partners can access their systems remotely.
When an attacker is looking for a target, one of the first things they do is identify the attack surface: what is exposed and, of those things, what can be attacked. Two examples of this are the recent WannaCry outbreak and the more recent Equifax breach. In both cases, vulnerable software was exposed (Windows file shares and Apache Struts respectively); attackers found the software, identified the vulnerabilities and launched their attack. WannaCry resulted in more than 230,000 computers in more than 150 countries being infected within the first day, and the Equifax breach resulted in sensitive financial / identity data being exposed on more than 145 million people.
Why is RDP dangerous?
Like the exposed Windows file shares and Apache Struts software, a system exposing Remote Desktop to the Internet at large is an attack surface that, if exploited, could be devastating to the organization. Unlike the WannaCry outbreak or Equifax breach though, an attacker would not have to know or have access to any type of attack tools (Metasploit, etc.) to do damage to an exposed Remote Desktop server; just a username and password and a rudimentary understanding of Windows.
Is this really a problem?
According to Shodan.io, there are currently more than 591,000 Remote Desktop servers exposed to the Internet, including not just supported versions of Windows like Windows Server 2008, Windows Server 2012 and Windows Server 2016, but also a number of Windows Server 2003 and Windows XP systems. Many of these systems list the usernames of logged on or available users, meaning an attacker only has to guess the password, since the username is displayed. What’s more, it can be trivial for an attacker to associate the exposed RDP server with a domain name and then simply search password dumps (for example, LeakedIn) or even Twitter feeds like @dumpmon for leaked credentials tied to that domain.
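The password guessing described above leaves a trail on the server: every failed attempt is written to the Windows Security log as Event ID 4625, and RDP sessions carry LogonType 10 (RemoteInteractive). The script below is an added example, not part of the original post or any Piratica tool. It takes Security-log records in a minimal JSON form (the field names mirror the real event fields, but the records themselves are constructed for the example), keeps only RDP logon failures, and flags source addresses that either hammer one account or walk through many accounts. The thresholds, the JSON shape and the `_rec` helper are assumptions made for the example.

```python
"""Flag RDP password guessing in Windows Security log records.

Added example (not from the original post). Input is one JSON object per
line with the standard 4625 event fields; in practice the records would
come from Get-WinEvent or a SIEM export, and the format is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

FAILED_LOGON = 4625            # "An account failed to log on"
RDP_LOGON_TYPES = (10,)        # 10 = RemoteInteractive (RDP / Terminal Services)


def _rec(ts, ip, user, logon_type=10, event_id=FAILED_LOGON):
    """Build one constructed log line in the shape the parser expects."""
    return json.dumps({"EventID": event_id, "TimeCreated": ts,
                       "LogonType": logon_type, "IpAddress": ip,
                       "TargetUserName": user})


# Constructed sample data: a brute force, a password spray, an unrelated
# console failure from the same bad source, and one innocent LAN typo.
SAMPLE_LOG = [
    # 203.0.113.7: six RDP failures against 'Administrator' inside a minute
    *[_rec(f"2017-10-12T03:14:{10 * i:02d}", "203.0.113.7", "Administrator")
      for i in range(6)],
    # same source, but a console logon (LogonType 2): not RDP, so ignored
    _rec("2017-10-12T03:15:30", "203.0.113.7", "Administrator", logon_type=2),
    # 198.51.100.23: one attempt each against five different accounts
    *[_rec(f"2017-10-12T04:00:{i:02d}", "198.51.100.23", user)
      for i, user in enumerate(["jsmith", "mjones", "admin", "helpdesk", "backup"])],
    # 10.0.0.5: a single mistyped password from inside the LAN
    _rec("2017-10-12T08:02:11", "10.0.0.5", "jsmith"),
]


def parse_events(lines):
    """Return only failed RDP logons as dicts with time, source IP and user."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec["EventID"] != FAILED_LOGON or rec["LogonType"] not in RDP_LOGON_TYPES:
            continue
        events.append({
            "time": datetime.strptime(rec["TimeCreated"], "%Y-%m-%dT%H:%M:%S"),
            "ip": rec["IpAddress"],
            "user": rec["TargetUserName"].lower(),   # account names are case-insensitive
        })
    return events


def find_guessing(events, window=timedelta(minutes=5), threshold=5, spray_users=4):
    """Group failures by source IP and flag brute force or password spraying.

    brute_force   : at least `threshold` failures within any `window`
    password_spray: at least `spray_users` distinct accounts from one source
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        # Sliding window over the sorted timestamps: peak failures per window.
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        users = sorted({e["user"] for e in evs})
        if peak >= threshold or len(users) >= spray_users:
            kind = "password_spray" if len(users) >= spray_users else "brute_force"
            alerts[ip] = {"kind": kind, "failures": len(evs),
                          "peak_in_window": peak, "users": users}
    return alerts


def run(lines=SAMPLE_LOG):
    """Parse and analyse a batch of log lines; returns the alert dict."""
    return find_guessing(parse_events(lines))


if __name__ == "__main__":
    for ip, info in run().items():
        print(f"{ip}: {info['kind']} ({info['failures']} RDP failures, "
              f"accounts: {', '.join(info['users'])})")
```

Two points worth keeping in mind when running this against real logs. First, the LAN host with a single failure is correctly ignored; the thresholds are what separate a typo from an attack, and they should be tuned to the environment. Second, on servers with Network Level Authentication enabled, failures are typically recorded before a desktop session exists and may appear with a different LogonType (commonly 3, network) rather than 10, so widen `RDP_LOGON_TYPES` to match what your own 4625 events actually show.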
What can I do?
Through the end of the year, Piratica is offering a free vulnerability scan for any organization that requests it. This scan will attempt to identify any attack surfaces and give a brief report summarizing the top five threats found (if any) with some context information about the findings. If you have an internal or outsourced IT support staff, the information can be forwarded along to them for analysis and so that any necessary changes can be made. If you (or they) would like to discuss options for additional testing or analysis, we would be happy to help. If you do not have an IT support team, we can work with you to help you find a suitable support company and can work with them to build a security strategy for your organization.
Misc / Errata
- Remote Desktop Protocol – https://en.wikipedia.org/wiki/Remote_Desktop_Protocol
- WannaCry – https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
- Server Message Block (SMB) – https://en.wikipedia.org/wiki/Server_Message_Block
- Equifax – https://en.wikipedia.org/wiki/Equifax
- Apache Struts – https://en.wikipedia.org/wiki/Apache_Struts_2
- Shodan.io – https://www.shodan.io
- LeakedIn – http://www.leakedin.com