Tag: RDP

Windows RDP Servers Targeted In DDoS Attacks

Category: News


Windows RDP Servers Exploited for DDoS Attacks

Windows Remote Desktop Protocol (RDP) servers are being abused to carry out Distributed Denial of Service (DDoS) attacks. By default the RDP listener binds TCP 3389 and, for RDP's UDP transport, UDP 3389, and provides authenticated remote desktop access to Windows workstations and servers. It is the UDP listener that makes a host useful to a DDoS operator: an exposed RDP server answers a small, source-spoofed UDP request with a much larger response, so attackers can bounce traffic off it at a victim (reflection and amplification).

Hosts still on the default ports are trivial to enumerate on remote networks, including across the internet, which is how reflectors are found in the first place, and a host that is enumerated this way can just as easily become the target of DDoS traffic itself.

What is a Distributed Denial of Service (DDoS) attack?

Distributed denial-of-service attacks target websites and online services. The aim is to overwhelm the processes running on them with more traffic than the server or network can handle, causing an outage or a critical loss of service. Pinging a server from a single source will not cause a DDoS, but multiply that traffic several thousand times across many sources, as threat actors do, and severe loss of service can occur.

Rob Brown, Head of Customer Success, said, “Back in February 2020, last year, we learned a DDoS attack crippled Amazon Web Services. This has been recorded as the largest DDoS attack in history.”

How to Prevent RDP Attacks

No server with Remote Desktop Services running should be left on the default port, and we recommend changing it immediately. With Syxsense Secure, you can scan every device and easily identify which devices need to be corrected. Keep the limit of this measure in mind: a nonstandard port only hides the listener from the laziest scanners, since internet-wide scanners fingerprint the RDP handshake on any port, and it does nothing to stop reflection while the UDP listener is still reachable. The port change should go together with blocking UDP/3389 at the edge (or disabling RDP's UDP transport) and restricting inbound RDP to known management addresses.

The following PowerShell commands read the current port and then change it to another selected port; we recommend using a nonstandard port (33890 below is only a placeholder). The listener uses the same PortNumber value for TCP and UDP, and the change takes effect once Remote Desktop Services (TermService) is restarted.

If you are using Syxsense Manage or Syxsense Secure, you can deploy these PowerShell scripts right from the console.

# Read the port the RDP listener is configured for (3389 by default)
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'PortNumber'

# Change it; the DWORD is read on the next TermService start
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'PortNumber' -Value 33890 -Type DWord
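The port change on its own is not enough to take a host out of the reflector pool. The script below is an added example, not the post's own command or a Syxsense script: it moves the listener, forces RDP onto TCP only so the UDP listener goes away, scopes the firewall rule to a management subnet, restarts the service and then verifies what is actually bound. The port 33890, the subnet 10.0.50.0/24 and the Domain/Private profile choice are assumptions for the example; SelectTransport is the registry value written by the "Select RDP transport protocols" policy, where 1 means TCP only. Run it elevated on Windows 10 / Server 2016 or later, from a console session rather than over RDP, because the restart drops RDP sessions.

```powershell
# Added example (not from the original post): move RDP off 3389, disable its UDP
# transport, scope the firewall rule, restart the listener and verify the result.
# Placeholders (assumptions): $NewPort, $MgmtNet. Run as Administrator.

$NewPort   = 33890
$MgmtNet   = '10.0.50.0/24'
$ListenKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# 1. Record the current port so the change can be reverted if needed.
$OldPort = (Get-ItemProperty -Path $ListenKey -Name PortNumber).PortNumber
Write-Host "Current RDP port: $OldPort"

# 2. Change the listener port (DWORD). TCP and UDP listeners both read this value.
Set-ItemProperty -Path $ListenKey -Name PortNumber -Value $NewPort -Type DWord

# 3. TCP-only transport (SelectTransport = 1), so no UDP listener exists to reflect.
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name SelectTransport -Value 1 -Type DWord

# 4. Firewall: turn off the built-in "Remote Desktop" rules (TCP/UDP 3389, any source)
#    and allow the new port only from the management subnet.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName "RDP (TCP $NewPort, mgmt only)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -RemoteAddress $MgmtNet -Action Allow -Profile Domain,Private | Out-Null

# 5. Restart Remote Desktop Services so the listener re-binds (this drops RDP sessions).
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 3

# 6. Verify: the new TCP port must be listening; no UDP endpoint on either port should remain.
$tcpNew = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
$tcpOld = Get-NetTCPConnection -State Listen -LocalPort $OldPort -ErrorAction SilentlyContinue
$udp    = Get-NetUDPEndpoint -ErrorAction SilentlyContinue | Where-Object { $_.LocalPort -in @($OldPort, $NewPort) }

if ($tcpNew) { Write-Host "OK: RDP listening on TCP $NewPort" } else { Write-Warning "TCP $NewPort is not listening" }
if ($tcpOld -and $OldPort -ne $NewPort) { Write-Warning "TCP $OldPort is still listening" }
if ($udp)    { Write-Warning "UDP RDP endpoint still bound; block UDP/$($udp.LocalPort -join ',') at the edge" }
else         { Write-Host "OK: no UDP RDP listener" }
```

The last block is the check worth keeping in a compliance script: a host can have the registry values set and still be reflecting if the service was never restarted, so test what is bound, not what is configured.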

Experience the Power of Syxsense

Syxsense is a cloud-based solution that helps organizations manage and secure their endpoints with ease. Automatically deploy OS and third-party patches, as well as Windows 10 Feature Updates, to Windows, Mac, and Linux devices.


Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.


Incomplete Patch for Reverse RDP Attacks Leaves Clients Vulnerable

Categories: Blog, Patch Management


Although Microsoft previously patched a vulnerability related to reverse RDP attacks, researchers discovered that third-party RDP clients are still completely vulnerable.

RDP Vulnerabilities Continue to Be Exploited

Remote Desktop Protocol (RDP) has been used for over a decade to let Windows clients remotely access and administer other computers. However, it is also one of the most notorious services when it comes to added risk.

Over the years, attackers have wreaked havoc across nearly every country by exploiting RDP vulnerabilities, costing organizations (private and public) millions of dollars in recovery. After all this time, it is no surprise that remote flaws like these keep turning up, and yet organizations continue to rely on the protocol.

The Danger of Reverse RDP Attacks

In a blog post published Thursday, Check Point explained how a Reverse RDP attack works. In their example, a user connects from a corporate workstation to a remote device that has already been infected by malware. Because the RDP client trusts data the server sends back (such as files pasted through the shared clipboard), the compromised remote device can attack the connecting user's machine. The attack is called Reverse RDP because the user believes they are controlling the remote device when, in fact, the direction of control is reversed.

Reverse RDP isn't brand new. Check Point presented it to the industry at Black Hat USA 2019 after disclosing it to Microsoft, which patched the flaw that year as CVE-2019-0887.

“We assumed this patch meant the vulnerability was indeed fixed,” Check Point stated regarding their initial findings, “and we even mentioned it in our previous blog post: ‘…the fix matches our initial expectations, our Path Traversal vulnerability is now fixed.’”

Check Point then found that the fix itself could be bypassed. Microsoft released a second update in February 2020 to close the bypass (CVE-2020-0655).

The Problem with the Patch

Upon further investigation, Check Point found that Microsoft's patch was applied inside the RDP client rather than in the Windows API whose behaviour caused the problem in the first place (PathCchCanonicalize). The API still canonicalizes paths the same way, so any other program that relies on it to sanitize untrusted paths remains exposed.

“We fear that just like the Reverse RDP scenario that we just demonstrated the implications of a simple bypass to a core Windows path sanitation function may pose a serious risk to many other software products. We therefore urge all software developers and security researchers to be aware of this vulnerability, and make sure their own software projects are manually patched.”

At this time, Microsoft has yet to offer any explanation as to why it hasn’t resolved the issue, although Check Point stated they’ve notified the vendor.

How to Take Action

“IT staff in large enterprises that use Windows should install Microsoft’s February Patch, CVE-2020-0655, to make sure their RDP client is protected against the attack we’ve presented in BlackHat USA 2019. The second part is addressed to developers worldwide. Microsoft neglected to fix the vulnerability in their official API, and so all programs that were written according to Microsoft’s best practices will still be vulnerable to Path-Traversal attack. We want developers to be aware of this threat, so that they could go over their programs and manually apply a patch against it.” – Omri Herscovici, Check Point
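What "manually apply a patch" means in practice is a containment check: canonicalize the untrusted name joined to the trusted directory, then refuse anything whose resolved path does not start with that directory. The script below is an added example written for this post, not Check Point's or Microsoft's code. It uses .NET's [IO.Path]::GetFullPath as the canonicalizer instead of PathCchCanonicalize, assumes it is running on Windows (where both '\' and '/' are separators), and the base directory and file names are constructed for the demonstration.

```powershell
# Added example (not Check Point's or Microsoft's code): containment check for an
# untrusted, server-supplied file name before writing it under a trusted directory.
# Canonicaliser: .NET GetFullPath (assumption; stands in for PathCchCanonicalize).

function Test-PathContained {
    param(
        [Parameter(Mandatory)] [string] $Base,       # trusted destination directory
        [Parameter(Mandatory)] [string] $Candidate   # untrusted name, e.g. from the RDP server
    )
    # Normalise the base once and keep a trailing separator, so that
    # 'C:\inbox' does not accept 'C:\inbox-evil\file' on a plain prefix test.
    $baseFull = [IO.Path]::GetFullPath($Base).TrimEnd('\', '/') + [IO.Path]::DirectorySeparatorChar

    # Combine() returns the second argument unchanged when it is rooted, so absolute
    # and drive-relative names survive into the prefix test and are rejected there.
    # GetFullPath resolves '.', '..' and mixed separators.
    $full = [IO.Path]::GetFullPath([IO.Path]::Combine($baseFull, $Candidate))

    # Windows paths are case-insensitive; compare the prefix the same way.
    return $full.StartsWith($baseFull, [System.StringComparison]::OrdinalIgnoreCase)
}

# Vulnerable pattern: trust the name and write wherever it points.
function Save-UntrustedFileUnsafe {
    param([string] $Base, [string] $Name, [byte[]] $Bytes)
    [IO.File]::WriteAllBytes((Join-Path $Base $Name), $Bytes)    # '..\..\evil.exe' escapes $Base
}

# Hardened pattern: same write, gated by the containment check.
function Save-UntrustedFile {
    param([string] $Base, [string] $Name, [byte[]] $Bytes)
    if (-not (Test-PathContained -Base $Base -Candidate $Name)) {
        throw "Rejected '$Name': it resolves outside $Base"
    }
    [IO.File]::WriteAllBytes([IO.Path]::GetFullPath([IO.Path]::Combine($Base, $Name)), $Bytes)
}

# Constructed names for the demo; only the first three should be reported as contained.
$Base = 'C:\Users\alice\inbox'
@(
    'report.txt',
    'sub\report.txt',
    '.\report.txt',
    '..\..\..\Windows\System32\evil.dll',     # classic traversal
    '../../../Windows/System32/evil.dll',     # forward slashes, same effect on Windows
    'sub\..\..\evil.dll',                     # traversal hidden behind a valid segment
    'C:\Windows\System32\evil.dll',           # absolute path
    '\Windows\System32\evil.dll'              # rooted, drive-relative
) | ForEach-Object {
    '{0,-40} contained={1}' -f $_, (Test-PathContained -Base $Base -Candidate $_)
}
```

The point of the design is that the decision is made on the resolved path, not on the raw string: filtering for "..\" in the input is exactly the kind of check that a second separator or an absolute path slips past.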

How can IT departments verify that RDP, and other potential security holes, are actually being checked? The answer is simple: use a vulnerability scanner.

RDP is just one piece of the puzzle, a popular one no doubt, but there are other flaws to look out for: backdoors, crypto-mining software, peer-to-peer applications, open ports, SNMP, and even the configured Windows policies. All must be checked routinely for misconfiguration or exposure. Now that employees are working from the couch on a corporate device, or even their own, the need for heightened security has never been greater.

Syxsense Secure offers a thorough definitions library so that devices on or off premises can be securely checked for any of these popular vulnerabilities, unlike most conventional vulnerability scanners, which must be stood up on premises with new or existing hardware, licensing, and corporate firewall rules.

Additionally, Syxsense Secure includes Syxsense Manage, so patch management comes standard; conventional tools fall short because they lack remediation capabilities and have rudimentary patch definitions. Once devices are checked, exportable reports can be emailed on set schedules so that newly discovered vulnerabilities are identified and sent to the proper parties, whether in-house or third-party.


RDP Brute-Force Attacks Increase Since the Start of COVID-19

Category: Blog


The Rise of RDP Exposure

According to recent reports, the number of brute-force attacks focused on Remote Desktop Protocol (RDP) endpoints has dramatically increased since the start of the COVID-19 pandemic.

As countries implemented quarantines and stay-at-home orders, more companies started deploying RDP systems online. This resulted in a 41.5% increase in “the number of devices exposing RDP to the internet via RDP’s default TCP port 3389.”

More RDP Brute-Force Attacks

Attackers continually rely on brute-force attacks to obtain credentials that have remote desktop access. As more remote workers connected to the corporate network in recent months, the attack surface for cybercriminals became wide open.

“Since the beginning of March, the number of Bruteforce.Generic.RDP attacks has rocketed across almost the entire planet,” said Dmitry Galov at Kaspersky.

RDP endpoints are heavily targeted by ransomware operators. Notably, 2019 brought the infamous BlueKeep vulnerability (CVE-2019-0708), a pre-authentication flaw in Remote Desktop Services that lets an attacker remotely take control of an unpatched, reachable device.

That’s why it’s critical for businesses to adopt security measures to protect themselves when using RDP, as well as other potential attack vectors.
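Brute-force activity against RDP leaves a very plain trail: a burst of Security log event 4625 (failed logon) records from one source address, usually cycling through account names. The script below is an added example, not Syxsense or Kaspersky code, showing the detection logic a practitioner would run over those events. It operates on a constructed sample so it runs offline; the threshold of 10 failures in 5 minutes and the IP addresses are assumptions, and the converter function shows how real Get-WinEvent output is flattened into the same shape.

```powershell
# Added example (not Syxsense or Kaspersky code): detect password guessing against RDP
# from Windows Security event 4625 records. Threshold, window and IPs are assumptions.

function Find-BruteForceSources {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, IpAddress, TargetUserName
        [int] $Threshold = 10,                       # this many failures from one IP ...
        [int] $WindowMinutes = 5                     # ... inside a sliding window of this length
    )
    $findings = @()
    $bySource = $Events | Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } | Group-Object IpAddress
    foreach ($group in $bySource) {
        $times = @($group.Group | Sort-Object TimeCreated | Select-Object -ExpandProperty TimeCreated)
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end = $times[$i].AddMinutes($WindowMinutes)
            $n = @($times | Where-Object { $_ -ge $times[$i] -and $_ -le $end }).Count
            if ($n -ge $Threshold) {
                $findings += [pscustomobject]@{
                    IpAddress   = $group.Name
                    Failures    = $n
                    WindowStart = $times[$i]
                    Users       = (@($group.Group.TargetUserName) | Sort-Object -Unique) -join ','
                }
                break   # one finding per source address is enough to raise an alert
            }
        }
    }
    return $findings
}

# Flatten real 4625 events (Get-WinEvent output) into the shape the detector expects.
# Note: with Network Level Authentication on, failed RDP logons are logged with
# LogonType 3, not 10, so do not filter on logon type 10 when hunting for RDP guessing.
function ConvertFrom-FailedLogonEvent {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $Event.TimeCreated
            IpAddress      = $data['IpAddress']
            TargetUserName = $data['TargetUserName']
            LogonType      = $data['LogonType']
        }
    }
}
# On a real host:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-1)} |
#       ConvertFrom-FailedLogonEvent | Find-BruteForceSources

# Constructed sample: 203.0.113.7 tries 12 passwords in 90 seconds across four account
# names; 198.51.100.4 is a legitimate user who mistyped a password twice.
$t0 = Get-Date '2020-04-01T09:00:00'
$sample = @()
foreach ($i in 0..11) {
    $sample += [pscustomobject]@{
        TimeCreated    = $t0.AddSeconds($i * 8)
        IpAddress      = '203.0.113.7'
        TargetUserName = @('administrator', 'admin', 'backup', 'svc_sql')[$i % 4]
        LogonType      = 3
    }
}
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2); IpAddress = '198.51.100.4'; TargetUserName = 'alice'; LogonType = 3 }
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3); IpAddress = '198.51.100.4'; TargetUserName = 'alice'; LogonType = 3 }

Find-BruteForceSources -Events $sample | Format-Table -AutoSize
```

On the constructed sample only 203.0.113.7 crosses the threshold; the two failures from 198.51.100.4 stay below it, which is the distinction a threshold-per-source rule exists to make. The same grouping by source works on event 4776 from a domain controller when the guessing is aimed at domain accounts.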

How Syxsense Combats Brute-Force Attacks

Attackers and RDP vulnerabilities are no match when you have vulnerability scanning with Syxsense on your side.

Syxsense helps you reduce the likelihood of brute-force success by knowing about weak passwords and sub-standard user account policies.

Keep your environment locked down with our Policy Compliance scripts, which check for the conditions that let brute-force attacks succeed:
  • Brute-force attacks are simply endless password guessing; the checks below target what makes guessing pay off
  • Home devices sharing a network with other non-corporate devices
  • Password set to any of the standard, easily guessed passwords such as “Password”
  • Passwords Unchanged: Are accounts in use whose passwords have never been changed? Simple passwords, or passwords that have not been changed in a long time, are a high risk
  • User Login Analytics: Has an account not been logged in to within a reasonable period of time?
  • Users Never Used: Has an account never been used? Accounts that are never used are often created and left behind as a backdoor for later use
  • Password Never Expires: Has an account been set so that its password never expires?
  • Password Not Required: Blank passwords are the easiest to crack
  • Administrator Account in Use: Has the recommended policy of renaming the built-in Administrator account been actioned?
  • Multiple Login Attempts: Repeated failed logins are the trace evidence of a brute-force attack
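Most of the account checks in that list can be expressed against the properties that Get-LocalUser already returns. The script below is an added example, not Syxsense's Policy Compliance scripts: it scores each enabled account for the listed conditions and emits one row per account that has findings. The constructed sample objects stand in for Get-LocalUser output so it runs offline, and the 90-day thresholds are assumptions.

```powershell
# Added example (not Syxsense's Policy Compliance scripts): audit local accounts for
# the conditions listed above. Input is Get-LocalUser-shaped objects; the sample
# below is constructed. Day thresholds are assumptions.

function Test-AccountHygiene {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [int] $MaxPasswordAgeDays = 90,
        [int] $MaxIdleDays = 90
    )
    process {
        if (-not $Account.Enabled) { return }       # disabled accounts cannot be guessed into
        $now = Get-Date
        $issues = @()
        if (-not $Account.PasswordRequired)     { $issues += 'PasswordNotRequired' }
        if ($null -eq $Account.PasswordExpires) { $issues += 'PasswordNeverExpires' }
        if ($Account.PasswordLastSet -and ($now - $Account.PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays) {
            $issues += 'PasswordUnchanged'
        }
        if ($null -eq $Account.LastLogon)                                  { $issues += 'NeverLoggedOn' }
        elseif (($now - $Account.LastLogon).TotalDays -gt $MaxIdleDays)   { $issues += 'Stale' }
        # The built-in Administrator always has RID 500, whatever it has been renamed to;
        # flag it only when the default name is still in use.
        if ($Account.SID.Value -like '*-500' -and $Account.Name -eq 'Administrator') {
            $issues += 'DefaultAdminNameInUse'
        }
        if ($issues) {
            [pscustomobject]@{ Name = $Account.Name; Issues = ($issues -join ', ') }
        }
    }
}

# On a real host:  Get-LocalUser | Test-AccountHygiene
# Constructed sample: three accounts shaped like Get-LocalUser output (SID is an
# object with a .Value string, as SecurityIdentifier is).
$sid = { param($rid) [pscustomobject]@{ Value = "S-1-5-21-1111111111-2222222222-3333333333-$rid" } }
$sample = @(
    [pscustomobject]@{ Name = 'Administrator'; Enabled = $true; PasswordRequired = $true;  PasswordExpires = $null
                       PasswordLastSet = (Get-Date).AddDays(-400); LastLogon = (Get-Date).AddDays(-2); SID = (& $sid 500) }
    [pscustomobject]@{ Name = 'svc_backup';    Enabled = $true; PasswordRequired = $false; PasswordExpires = $null
                       PasswordLastSet = $null;                    LastLogon = $null;                   SID = (& $sid 1001) }
    [pscustomobject]@{ Name = 'alice';         Enabled = $true; PasswordRequired = $true;  PasswordExpires = (Get-Date).AddDays(30)
                       PasswordLastSet = (Get-Date).AddDays(-20);  LastLogon = (Get-Date).AddDays(-1);  SID = (& $sid 1002) }
)
$sample | Test-AccountHygiene | Format-Table -AutoSize
```

On the sample, the built-in Administrator and the service account are reported and the ordinary user is not. The RID-500 check is the one to keep even after renaming: an attacker enumerating accounts over RDP looks for the SID, not the display name.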


Why RDP Vulnerabilities Need Your Attention

Category: Blog


With a history of security holes, Remote Desktop Protocol (RDP) is being used more than ever by remote users. How can IT departments manage the risks?

Remote Work Has Changed the IT Landscape

As more employees are forced to work from home due to COVID-19, there is a heightened need for tools and checks to ensure remote devices are properly secured.

The current situation has certainly rocked the foundation for how businesses function and how IT departments are able to respond. Not only are there endpoints and servers left on-premise that may be sitting idle, waiting for an attacker to come along, but sending massive fleets home to unknown territory and networks opens up a whole new can of worms.

How RDP Puts You at Risk

Remote Desktop Protocol (RDP), an attack surface that has plagued the industry for over a decade, is being used more than ever to let remote workers back into the corporate network.

In late March 2020, after most non-essential businesses were forced to send workers home, search engine Shodan reported a 41.5% spike in “the number of devices exposing RDP to the internet via RDP’s default TCP port 3389.”

This protocol has seen its fair share of security holes since the beginning. Most notably, 2019 brought BlueKeep (CVE-2019-0708), a pre-authentication flaw in Remote Desktop Services that could let an attacker remotely take control of an unpatched, reachable device. Further, attackers continually rely on brute-force attacks to obtain credentials that have remote desktop access.

If successful, the attackers can gain access to remote workstations and servers that the accounts are authorized for. Organizations need to adopt adequate security measures to proactively protect themselves when using RDP, as well as other potential attack vectors.

Preventing RDP Exploits and Vulnerabilities

How can IT departments verify that RDP, and other potential security holes, are actually being checked? The answer is simple: use a vulnerability scanner.

RDP is just one piece of the puzzle, a popular one no doubt, but there are other flaws to look out for: backdoors, crypto-mining software, peer-to-peer applications, open ports, SNMP, and even the configured Windows policies. All must be checked routinely for misconfiguration or exposure. Now that employees are working from the couch on a corporate device, or even their own, the need for heightened security has never been greater.

Use Syxsense to Manage and Secure Your Environment

Syxsense Secure offers a thorough definitions library so that devices on or off premises can be securely checked for any of these popular vulnerabilities, unlike most conventional vulnerability scanners, which must be stood up on premises with new or existing hardware, licensing, and corporate firewall rules.

Additionally, Syxsense Secure includes Syxsense Manage, so patch management comes standard; conventional tools fall short because they lack remediation capabilities and have rudimentary patch definitions. Once devices are checked, exportable reports can be emailed on set schedules so that newly discovered vulnerabilities are identified and sent to the proper parties, whether in-house or third-party.


FBI Alert: RDP Exploited

Category: News

Hope you don’t rely on RDP

The FBI's Internet Crime Complaint Center and the Department of Homeland Security have released a new public service announcement. Alert I-092718-PSA details the ramp-up of cyber attacks exploiting the Remote Desktop Protocol.

RDP is included with Windows, and with millions utilizing that operating system, the exposure is widespread.

The alert states, “The use of RDP creates risk. Because RDP has the ability to remotely control a system entirely, usage should be closely regulated, monitored, and controlled.” If you don't use the service, the FBI and DHS recommend you disable it and block the corresponding ports. It's also important to regularly monitor your remote access activity.
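"Disable it and block the corresponding ports" is three settings and a verification step on a Windows host. The script below is an added example, not part of the FBI/DHS alert or of Syxsense: it refuses Remote Desktop connections, disables the built-in inbound firewall rules for RDP, stops the service so nothing re-binds the port after a reboot, and then reports what is actually in effect. It assumes Windows 10 / Server 2016 or later and an elevated console session; the NLA line at the end is the minimum for hosts that must keep RDP on.

```powershell
# Added example (not from the FBI/DHS alert): disable Remote Desktop on a host that does
# not need it, close its firewall rules, and confirm nothing is left listening. Run elevated.

$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ListenKey = "$TsKey\WinStations\RDP-Tcp"

# 1. Refuse incoming connections (the same switch the System Properties dialog flips).
Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord

# 2. Close the built-in inbound rules (TCP and UDP 3389) instead of relying on step 1 alone.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 3. Stop the service and keep it from starting again at boot.
Stop-Service -Name TermService -Force
Set-Service  -Name TermService -StartupType Disabled

# 4. Verify against the port the listener was configured for, in case it was moved off 3389.
$port = (Get-ItemProperty -Path $ListenKey -Name PortNumber).PortNumber
$open = @(Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue) +
        @(Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue)
$rulesOn = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object { $_.Enabled -eq 'True' })

[pscustomobject]@{
    DenyConnections = ((Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1)
    ServiceStartup  = (Get-Service -Name TermService).StartType
    ListenersOnPort = $open.Count        # expect 0
    OpenRdpRules    = $rulesOn.Count     # expect 0
}

# If RDP must stay enabled on a host, require Network Level Authentication at minimum, so
# credentials are checked before a session (and its attack surface) is ever created:
#   Set-ItemProperty -Path $ListenKey -Name UserAuthentication -Value 1 -Type DWord
```

The verification object is the part to feed into reporting: a host that reports DenyConnections true but ListenersOnPort 1 has had the policy set without the service being restarted, which is exactly the gap a scan should catch.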

Why Syxsense is a secure solution to replace RDP

  • Reports can be scheduled to regularly keep you up to date on remote access activity.
  • Syxsense comes with Two-Factor Authentication, ensuring only authorized users can use the solution. This is a feature the FBI recommends for remote access products.
  • The suite comes with other tools, such as our Patch Manager. This, too, is recommended in the alert; “Apply system and software updates regularly.”
  • Communication is 2048-bit Encrypted.
  • End user access controls.
  • No Forced open ports.

RDP is quickly becoming an attacker’s favorite way to access an IT environment. Secure your devices and replace RDP with a secure Remote Control solution. Syxsense has reliable Remote Control as well as many other useful features.

It’s time to ditch RDP. Start a free trial of Syxsense.


RDP Flaw: Every Windows Version Affected

Category: News

CredSSP Flaw in RDP

Credential Security Support Provider protocol (CredSSP), the Windows protocol that passes a user's credentials to a remote host for features like RDP, has a critical vulnerability (CVE-2018-0886). The danger is that an attacker positioned between the client and the server could abuse the flaw to run code and gain access to the user's devices and environment, stealing sensitive and valuable data.

This previously unknown remote code execution vulnerability was reported to Microsoft in August of last year, but the fix for the protocol only arrived in this month's Patch Tuesday release, almost seven months after it was reported.

Since RDP is a feature of Windows, and one of the most popular ways to perform remote access, everyone is exposed to this security threat. Every supported version of Windows, at the time of this article, contains this flaw.

Microsoft has released updates that address the issue. Even if you aren't using RDP regularly, deploying this patch to your Windows devices is critical, and it has to reach both sides: the fix is a protocol change, so a patched client talking to an unpatched server (or the reverse) is still a vulnerable pair. Because researchers believe this exploit may evolve into new ways to attack your environment, it's also important to track the activity of remote login sessions.

Syxsense provides both predictive patch management and detailed security reports.

Protect your devices from this major RDP flaw by starting a free trial with Syxsense.


RDP: Is the ‘R’ for ‘Ransomware’?

Category: News

RDP Creates Vulnerabilities

Remote Desktop Protocol is something you’ll find on every Windows computer and widely used throughout the IT industry. But does the ‘R’ in RDP now stand for Ransomware?

As the common methods of distributing ransomware become harder to pull off, attackers look for new entry points, and the abuse of RDP is coming to the forefront. Since almost every Windows computer has it, and it is built to give access to devices, it may become the ideal way for ransomware to enter an environment.

Some high-profile ransomware already utilize this method, such as BitPaymer.

So, how do you protect your business from this vulnerability?

Step 1: Disable, and then replace, RDP.

Step 2: Implement a rigorous Patch Strategy.

Disabling RDP will protect your environment, but many IT departments rely on it to do their jobs. However, if you replace RDP with another remote control solution, you can disable RDP and rest easy.

Syxsense provides a secure Remote Control solution. Utilizing 2048-bit encryption, our product communicates securely between the accessing device and the target. You can also prompt the user on the target to allow or deny access.

Patching your devices is also critical for maintaining a secure environment. Using Syxsense, you can implement a patching strategy that keeps your devices up to date. Our Patch Manager shows you, at a glance, which devices need patching. Tasks can be set to happen on an automated schedule to work around business hours. Replace RDP with Syxsense and experience a free trial today.


Start Patching

Start a free, 14-day trial of Syxsense, which helps organizations from 50 to 10,000 endpoints monitor and manage their environment, all from just a web browser. An email will be automatically sent to the address you provide.

START FREE TRIAL: https://www.syxsense.com/syxsense-trial/