Many IT services providers use a remote desktop support solution to help manage their customers’ computers. Remote support connections are often done via the remote desktop protocol (RDP). However, security experts warn that RDP leaves a listening port open on the target machine, which would-be attackers could exploit. The truth is RDP vulnerabilities aren’t the only things you need to be concerned about. Weak password protection on the remote connection can make it easy for cybercriminals to break into the session and gain access to everything on a user’s computer. What’s more, sometimes human error leaves the door wide open for the bad guys to get in.
If you’re serious about your customers’ cybersecurity—and you absolutely should be if you want to keep their business—then you need to find a remote support solution that takes security just as seriously.
What type of attack is RDP vulnerable to?
Let’s look at some of the different types of cyberattacks a cybercriminal can execute via a remote access vector using RDP. The proprietary protocol developed by Microsoft provides access to a client from a server via encrypted TCP traffic. Poorly secured RDP gives hackers a potential entry point into enterprise networks. Hackers are well aware of the extensive use of RDP within organizations and target it as a method to proliferate their attacks.
RDP sessions are susceptible to man-in-the middle attacks where the hacker intercepts all communications sent between a client and a terminal server using Address Resolution Protocol (ARP) spoofing or Domain Name System (DNS) spoofing. They can use this to spread ransomware or implant arbitrary executables within organizations.
RDP sessions are also prone to in-memory credential harvesting. Capturing and selling RDP credentials on the Dark Web has been lucrative for a lot of hackers. xDedic was a notorious online marketplace where cybercriminals would buy and sell access to hacked servers, as was revealed in a Kaspersky report published in June 2016. The report warned that 250,000 credentials for RDP servers around the world appeared to be for sale for as little as $6 each. The site went underground and continued to operate until 2019 when it was shut down in a joint effort by the FBI and several European countries authorities.
DENIAL OF SERVICE
Hackers can also use a brute-force attack to gain access to RDP credentials. During an attack, a malicious actor will scan a range of IP addresses, look for open ports used by RDP, and use a brute-force method, such as a dictionary attack, to attempt to determine the password. This brute-force attack may serve as a denial of service (DoS) against the operating system’s memory or storage, disrupting its normal function, and preventing other users from accessing it.
What else could go wrong?
Even if you’re not using an RDP-based remote desktop solution, as with any piece of software, bugs or insider threats may arise sooner or later. Some are malicious, some are accidental, but either way they can do serious damage.
A researcher at SafeBreach in 2019 discovered a critical security exploit in the TeamViewer admin permissions. Cybercriminals could have used it to load and execute malicious payloads in a persistent way, each time the service loaded.
WEAK PASSWORD PROTECTION
In the absence of a multifactor authentication mechanism, a hacker is free to guess a user’s password. If passwords are weak or reused—by technicians or employees—across several accounts, the breach becomes easier for a motivated hacker with access to compromised credentials from past data breaches.
SOCIAL ENGINEERING VIA REMOTE ACCESS
It can still be easy to fall for scams in this day and age. In a recent Reddit thread, a user detailed how someone allegedly from China asked him to remotely use his computer in exchange for payment, probably looking for a fall guy to scam others. In this case, the attack vector would have been used with the computer owner’s consent, exploiting his weakness at the prospect of making easy money.
Choosing the right remote desktop access tool
As businesses increasingly expect their services providers to keep them secure, it’s important to make sure the tools you use are up to the challenge.
The integration between SolarWinds® Take Control and Passportal is designed to sidestep the vulnerabilities mentioned above and help you remain secure in harsh environments.
Secure Access: Take Control uses advanced encryption protocols and a separate viewer and agent for remote connections. Instead of a direct connection between two machines, this routes traffic through an intermediary that’s much harder for hackers to penetrate.
Control user permissions: Take Control applies the principle of least privilege, by allowing assigned techs to have access to specific accounts only, mitigating the risk of insider attacks.
Protect logins: Any solution worth its salt must include two-factor authentication (2FA). Take Control offers authentication apps for 2FA including Google Authenticator, Duo Mobile, Authy, and Microsoft Authenticator. These apps increase security by preventing SMS message interception from cybercriminals or from those who gain access to email accounts.
Secure password protection: Take Control includes Passportal, an integrated password manager that injects credentials into a system without the technician ever seeing them. The integration between Take Control and Passportal helps save technicians’ time, gain efficiency in the remote connection process, and increase security. To learn more about this integration, download our feature sheet.
Start a free trial of SolarWinds Take Control Plus today.
Marilena Levy is product marketing manager, SolarWinds MSP