Why Using VPN to Secure RDP Will Not Stop Hackers
Wondering how to increase RDP (Remote Desktop) security? Let me tell you how hackers most often hack RDPs and why VPN won’t change anything about it. So how does one makes sure that RDP security is sufficient?
The amount of hacked companies is growing
Ransomware got a lot of media attention in the Czech Republic in the past few months (thanks to Benesov hospital and OKD). Anyone outside the IT industry might mistakenly believe that other companies will no longer be encrypted. Everyone was informed about the threat and their networks were secured. Problem solved!
However, the reality is that the amount of companies that have lost their data, including backups, is increasing (at least we hear more from them). How is it possible?
Security must be built up
The point is that security cannot be solved simply by buying one box, changing several settings, or some overtime.
Businesses have usually been neglecting security for years. During that time, they have accumulated a “technological debt” and it cannot be removed by a gentle “scuff”. It’s the same thing as with a sedentary job, back pain will not go away with the first visit to the gym („personal experience“☺).
It’s not easy to find someone to help properly secure your network. Websites often state that every IT company provides “IT security” services, but the reality often looks more like “paper patience”. Especially for non-IT managers, it can be difficult to judge who can really help the company, and who just wants “to bill” (I recommend the following article, „How Hackers Attack Companies Through Their IT Providers“ if you haven’t read it already).
RDP is always at fault
Remote Desktop (RDP) is used by many companies to enable employees to work from home. It is also used by many network administrators (including us) to remotely manage servers. As the purpose of Remote Desktop is to enable “remote” work, this service is often available directly via the Internet. So both legitimate users and hackers can connect.
We have observed over the past few years, that most successful businesses attacks (and data encryption) have been carried out through the remote desktop. For this very reason, many people have begun to “fight” against RDP available directly from the Internet. The recommended solution is to hide everything behind a VPN. Those who still leave their RDPs available directly from the Internet are often labeled as incompetent. ☺
You probably already know that my view might be slightly different. In my opinion, the problem is not in the RDP itself, but in the careless attitude of IT administrators. I do not mean all IT administrators, rather only those who are slacking. If administrators do not change their attitude, VPN won’t solve anything and businesses will continue to be broken into.
How hackers break into RDP (remote desktop)
Hacking is a kind of mystery for people outside the industry. I apologize if I clarify the mystery part now.
The fact is: all remote desktop hacks (up to the second half of 2019) were done in such a way that hackers got the victim’s credentials and signed into the remote desktop as would the user do!
These companies were not hacked because they had remote desktop available, but because they had sloppy IT administrators.
We can blame Remote Desktop only for enabling IT administrators to:
- use weak (short / dictionary) passwords,
- turn off account lockout
- use familiar user names (eg administrator, printer, scanner, support)
- not to use 2FA
- disable network authentication (NLA)
- use untrusted certificates.
You may be wondering how the attackers got the credentials. Sometimes they find them on the Internet – in password leaks from other services. Users occasionally type them on infected computers. In the vast majority, passwords are guessed with a dictionary attack. Their botnets were just carefully trying out the password by password for a couple of days. As administrators are not tracking these login attempts, they have not taken any action.
Why VPN won’t change a thing
We are getting close to the whole idea behind the article. Since technology is not the weak point, its replacement will not help either. i.e. if I replace RDP with VPN (which I will use to connect to RDP), the network will not be more secure, because:
- users will still be using the same weak passwords (VPN will probably be bound directly to AD)
- passwords will be entered on untrusted devices (home/foreign computers),
- attackers will still be able to guess passwords (because VPN is available from all over the world).
The only way to a secure corporate network is to do things properly and be interested in your field.
The reason why remote desktop attacks are trending is a huge number of users (at least 5 million servers according to shodan.io), and at the same time, there are free hacking tools available on the Internet (especially for password guessing).
As more users get to use VPN, attackers will shift as well. In fact, they are using VPN to hack businesses even now, see the next chapter. I wrote an article discussing what attackers can do „What Hackers Can Do In Your Network“.
But what about bugs and exploits?
You will remember BlueKeep and DejaBlue critical errors, which were found last year in the RDP implementation. Thanks to them, it was possible to gain complete control over any Windows-based device that had Remote Desktop enabled.
Maybe that’s why one might think it’s good to have a device in a way – like a VPN. This would theoretically not allow direct access to servers and even if there is an error in the app, attackers will not be able to exploit it.
But the issue is that even these devices have their bugs. Few researchers found critical vulnerabilities just this year in VPN producers: Palo Alto, FortiNet and Pulse Secure (Attacking SSL VPN). These vulnerabilities allowed to:
- gain router control,
- obtain user names and passwords of users logged into the VPN,
- control client computers (those that were logged into VPN).
All these bugs were made public when corrective patches have already existed. However, many companies (including Twitter and Uber) have not updated in time. In fact, some companies have not patched to this day and are being hacked exploiting these critical bugs. („The US DHS CISA agency is warning organizations that threat actors continue to exploit the CVE-2019-11510 Pulse Secure VPN vulnerability“).
