FBI warns about Remote Desktop Protocol vulnerability; Bromium provides comments on how to avoid RDP
As you might have seen late last week in several security publications, the FBI's Internet Crime Complaint Center (IC3) is warning companies and government agencies about the dangers of leaving Remote Desktop Protocol (RDP) endpoints exposed online.
"Allowing Remote Desktop Protocol (RDP) servers to be directly accessible from the public internet is a terrible idea. The RDP service exposes a very broad attack surface that over the years has been subject to a number of serious vulnerabilities, and is surely harboring more.
Even absent vulnerabilities in the RDP service itself, most RDP servers are configured to allow login using just a username and password. This places a huge burden on users to pick strong passwords that cannot be guessed, something that users are rarely able to do. Since password reuse is unfortunately quite common practice, even if a user's password has good complexity it may be guessable as a result of a breach at some other organization or web site. Certainly it is desirable to enable features to limit the ability of attackers to have many attempts to guess passwords, but this may come at the expense of legitimate users being locked out as a result of password hammering attempts by attackers.
Enabling some kind of second factor to log in to the RDP server is desirable. This could be limiting access to a defined set of source IP addresses where users are expected to connect from. Requiring smart card login or using Azure AD's two-factor authentication with a mobile app would help too.
Once attackers have managed to compromise a user account on an RDP server, it is relatively easy for them to get long-term persistence. One approach might be to put something in the user's profile that runs whenever the user logs in (legitimately or otherwise) and establishes communication with a C&C server. Alternatively, local privilege escalation vulnerabilities are commonplace and could be exploited to get administrator access on the local system, from where it might be possible to harvest credentials of more privileged domain users.
One interesting approach that has been used by attackers to get persistence is to tamper with Windows' accessibility features (intended to help users with disabilities), which are active even on the login screen. It is possible to interfere with the accessibility system such that if the "sticky keys" feature is invoked by pressing the shift key five times an administrator cmd shell will appear over the top of the login dialogue of the RDP session, providing password-less administrator access!
Reducing the attack surface can be done in a number of ways. In some situations, using Microsoft's Network Level Authentication feature is useful to avoid exposing the login screen, but in the kinds of situations where remote access is required this may not be possible.
By far the best approach is to avoid exposing RDP servers directly to the public internet at all, and to put them behind a VPN. Ideally, connecting to the VPN would require more than just a user name and password, perhaps a known source IP or a certificate installed on the connecting machine. For extra security the private key for the certificate could be stored in the Trusted Platform Module (TPM) or a smart card so that it couldn't be removed from the client machine and used elsewhere."
Ian Pratt, co-founder and president of Bromium.
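The points above translate into a handful of concrete checks a defender can run on an RDP host: whether Network Level Authentication is on, whether the accessibility binaries (Sticky Keys and its siblings) have been hijacked through an Image File Execution Options "Debugger" entry or replaced outright, whether the inbound RDP firewall rule is scoped to known source addresses, and whether an account lockout threshold exists at all. The following PowerShell audit script is an added example, not code from the article or from Bromium; the registry paths and cmdlets are the standard Windows ones, the list of accessibility binaries beyond sethc.exe is an assumption based on the same login-screen mechanism, and the script only reads state, it changes nothing.

```powershell
# Added example (not from the article or Bromium): read-only audit of an RDP
# host for the weaknesses discussed above. Run from an elevated PowerShell
# session on the host being checked.

$findings = @()

# 1. Network Level Authentication. UserAuthentication = 1 means the client must
#    authenticate (CredSSP) before the login screen is ever rendered.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -ne 1) {
    $findings += 'NLA is disabled: the RDP login screen is reachable before authentication.'
}

# 2. Accessibility-feature backdoor. Two variants are checked: an IFEO "Debugger"
#    value that redirects the binary to another program, and the binary itself
#    having been swapped for a copy of cmd.exe or otherwise modified. sethc.exe is
#    Sticky Keys (the case in the text); the other names are an assumption, they
#    are the remaining binaries launchable from the login screen.
$accessibilityBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe'
$cmdHash = (Get-FileHash -Path (Join-Path $env:SystemRoot 'System32\cmd.exe') -Algorithm SHA256).Hash

foreach ($bin in $accessibilityBinaries) {
    $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$bin"
    $dbg = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += "IFEO Debugger is set for ${bin}: '$dbg' will run in its place."
    }

    $path = Join-Path $env:SystemRoot "System32\$bin"
    if (Test-Path $path) {
        # A stock Windows binary carries a valid Microsoft signature; a replaced
        # or patched file will not.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "$bin Authenticode status is '$($sig.Status)' (expected Valid)."
        }
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($hash -eq $cmdHash) {
            $findings += "$bin is byte-identical to cmd.exe."
        }
    }
}

# 3. Firewall scope. The built-in "Remote Desktop" rule group accepts any remote
#    address by default; a restricted source-IP set is the text's first
#    suggested second factor.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue
foreach ($rule in $rdpRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings += "Firewall rule '$($rule.DisplayName)' accepts RDP from any source address."
    }
}

# 4. Lockout policy. 'net accounts' reports "Lockout threshold: Never" when
#    guesses are unlimited; the text notes the trade-off with lockout-based DoS.
$lockoutLine = (net accounts) | Select-String 'Lockout threshold'
if ($lockoutLine -match 'Never') {
    $findings += 'No account lockout threshold: unlimited password guesses are allowed.'
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

A clean result from this script does not make a public-facing RDP server acceptable; it only confirms that the specific misconfigurations named in the text are absent. The signature and hash checks in step 2 are deliberately independent: a signature failure catches a patched or foreign binary, while the hash comparison catches the common case of sethc.exe being overwritten with the unmodified, still validly signed cmd.exe.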