More employees are working remotely due to the current coronavirus outbreak. Despite being a salvation for many businesses, remote work also brings some cybersecurity challenges.
According to Shodan research, the search engine for IoT devices, IT departments globally are exposing their companies to risk due to remote work, and unsafe implementation of RDP (Remote Desktop Protocol).
“The Remote Desktop Protocol (RDP) is a common way for Windows users to remotely manage their workstation or server. However, it has a history of security issues and generally shouldn’t be publicly accessible without any other protections (ex. firewall whitelist, 2FA),” say Shodan researchers.
It appears that the number of devices exposing RDP to the Internet has increased significantly over the past month, with a growth of 41.5%. Undoubtedly, this growth is tied to the Coronavirus (Covid-19) situation.
According to Shodan’s statistics, the number of RDP instances went up after the initial Microsoft bulletin on Bluekeep in May 2019. Then, the number dropped significantly in August once the so-called DejaBlue vulnerabilities were revealed, impacting newer versions of RDP.
A common tactic we’ve seen in the past by IT departments is to put an insecure service on a non-standard port, also known as security by obscurity. The numbers show very similar growth (36.8%) to that seen for the standard port (3389). In addition, 8% of the results in Shodan’s research remain vulnerable to BlueKeep (CVE-2019-0708).
Risks Stemming from Remote Desktop Work
Remote Desktops Exposed on the Internet
By default, only administrator-level users can log into RDS. Nonetheless, if Remote Desktop is exposed to the internet, suspicious users may attempt connections, opening the door to brute-force attacks.
Man-in-the Middle Attacks (MiTM)
Remote Desktop encrypts data between client and server, but it doesn’t authenticate or verify the identity of the Terminal Server, leaving communications open to interception by malicious actors. If a threat actor is able to insert themselves into the connection between client and Terminal Server via ARP (Address Resolution Protocol) spoofing or DNS (Domain Name System) spoofing, this could lead to a MiTM attack.
In an environment using mixed or earlier-version clients, it should be noted that the encryption setting is typically “Client Compatible.” This can default to weak encryption, making it easier to decrypt sensitive information.
Denial of Service (Network Level Authentication)
Some Terminal Servers do not have Network Level Authentication (NLA) configured, leaving a gap in the defense against Denial of Service attacks. Without forcing a client computer to provide user credentials for authentication before the server creates a session for that user, malicious users can make repeated connections to the service, preventing other users from legitimately using it.
How to Improve Security of Remote Desktop during the Coronavirus Outbreak
Limiting RDP Users
Due to the coronavirus, this precaution may not be as feasible as in normal situations. However, businesses can limit who has login access as well as who can add or remove accounts from the user group. This process should be monitored and restricted to avoid any incidents.
Using a Virtual Private Network (VPN)
Using a VPN connection can add an extra layer of security to the system. A VPN requires that a connection be made to the secure private network before one is made to your server. That secure private network is encrypted and hosted outside of your server. Any connection attempts made from outside IP addresses will be rejected.
Using a Remote Desktop Gateway
RDP gateways remove remote user access to your system and replace it with a point-to-point remote desktop connection. This means users navigate to a login page requiring credentials where they can connect to the network via a firewall. When paired with a VPN, this enhances security even further.
Cybersecurity researchers also recommend the use of Transport Layer Security (TLS) authentication, high-level encryption, and Network Level Authentication.
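The following PowerShell script is an added example, not part of the article or of Shodan’s research: it audits the local RDP listener for the settings discussed above (the “Client Compatible” encryption level, Network Level Authentication, and the TLS security layer). The registry path and value names are the standard RDP-Tcp listener settings on Windows; the pass/fail thresholds are this example’s own assumptions.

```powershell
# Added example: audit local RDP listener hardening (NLA, TLS security layer, encryption level).
# Registry locations are the standard Windows RDP-Tcp listener keys; thresholds below are assumptions.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpSetting {
    # Read a single registry value, returning $Default when it is absent.
    param([string]$Path, [string]$Name, $Default = $null)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $Default }
}

# Human-readable names for the numeric settings.
$encryptionNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS' }
$securityNames   = @{ 0 = 'RDP (legacy)'; 1 = 'Negotiate'; 2 = 'TLS' }

$rdpDisabled = Get-RdpSetting $tsRoot   'fDenyTSConnections' 1   # 1 = Remote Desktop disabled
$nla         = Get-RdpSetting $listener 'UserAuthentication'  0   # 1 = NLA required
$secLayer    = Get-RdpSetting $listener 'SecurityLayer'       0   # 2 = TLS
$minEnc      = Get-RdpSetting $listener 'MinEncryptionLevel'  2   # 3 = High, 4 = FIPS
$port        = Get-RdpSetting $listener 'PortNumber'          3389

$findings = @()
if ($rdpDisabled -eq 1) {
    $findings += 'OK   : Remote Desktop connections are disabled on this host.'
} else {
    $findings += "INFO : Remote Desktop is enabled and listening on TCP port $port."
    if ($port -ne 3389) {
        $findings += 'NOTE : A non-standard port is obscurity, not protection; keep the other controls in place.'
    }
    if ($nla -ne 1) { $findings += 'FAIL : Network Level Authentication is not required (UserAuthentication=0).' }
    else            { $findings += 'OK   : NLA is required before a session is created.' }

    $secName = $securityNames[[int]$secLayer]
    if ($secLayer -ne 2) { $findings += "FAIL : Security layer is '$secName'; TLS (2) is recommended." }
    else                 { $findings += 'OK   : TLS security layer is in use.' }

    $encName = $encryptionNames[[int]$minEnc]
    if ($minEnc -lt 3) { $findings += "FAIL : Encryption level is '$encName'; High (3) or FIPS (4) is recommended." }
    else               { $findings += "OK   : Encryption level is '$encName'." }
}

$findings | ForEach-Object { Write-Output $_ }
```

Group Policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services take precedence over the listener keys read here, so a host managed by policy should be checked against that key as well.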