In general, all publicly available services (the so-called “internet facing” services) are a potential problem and need to be looked after carefully. For example, critical vulnerabilities (allowing anyone to control the device) have been found recently in:
- Citrix Application Delivery Controller (ADC) and Gateway (CVE-2019-19781)
- RDP Gateway (CVE-2020-0609 a CBE-2020-0610)
- OpenSMTPD (CVE-2020-7247)
There have been so many bugs lately that hackers are unable to hack all vulnerable companies. So they began to put backdoors into vulnerable networks so that they could return in the future (even if the company patches the vulnerability) and encrypt the data. Sometimes it was so ironic that they have “fixed” the bug themselves. This is to prevent another hacker group from abusing it („Hackers are racing to exploit a Citrix bug that the company hasn’t patched yet“).
How to increase RDP (remote desktop) security
So how to secure RDP (including VPN and other publicly available services) to be properly secured? The tips and technologies that we use or have used are listed below:
- Use multi-factor authentication – this will prevent attackers from signing in to your service with credentials only. Then follow with instructing users to report receiving a 2FA push notification in case they are not logging in somewhere (this will reveal the leak). At the same time, 2FA must apply to all users, without exceptions (especially for administrators, those accounts are even more important than regular ones). The technologies that have proved their worth are ESET Secure Auth or Azure MFA.
- Block those unable to log in – it’s good to have an idea of who is trying to sign in to the system and whether someone is trying to guess your credentials(we are doing so with our monitoring system). It’s even better is to block them directly. You can use tools such as RDPGuard, or Cyberarms.
- Limit service availability – all you often need is to be able to access the service from a few public IP addresses or a few countries. RDP rarely needs to be available from around the world.☺ It’s a bit of “security by obscurity,” but it is quick to set up (many routers can do so by “geo-blocking”) and can radically reduce unwanted traffic. Disappearing from several databases like Shodan is a positive side effect.
- Be informed – our industry is developing at an incredible rate and it’s hard to know everything. Try to follow just a few internet sources, such as bleepingcomputer.com or thehackernews.com or at least, subscribe to the weekly newsletter on new vulnerabilities at https://www.us-cert.gov/ncas/bulletins (or even my blog). And of equal importance – use the information. When a bug is revealed – patch. When attackers learn to overcome a certain defensive element – adjust the defensive strategy.
VPN and RDP are not the only way to penetrate the defense
We discussed the VPN and RDP throughout the article as if it was the only way to hack the company. It would be a mistake to think so. Attackers can breach into the business through fake mail addresses (phishing), vulnerable browsers (recently discovered 0-day critical bugs in IE, FireFox and Chrome).
However, all these paths have one thing in common. Once the attacker finds himself inside the internal network, he usually has limited rights (like a regular user) and has to obtain higher-level rights. This needs to be done to be able to delete backups and encrypt data across the network.
It is the escalation of rights that the attackers are very good at (they are usually done within an hour) and the company defense is at this point far behind. The administrators I get to meet are oftentimes doing their best to protect the external perimeter (ie the Internet-internal network interface) and they have no time left for the rest.
The defense must be comprehensive! I like the simplified analogy to
a city defense system. There were mostly outer walls with a moat (the Internet – internal network interface protection), inner walls (internal network segmentation), a limited entry points (VPN, geo-blocking), guards checking identity (authentication, authorization – ideally 2FA), and watchtowers looking out to spot the danger or in case there was something wrong inside the city (monitoring system).
If you want some tips on internal segmentation, check out the article „Network Security: TIer Model and PAW“ (how we do the internal segmentation) and „IT Security: Life Cycle“ (discussing why security is not only about restrictions).
How are the hackers doing
I think that hackers have never been doing as well as they are now. From our experience, the usual ransom price paid by medium-sized companies in the Czech Republic is in the magnitude of hundreds of thousands (an increase of hundreds of percent in recent years). In the case of corporations, the ransom is even higher. For example, Maastricht University in the Netherlands paid a ransom of about 5,000,000 CZK in December 2019 („Ransomware attack: Maastricht University pays out $220,000 to cybercrooks“).
Unsurprisingly, hackers with such funding are constantly improving and professionalizing. We can observe this in the attacks we are dealing with. I wrote articles detailing how we dealt with ransomware with our customers a few years ago:
- Ransomware 1: Data Recovery or a Blessing in Disguise
- Ransomware 2: To Pay The Ransom For Encrypted Data
I had no idea back then, that just a few years, I would be writing articles on how customers’ networks are getting hacked manually and backups are being destroyed („What Hackers Can Do In Your Network“), blackmail by publishing stolen data („Hackers Came Up With a New Trick. They Learned to Improve Their Blackmailing with Ransomware“) and abuse their providers to attack businesses („How Hackers Attack Companies Through Their IT Providers“).
How to defend your network
It is necessary to keep up with the attackers, better to be one step ahead. However, its easier said than done. To make the network safe, we must not make a single mistake. Meanwhile, hackers only need a single mistake to break into the network.
I think that cooperation is a way to go. The knowledge required is so enormous that it is not within one´s abilities to encompass oneself. Those who can do so just confirm the rule, and there are not enough of them to help even a fraction of companies. We, however, can defend our corporate networks together. I believe so and that’s why I write this blog.☺
Discussion