Threat actors are always looking for a way in, so what could be considered a compliance issue can easily, and quickly, devolve into compromise. In this case, the attacker managed to successfully carry out reconnaissance and open external communication all through their initial access to the RDP port. When unnecessary services are left open to the Internet, compromise is inevitable – it is simply a matter of time. Prior to the events described above, Darktrace had observed incoming connections on RDP and SQL from a large variety of rare external endpoints, suggesting that the server had been probed many times before. RDP vulnerability: Dangers of exposed servers As a result, the threat was neutralized before the attacker could achieve their objectives, which may have included crypto-mining, deploying ransomware, or exfiltrating sensitive data. Darktrace’s cyber experts quickly determined the scope and nature of the compromise using the AI and began the remediation process. The organization’s own internal services were unavailable, so they reached out to Darktrace’s 24/7 Ask the Expert service.
Microsoft remote desktop protocol windows#
The attacker then attempted lateral movement via SMB service control pipes and PsExec to five devices within the breach device’s subnet, which were likely identified during the network scan.īy using native Windows admin tools (PsExec, WMI, and svcctl) for lateral movement, the attacker managed to ‘live off the land’, evading detection from the rest of the security stack. Given that the device was subject to a large volume of external RDP connections, it is likely the attacker brute-forced their way in, though they could have used an exploit or bought credentials off the Dark Web.Īs incoming connections on port 3389 to this service were commonplace and expected as part of normal business, the connection was not flagged by any other security tool.įigure 3: A device makes an anomalous RDP connection to a rare external host Lateral movement In other words, the port was configured to accept network packets.ĭarktrace detected a successful incoming RDP connection from a rare external endpoint, which utilized a suspicious authentication cookie. In this real-world attack, the target organization had around 7,500 devices active, one of which was an Internet-facing server with TCP port 3389 – the default port for RDP – open.
Breakdown of an RDP compromise Initial intrusion According to the UK’s National Cyber Security Centre, RDP is now the single most common attack vector used by cyber-criminals – particularly ransomware gangs. This led to a dramatic spike in successful server-side attacks. RDP usage surged as companies adapted to teleworking conditions, and it became almost impossible for traditional security tools to distinguish between the daily legitimate application of RDP and its exploitation. In the months following the COVID-19 outbreak, the number of exposed RDP endpoints increased by 127%. For less than $5, an attacker can purchase direct access to their target organization.
Selling RDP access is a booming industry because it provides immediate entry into an organization, removing the need to design a phishing email, develop malware, or manually search for zero-days and open ports. xDedic, one of the most notorious crime forums which once boasted over 80,000 hacked servers for sale, was finally shut down by the FBI and Europol in 2019, five years after it had been founded. ‘RDP shops’ selling credentials on the Dark Web have been around for years. Since it gives the user complete control over the device, it is a valuable entry point for threat actors. Remote Desktop Protocol (RDP) is a Microsoft protocol which enables administrators to access desktop computers. With the shift to remote working, IT teams have relied on remote access tools to manage corporate devices and keep the show running. This blog will unpack the attack and the dangers of open RDP ports. By Sunday, all the organization’s internal services had become unusable. Late on a Saturday evening, a physical security company in the US was targeted by an attack after cyber-criminals exploited an exposed RDP server. Oakley Cox, Principal ICS Analyst | Tuesday August 17, 2021
0 kommentar(er)
