A new report by the Center for Internet Security says that organizations, including state and local governments, should double-check their implementation of Microsoft’s Remote Desktop Protocol, which remains one of the favorite targets of ransomware actors and other cybercriminals, especially as the work-from-home era continues.
Many organizations use RDP servers, a standard feature of Microsoft Windows that is also implemented on other operating systems, to allow employees to connect to their networks. And while there are several steps that can be taken to use RDP securely, millions of devices leave their RDP service (TCP port 3389 by default) exposed on the open internet, according to CIS.
“Open-source intelligence tells us that over 3.5 million internet-connected devices have RDP open publicly,” reads the report from the nonprofit, which runs the Multi-State Information Sharing and Analysis Center and its sibling ISAC for elections. “To clarify, that does not mean that all of those devices are actively being exploited; however, it does mean that the surface area is vast for attackers.”
According to the MS-ISAC, RDP remains one of the “top attacked protocols,” especially for credential-stealing trojans like Emotet and Trickbot, which are frequently used as delivery mechanisms for ransomware attacks. But the CIS report acknowledges that simply switching off the remote protocol is a drastic and unrealistic solution, especially as many workforces stay remote while the COVID-19 pandemic endures. Rather, the report recommends that organizations that use RDP make sure they’re implementing CIS’s recommendations for a secure remote environment.
“A more appropriate approach to this problem is for organizations that use RDP to use it securely,” it reads. “Just like a piece of wood can be used to build a home, it can also be used as a dangerous weapon, and the same concept applies here.”
Among the recommendations are placing RDP-enabled systems behind a virtual private network, enforcing stronger passwords and limiting the amount of time sessions can sit idle before being automatically logged out. Many of these steps, the report states, can be achieved at little or no additional cost to organizations, especially if they’re using Remote Desktop Protocol as a cheaper alternative to more elaborate remote environments.
And Curtis Dukes, CIS’s executive vice president and general manager for best practices, said that many organizations may simply not know how to properly configure remote systems.
“It’s not necessarily a vulnerability with the protocol itself,” he told StateScoop. “People don’t configure it correctly. [RDP] is an access vector being used by adversaries and with some simple configuration guidance, you can still use it for your workforce but reduce and limit that as an access vector.”
Along with familiar identity management steps like stronger passwords and two-factor authentication, Dukes said organizations can further limit access to their remote environment by tying individual accounts to IP addresses associated with actual endpoint devices, or only allowing users to log in through specific ports.
Dukes also said that software that uses RDP needs to be patched regularly. “If you’ve got missing patches, you’re basically allowing the adversary to quicken the attack,” he said.
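The hardening points above (network-level access restrictions, session idle limits, account-level controls and patch hygiene) map onto a handful of Windows settings that an administrator can audit from PowerShell. The script below is an added example written for this page; it is not code from the CIS report or from StateScoop, and the values it enforces are assumptions: a hypothetical VPN or jump-host subnet of 10.20.0.0/24, a 15-minute idle limit and a lockout threshold of five failed logons. It reports drift from those settings and, with `-Fix`, applies them. Run it elevated on the RDP host.

```powershell
# Added example: audit (and optionally correct) a Windows host's RDP exposure.
# Assumptions (hypothetical): VPN/jump-host subnet 10.20.0.0/24, 15-minute idle
# limit, lockout after 5 failures. Run as Administrator.
[CmdletBinding()]
param(
    [switch]$Fix,
    [string[]]$AllowedSources = @('10.20.0.0/24'),   # assumed VPN subnet
    [int]$IdleMinutes = 15,
    [int]$LockoutThreshold = 5
)

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = @()

# 1. Is RDP enabled at all? (fDenyTSConnections = 1 means the listener is off)
if ((Get-RegValue $ts 'fDenyTSConnections') -eq 1) {
    Write-Host 'RDP is disabled on this host; nothing else to check.'
    return
}

# 2. Network Level Authentication: the client must authenticate before a
#    session is created, which removes unauthenticated pre-logon attack surface.
if ((Get-RegValue $tcp 'UserAuthentication') -ne 1) {
    $findings += 'Network Level Authentication is not required'
    if ($Fix) { Set-ItemProperty $tcp -Name UserAuthentication -Value 1 -Type DWord }
}

# 3. Security layer: 2 = TLS required rather than legacy RDP security.
if ((Get-RegValue $tcp 'SecurityLayer') -ne 2) {
    $findings += 'TLS security layer is not enforced'
    if ($Fix) { Set-ItemProperty $tcp -Name SecurityLayer -Value 2 -Type DWord }
}

# 4. Idle-session limit. The policy value is in milliseconds; 0 or absent = never.
$idleMs = $IdleMinutes * 60 * 1000
$cur = Get-RegValue $pol 'MaxIdleTime'
if (-not $cur -or $cur -eq 0 -or $cur -gt $idleMs) {
    $findings += "Idle session limit is '$cur' ms (want <= $idleMs)"
    if ($Fix) {
        if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
        Set-ItemProperty $pol -Name MaxIdleTime -Value $idleMs -Type DWord
    }
}

# 5. Firewall scope: the built-in "Remote Desktop" inbound rules should accept
#    only the VPN/jump-host range, never 'Any'. This is the "behind a VPN" and
#    "tie access to known addresses" advice expressed as a host rule.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound `
    -Enabled True -ErrorAction SilentlyContinue
foreach ($r in $rules) {
    $addr = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    if ($addr -contains 'Any') {
        $findings += "Firewall rule '$($r.DisplayName)' accepts RDP from Any"
        if ($Fix) { $r | Set-NetFirewallRule -RemoteAddress $AllowedSources }
    }
}

# 6. Account lockout, so password spraying against the RDP logon hits a wall.
$lockoutLine = (net accounts) | Select-String 'Lockout threshold'
if ("$lockoutLine" -match 'Never') {
    $findings += 'No account lockout threshold is set'
    if ($Fix) { net accounts /lockoutthreshold:$LockoutThreshold | Out-Null }
}

# 7. Patch freshness: a stale most-recent hotfix is a red flag, not a fix.
$last = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($last -and $last.InstalledOn -lt (Get-Date).AddDays(-45)) {
    $findings += "Newest hotfix $($last.HotFixID) was installed $($last.InstalledOn.ToShortDateString())"
}

if ($findings.Count -eq 0) { Write-Host 'RDP configuration passes all checks.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

The firewall and NLA checks are the ones that most directly shrink the "surface area" the report describes: scoping the inbound rule to a VPN range means an internet scanner never reaches the listener, and NLA means whatever does reach it must present valid credentials before any session resources are allocated. The idle-limit value lives under the policy key, so a domain GPO will override whatever the script writes locally; treat the local write as a stopgap until the policy is set centrally.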
He did credit Microsoft for frequently issuing security updates to RDP.
“This is a legitimate valued service that helps IT staff manage an increasingly remote workforce,” he said. “There just has to be more responsibility by the endpoint organization.”