With remote workplaces becoming the “new normal,” businesses and institutions are struggling to provide their employees with secure off-premise access to critical sensitive systems and data. Large corporations and even previously obscure government entities are turning to well-known open Internet applications (Zoom, MS Teams, Skype, etc.) to keep employees both technically and socially connected to the parent organization while they remain physically separated.
The solution chosen by each entity reflects the resources (i.e. budget) dedicated to proactive cybersecurity. With the sudden shift to remote access, some organizations have chosen to use built-in tools such as Microsoft’s Remote Desktop Protocol (RDP) or cross-platform tools such as NoMachine to open up internal resources to remote workers. These tools can be quickly deployed, are client friendly and can provide the same level of access as on-premise connections.
Tools typically come with encryption and configurable network parameters to “obscure” network activity from would-be attackers, leaving the user with a false sense of security. One has to spend only minutes on research to find the plethora of inherent vulnerabilities in Remote Desktop Applications. Specifically, the use of RDP in Microsoft’s cloud computing solution has provided a lucrative target for hackers who are especially interested in finding and exploiting RDP vulnerabilities. Naturally, it is important to keep RDP updated with the latest patches. Some major known vulnerabilities in earlier RDP versions include:
· In May 2019, a patch was released to fix a major vulnerability known as BlueKeep, which allowed for the possibility of remote code execution. According to Microsoft, the vulnerability was “wormable,” meaning it could be self-propagating, with the potential to cause widespread problems.
· Earlier versions such as 6.1 can reveal all the usernames and profile pictures of users on the RDP server.
· Very early versions left computers open to compromise by worms and unauthenticated clients, and to “man-in-the-middle” attacks.
· Version 5.2 is vulnerable to session eavesdropping and session hijacking.
Some additional research on the open Internet or the Dark Web reveals that much of the targeting and credential harvesting work has already been done for would-be criminals. Access to thousands of corporate and government systems can be purchased for as little as 10 USD. While alarming, there are some basic steps any organization can take to limit their exposure on the Internet. For example:
· Put RDP ports behind a firewall that can only be accessed using a VPN.
· Whitelist only specific trusted hosts.
· Follow strong password protocols, enable multi-factor authentication, and put in place lock-out policies to block brute force attacks.
· Do not allow administrator accounts to use RDP.
· Enable automatic updates for the client/server software you are using and disallow access by clients that have not been updated.
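As an added example (not part of the original article), the following Python script applies two of the controls above from the monitoring side: it flags source addresses that exceed a lock-out-style failure threshold against RDP, and successful RDP logons from hosts outside a trusted-host allowlist. The event records, the thresholds and the 10.8.0.0/24 VPN client pool are constructed assumptions.

```python
# Added example (not from the original article): flag RDP brute-force attempts
# and successful RDP logons from hosts outside an allowlist, using constructed
# events shaped like Windows Security log entries (4625 = failed logon,
# 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP).
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2020-06-01T08:00:01", 4625, 10, "admin", "203.0.113.7"),
    ("2020-06-01T08:00:03", 4625, 10, "admin", "203.0.113.7"),
    ("2020-06-01T08:00:05", 4625, 10, "administrator", "203.0.113.7"),
    ("2020-06-01T08:00:06", 4625, 10, "root", "203.0.113.7"),
    ("2020-06-01T08:00:09", 4625, 10, "admin", "203.0.113.7"),
    ("2020-06-01T08:15:00", 4625, 10, "jdoe", "10.8.0.12"),
    ("2020-06-01T08:15:20", 4624, 10, "jdoe", "10.8.0.12"),
    ("2020-06-01T09:00:00", 4624, 10, "svc_backup", "198.51.100.23"),
    ("2020-06-01T09:30:00", 4624, 3, "jdoe", "198.51.100.23"),  # network logon, not RDP
]

# Assumed trusted sources: only the VPN client pool (the firewall/VPN and trusted-host controls).
TRUSTED_NETS = [ip_network("10.8.0.0/24")]

def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return source IPs with at least `threshold` failed RDP logons inside `window`.
    Keyed on source address rather than account so that password spraying across
    many accounts (which a per-account lock-out policy misses) is also caught."""
    failures = defaultdict(list)
    for ts, event_id, logon_type, _account, src in events:
        if event_id == 4625 and logon_type == 10:
            failures[src].append(datetime.fromisoformat(ts))
    flagged = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged

def untrusted_rdp_logons(events, trusted=TRUSTED_NETS):
    """Return (account, source_ip) for successful RDP logons from outside the allowlist."""
    return [(acct, src) for _ts, eid, ltype, acct, src in events
            if eid == 4624 and ltype == 10
            and not any(ip_address(src) in net for net in trusted)]
```

Calling `brute_force_sources(SAMPLE_EVENTS)` and `untrusted_rdp_logons(SAMPLE_EVENTS)` on the constructed events flags the single spraying source and the one successful logon that did not arrive over the VPN pool.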