Ransomware attacks are increasingly using the Remote Desktop Protocol (RDP) as the initial entry vector, taking advantage of the fact that many enterprises struggle to balance the risk of exposing RDP against the convenience of being able to reach machines in multiple locations.
The Institute for Critical Infrastructure and Technology highlighted the growing use of ransomware and other types of “disruptionware” in 2019 against critical infrastructure and industrial networks. Adversaries targeting operational technology (OT) environments with attacks that are designed to disrupt business operations pose “an existential threat to critical infrastructure operators,” ICIT wrote in its paper.
ICIT suggested that the extensive use of remote desktop tools in OT networks may be one of the reasons why disruption campaigns are so successful. For many organizations, maintaining a dedicated staff at each location, or sending a technician to travel to each site to manually work on the systems, is “deemed too expensive compared to remote access,” ICIT noted. Adversaries get onto a machine via an exposed RDP port (TCP 3389 by default), then install malware or move laterally through the network to reach other systems.
During the course of a ransomware attack, the attackers may use the exposed RDP ports to continue causing more damage, the authors suggested in the paper.
“While the victim is deciding whether or not to pay the ransom, the adversary retains access to the system, allowing them to install backdoors, remote access Trojans, or other malware that can facilitate future attacks or provide access-as-a-service to other attackers,” ICIT wrote.
RDP as the First Step
ICIT was focused on the scenario where attackers can take advantage of exposed RDP ports during the course of a ransomware attack, but the reverse, where attackers use RDP as the first step, is also something enterprise defenders need to think about.
Ransomware in its early days focused predominantly on consumers and relied on phishing emails or malware exploiting software vulnerabilities to infect machines. Nowadays, as attackers focus more on corporate (and municipal) networks, RDP has become a popular initial entry vector, according to recent statistics from security company Coveware. In the first quarter of 2019, 63.5 percent of ransomware infections relied on RDP as their initial entry point, followed by phishing at 30 percent. A little over 6 percent of ransomware attacks exploited software vulnerabilities to get onto the target machines, Coveware said.
Dharma is one example of ransomware that uses RDP to get onto the machine. SamSam and CrySiS use RDP to move within the network and spread the infection to other systems. In the past year alone, there were three major attack scenarios that used RDP as the first step: an Iranian cyber-espionage group, a Chinese state-sponsored actor, and a healthcare ransomware extortion scheme.
"Once credentials are harvested the network can be surveilled, endpoint protection is sidestepped, backups are wiped/encrypted, and, finally, primary servers are encrypted," Coveware wrote.
The wave of ransomware attacks which hit 22 networks in Texas is believed to have originated with a managed service provider (MSP). Many MSPs use remote desktop to manage customer networks and systems.
Attackers may be brute-forcing weak (or missing) passwords for RDP accounts using a list of common credentials, or taking advantage of a vulnerability in the protocol. ICIT noted that despite repeated warnings and reminders, over 800,000 systems worldwide remained unpatched for the BlueKeep vulnerability (CVE-2019-0708), of which over 100,000 were in the United States. Attackers may also simply be buying RDP credentials from criminal marketplaces, Coveware suggested.
"We have to recognise that in many cases victims are targeted merely due to the cybercrime ecosystem," Coveware said. The victim is selected simply because its RDP credential is the one the attacker happened to buy.
Security company Vectra recently looked at telemetry from its Cognito threat detection and response platform and found that RDP attacks have been on the rise over the past 18 months. Vectra found that manufacturing (20%), finance (16%) and retail (14%) were the top three most-attacked industries, followed by government (12%), healthcare (10%) and services (8%). The company also connected the RDP attacks to ransomware.
Enterprises should block inbound TCP port 3389 at the perimeter wherever possible, and where RDP is genuinely needed, put the host behind a firewall so that it is reachable only from trusted networks. There is no reason for RDP to be reachable from the broader Internet. RDP logons should also be logged and monitored, since an unusual pattern of RDP sessions is one way to tell that an attacker is moving through the network.
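The monitoring recommended above, and the brute-force entry described earlier, both leave a footprint in Windows logon events: failed RDP logons (event 4625, logon type 10) piling up from one source, a success from that same source right after the failures, and one account then opening RDP sessions to several internal hosts in quick succession. The following is an added example, not code from the article, ICIT, Coveware or Vectra; the events it runs over are constructed for the example (the IPs, host names and timestamps are made up), and the thresholds and the simplified CSV-like event format are assumptions rather than any product's defaults.

```python
"""Spot RDP brute force and RDP lateral movement in Windows logon events.

The events below are constructed for this example, not real telemetry.
Fields: timestamp, event ID, logon type, account, source IP, target host.
Event 4625 = failed logon, 4624 = successful logon; logon type 10 =
RemoteInteractive, which is what an RDP session produces.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an external host guesses the admin password on
# FILESRV01, then the same account pivots from an internal host to three
# more servers. The last line is a network (type 3) logon and is ignored.
SAMPLE_EVENTS = """\
2019-09-01T02:00:01Z,4625,10,Administrator,198.51.100.23,FILESRV01
2019-09-01T02:00:04Z,4625,10,Administrator,198.51.100.23,FILESRV01
2019-09-01T02:00:07Z,4625,10,Administrator,198.51.100.23,FILESRV01
2019-09-01T02:00:10Z,4625,10,Administrator,198.51.100.23,FILESRV01
2019-09-01T02:00:13Z,4625,10,Administrator,198.51.100.23,FILESRV01
2019-09-01T02:00:16Z,4625,10,Administrator,198.51.100.23,FILESRV01
2019-09-01T02:00:19Z,4624,10,Administrator,198.51.100.23,FILESRV01
2019-09-01T02:05:00Z,4625,10,jdoe,203.0.113.9,FILESRV01
2019-09-01T02:30:00Z,4624,10,Administrator,10.0.0.15,DC01
2019-09-01T02:41:00Z,4624,10,Administrator,10.0.0.15,BACKUP01
2019-09-01T02:55:00Z,4624,10,Administrator,10.0.0.15,APP02
2019-09-01T08:00:00Z,4624,10,jdoe,10.0.0.50,APP02
2019-09-01T08:10:00Z,4624,3,svc_backup,10.0.0.15,DC01
"""

RDP_LOGON_TYPE = 10


def parse_events(text):
    """Parse the constructed CSV-like log into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, event_id, logon_type, account, src, host = line.strip().split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account.lower(),
            "src": src,
            "host": host,
        })
    return sorted(events, key=lambda e: e["ts"])


def rdp_events(events, event_id):
    """Only RDP (logon type 10) events with the given event ID."""
    return [e for e in events
            if e["event_id"] == event_id and e["logon_type"] == RDP_LOGON_TYPE]


def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with >= threshold failed RDP logons inside any sliding window.

    Returns {source_ip: peak failures seen in one window}.
    """
    failures = defaultdict(list)
    for e in rdp_events(events, 4625):
        failures[e["src"]].append(e["ts"])
    hits = {}
    for src, times in failures.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def success_after_failures(events, min_failures=5, window=timedelta(minutes=10)):
    """Successful RDP logons preceded by >= min_failures failures from the same
    source: the moment a guessed password worked. Returns (src, account, host)."""
    failures = rdp_events(events, 4625)
    flagged = []
    for ok in rdp_events(events, 4624):
        recent = [f for f in failures
                  if f["src"] == ok["src"] and ok["ts"] - window <= f["ts"] < ok["ts"]]
        if len(recent) >= min_failures:
            flagged.append((ok["src"], ok["account"], ok["host"]))
    return flagged


def lateral_movement(events, min_hosts=3, window=timedelta(hours=1)):
    """(account, source) pairs that opened RDP sessions to >= min_hosts distinct
    hosts inside `window`. Returns {(account, src): sorted hosts}."""
    sessions = defaultdict(list)
    for e in rdp_events(events, 4624):
        sessions[(e["account"], e["src"])].append((e["ts"], e["host"]))
    hits = {}
    for key, items in sessions.items():
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts and len(hosts) > len(hits.get(key, [])):
                hits[key] = sorted(hosts)
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("brute force sources:", brute_force_sources(evs))
    print("guessed credentials:", success_after_failures(evs))
    print("lateral movement:", lateral_movement(evs))
```

On a real estate the inputs would come from the Security log (event IDs 4624/4625) or from a SIEM; the thresholds here are deliberately low so the constructed sample trips them, and a production version would tune them against the organisation's own baseline of legitimate administrative RDP use, which is exactly why the article stresses understanding how RDP is normally used.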
“Cyber criminals know that RDP is an easy-to-access administrative tool that allows them to stay hidden while carrying out an attack,” said Chris Morales, Vectra’s head of security analytics. Security teams need to understand how RDP is used in their own networks, because attackers use it to perform internal reconnaissance and move laterally in an attempt to identify and access systems with sensitive data.