What Is It?<\/h3>\n\n\n\n
As the name suggests, Microsoft\u2019s built-in Remote Desktop Protocol (RDP) allows for remote access over a network connection from one computer to another.<\/p>\n\n\n\n
It works by opening a dedicated channel on the default RDP listening port (3389) over which data packets \u2013 including keystrokes, mouse movement, and desktop display \u2013 are sent, via Transmission Control Protocol and Internet Protocol (TCP\/IP).<\/p>\n\n\n\n
With a successful RDP connection, comes full access to the remote device, including its files, network, and servers; and this access grants the user complete remote control. Handy! …or dangerous? We\u2019ll get to that.<\/p>\n\n\n\n
History<\/h3>\n\n\n\n
It\u2019s been around since the mid-90s, created by software company Citrix<\/a> and eventually introduced in 1998 as \u2018Terminal Services\u2019 in Windows NT 4.0 Terminal Server Edition<\/a>, with the purpose of giving non-Windows and terminal users the ease of use and benefits of Windows; previously unavailable Windows-based applications could be displayed and interacted with on remote clients following execution on a server.<\/p>\n\n\n\n Its original goal of providing powerful capabilities to less capable computers still stands today, however common use-cases have expanded to include:<\/p>\n\n\n\n \u2022 System administrators providing all manner of assistance and maintenance to less tech-savvy staff from the comfort of their ergonomic desk chairs.<\/p>\n\n\n\n \u2022 Employees accessing corporate devices remotely while away from the office, be that due to traveling or \u2013 the more likely scenario in light of the ongoing pandemic \u2013 Working From Home (WFH).<\/p>\n\n\n\n The second scenario has become the more prominent use for RDP, with forced WFH leading to the normalization of teleworking.<\/p>\n\n\n\n There\u2019s no arguing that RDP is pretty handy at the very least, and remarkably powerful at best. But as a wise man (a.k.a. Uncle Ben from Spiderman) once said: \u201cWith great power comes great responsibility.\u201d<\/p>\n\n\n\n In other words, if you\u2019re allowing employees to remotely access company devices via RDP, you\u2019re going to have to put a lot more thought into the cyber security measures in place within your organization.<\/p>\n\n\n\n The reason being, RDP is the single most common attack vector used by cyber criminals<\/a> to gain access to the target system, prior to launching the attack; a fact that\u2019s particularly true for ransomware actors.<\/p>\n\n\n\n Why is it such a popular choice of vehicle?<\/p>\n\n\n\n Prior to the \u2018big reveal\u2019 (i.e., the moment a successful attacker lets you know that they\u2019ve encrypted all your files and now own your soul), stealth is number one on the cyber criminal\u2019s priority list.<\/p>\n\n\n\n The longer they can remain undetected on the target system, the more they can accomplish \u2013 and unfortunately, the worse it\u2019s going to be for you.<\/p>\n\n\n\n RDP provides native access to another device: allowing attackers to \u2018live off the land\u2019. In other words, they can utilize anything built into that device\u2019s OS (e.g., PowerShell, Command Prompt, Registry Editor, etc.) to accomplish their goal\/s on the target system.<\/p>\n\n\n\n Ease of use also comes into play here. RDP provides the remote user (i.e., the hacker) an exceptionally easy method by which to navigate a computer: a user interface, eliminating the need to work through tools such as PowerShell to perform malicious actions.<\/p>\n\n\n\n It’s for these reasons that RDP is a hacker\u2019s best friend: it provides the ability to remain undercover, move around the remote device with the utmost ease, and establish a very secure foothold from which to launch the attack.<\/p>\n\n\n\n Although RDP is built-in to the Windows operating system, its default settings are far from safe and are notoriously arduous to configure securely. Several vulnerabilities also exist that allow for its exploitation on unpatched Windows systems \u2013 the most severe of these known as \u2018BlueKeep\u2019 (CVE-2019-0708<\/a>).<\/p>\n\n\n\n The wormable (i.e., self-replicating) remote code execution vulnerability allows the attacker to execute arbitrary code on the target system after sending a specially constructed request to Remote Desktop Services (RDS) via RDP \u2013 without the need for authentication.<\/p>\n\n\n\n No user interaction is required to exploit this vulnerability; if you\u2019re got unpatched Windows systems with RDP enabled, you\u2019re ripe for the exploiting in the eyes of cyber criminals looking for an easy ride.<\/p>\n\n\n\n The most prominent reason attributed to RDP\u2019s popularity as an attack vector is how readily available it is.<\/p>\n\n\n\n When enabled, RDP listens by default on TCP port 3389, accepting packets based on its configuration and other security measures in place. An exposed port is one that accepts packets from the internet.<\/p>\n\n\n\n The COVID-19 pandemic saw a\u00a0huge jump in exposed RDP ports<\/a>\u00a0in the first three months of 2020 and the numbers have continued to climb over the past year and half. A simple search on\u00a0Shodan\u00a0at around 6pm last night revealed 4,833,6671 exposed default RDP ports, up from 3.5 million in January 2020. By this morning, that number had increased by 31,393.<\/p>\n\n\n\n Yes, you read that right: more than thirty thousand RDP ports we\u2019re opened around the world, listening on TCP port 3389 \u2013 exposed to the internet \u2013 overnight.<\/p>\n\n\n\n By the time you\u2019ve read this, I\u2019d put money on that number having jumped another few hundred thousand. Heck, at the rate we\u2019re going, it might have cracked the 5 million mark! (Not a feat to be celebrated\u2026).<\/p>\n\n\n\n Leaving your ports exposed to the net can be equated to handing a cyber criminal one of your corporate PCs and inviting them to have a crack at getting into it. Sure, it\u2019s password protected, lockout enabled etc., but the thought of an ill-intentioned hacker being that up close and personal \u2013 within a hair\u2019s breadth of your files, network, and servers \u2013 is enough to make any executive cringe.<\/p>\n\n\n\n But that\u2019s essentially the same threat posed by RDP: anyone can scan for port 3389, see what IP addresses they hit, and go for it, which explains why it\u2019s such a desirable and widely used attack vector.<\/p>\n\n\n\n RDP\u2019s accessibility is furthered by dedicated websites that exist solely for the purpose of selling valid RDP credentials \u2013 for as little as $3 USD (how\u2019s that for cheap and nasty!). The already easy job of gaining a foothold via RDP becomes even easier, with the steppingstone of brute forcing credentials now removed.<\/p>\n\n\n\n In order to use RDP as the attack vehicle, bad actors first need to authenticate to establish the remote connection (unless they\u2019ve exploited a pre-authentication CVE, such as BlueKeep). This requires valid credentials.<\/p>\n\n\n\nCommon Use Cases<\/h3>\n\n\n\n
The Dangers<\/h2>\n\n\n\n
It\u2019s an Attractive Target<\/h3>\n\n\n\n
It has Known Security Issues & Vulnerabilities<\/h3>\n\n\n\n
It\u2019s Very Accessible<\/h3>\n\n\n\n
It\u2019s Dangerously Cheap<\/h3>\n\n\n\n
Access & Attack Overview<\/h2>\n\n\n\n
![\"\"\/](\"https:\/\/www.adminbyrequest.com\/Images\/Blogs\/Picture1.png\")
<\/figure>\n\n\n\n