RDP Brute Force Attacks On The Rise. How To Keep Your Business Safe


RDP brute force attacks on the rise. How to keep your business safe
By: Omair M. - omair@iosentrix.com

Omair is a Cybersecurity Executive with over 15 years of experience in security consulting, operations, research and development. Omair has experience improving the security posture of a number of Fortune 500 companies, including Microsoft, Amazon, the London Underground subway system, Bank of America, VISA, Electronic Arts (EA), Prometric (ETS), Symantec, Sony, Nintendo, and MicroStrategy. His current endeavors include founding a cybersecurity consulting firm in the Washington DC metro area that specializes in the cybersecurity needs of startups.

According to the United Nations Development Programme (UNDP), the Covid-19 pandemic is the most significant crisis to hit us since World War Two. Since its advent, countries have been racing around the clock to slow its spread.

With the number of confirmed cases going through the roof, a number of drastic measures have been implemented to curb the spread, among them restricting travel and closing schools and other social venues to maintain social distancing.

Businesses have also been closed, and employees advised to work remotely to help in the fight against this health crisis. For employees to work from home, companies have had to let them reach company resources from home, and a large number of companies are doing so by exposing workstations through the Remote Desktop Protocol (RDP). Unfortunately, most of these companies lack the security expertise to make RDP access safe, and under time pressure they omit security controls that cybercriminals can exploit.

What is RDP, and how does it work?

RDP is a proprietary protocol from Microsoft that lets you connect remotely to Windows endpoints over a network.
For it to work, the company typically enables the RDP server component (Remote Desktop Services) on its servers, and users/employees install an RDP client on their machines to connect to it.

The scary downside of this arrangement is that if a malicious actor can get into a user's RDP session, for example with that user's credentials, they get the same level of permissions as the user. This means they can access all of the user's confidential data and information at will, and even steal or abuse sensitive information.

Cybercriminals Craving for Your Employees' RDP Credentials

[Figure: number of brute force attacks per day since 01.02.2020. Image credit: Kaspersky]

Since the advent of this pandemic everybody is remote, and this has translated into a massive upsurge in the number of brute force attacks targeting RDP servers. Attackers try username and password combinations against company RDP servers until one works. The guesses may be random or dictionary-based (classic brute force), or they may come from the attackers' extensive databases of usernames and passwords leaked in earlier data breaches (credential stuffing). In the first weeks of March there was an average of 200,000 attacks per day; by April 7th these numbers had skyrocketed to over 1.4 million malicious attempts per day.

How to Protect against RDP Brute Force Attacks?

There's always something you can do to stay safe from attacks like RDP brute force and credential stuffing. Here are a few tips to stop attackers from gaining access to your servers.

Use a Firewall

Before launching an attack, the attacker will typically scan IP ranges for the default RDP port (TCP 3389). Alternatively, they can obtain a list of RDP servers exposed to the Internet from open-source intelligence (OSINT) tools such as Shodan and Censys. For example, at the time of publishing this post, Shodan reported almost 1.3 million Remote Desktop servers in the US.

[Figure: Shodan shows 1.3 million exposed RDP instances in the US.]

Once the attacker finds a target, they launch brute force attacks to gain access. If successful, they can infect the system with malware or ransomware, launch a variety of other attacks against internal systems and users, or pivot through the compromised machine to attack other external targets.

Although not the preferred control on its own, a firewall can prevent brute force attempts from ever reaching the service: restrict access to the remote desktop instances so that only allowlisted IP addresses can connect to port 3389.
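As an added example (the editor's code, not from the original post), here is how to apply that allowlist with the Windows Defender Firewall cmdlets on the RDP host itself. The two addresses in $Allowed are placeholders for your own admin or VPN ranges, and the rule name is arbitrary. The same restriction belongs on the perimeter firewall or cloud security group; the host rule is the last line of defense, not the only one.

```powershell
# Added example (not from the original article): allow inbound RDP (TCP 3389)
# only from an allowlist of source addresses. Run from an elevated PowerShell
# prompt on the RDP host.
# ASSUMPTION: these two entries are placeholders for your real admin/VPN ranges.
$Allowed  = @('203.0.113.10', '198.51.100.0/24')
$RuleName = 'RDP - allowlisted sources only'   # arbitrary name, used again below

# Windows Firewall has no "deny except" rule and block rules always beat allow
# rules, so the correct pattern is: default inbound action = Block, plus one
# allow rule that is scoped to the allowlist. Enforce that default first.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# The built-in "Remote Desktop" rule group allows 3389 from ANY address once
# Remote Desktop is switched on. Disable those so they cannot shadow our rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Replace them with a single rule scoped to the allowlist (idempotent: remove
# any previous copy first).
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $Allowed -Profile Any | Out-Null

# Verify: the rule's address filter must list only the allowlisted sources,
# and the Remote Desktop group rules must all be disabled.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled
```

After running it, a connection attempt to port 3389 (for example with Test-NetConnection -Port 3389) should fail from any machine outside the allowlist and succeed only from the allowlisted ranges. Keep the allowlist tight: a VPN concentrator's address is a better entry than a whole ISP range.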

Use a Virtual Private Network (VPN)

A VPN provides secure access to your corporate network and ensures that corporate assets behind the firewall can be reached only after proper authentication and authorization. The firewall ensures that even though the corporate network is exposed to the Internet, nobody on the Internet can reach those assets unless they have authenticated to the VPN. Use multi-factor authentication (MFA) with the VPN for added security, and enforce strict password policies.

Use Multi-factor Authentication (MFA)

Cybercriminals notoriously use passwords to gain access to servers and databases. According to Verizon's Data Breach Investigations Report, 80% of hacking-related breaches involve weak, guessed, or stolen passwords.

Cybercriminals attack large numbers of servers intelligently. For example, instead of brute forcing a single account's password, they sometimes use a technique called password spraying: a small set of common passwords is attempted against an extensive list of usernames. Because each account sees only a few failed attempts, account lockout policies are never triggered, and spreading the attempts across many source addresses defeats simple IP banning.

To defend against such risks you must employ MFA to verify users before allowing access. It ensures that even if an attacker guesses or cracks an RDP password, they cannot reach the server without passing the extra security check.

Implement a Complex Password Policy With Frequent Rotation

You should implement a strong password policy with frequent rotation across the organization, including for Remote Desktop access. Passwords must not contain the user name or be easily guessable. Enforce, for example, a minimum length of nine (9) characters, with characters from each of the following: uppercase letters, lowercase letters, numerical digits, and special characters.

The rotation policy limits how long a leaked or cracked password stays useful and so mitigates most of the danger.
Together, these measures make it difficult for a malicious actor to gain access even if they find or guess the credentials.

Enforce an Account Lockout Policy

As mentioned earlier in this post, brute force attacks rely on many guesses of different username and password combinations until the cybercriminal hits the right one. If you configure accounts to lock after a specific number of failed attempts, you significantly reduce the risk from this kind of attack.

The account lockout policy should be configured in multiple layers (where your technology stack supports it). For example, lock the account for 30 minutes after six (6) failed attempts, and after three (3) lockouts block the account until the employee contacts the helpdesk for manual reactivation.

Configure Remote Desktop Gateway

Deploying a Remote Desktop Gateway ensures that all Remote Desktop access from remote connections goes through a single gateway server. With this option you must make sure that the Remote Desktop services on your servers and workstations are restricted to accept connections only from the configured Remote Desktop Gateway. The gateway accepts Remote Desktop requests over HTTPS (TCP port 443) and relays them to Remote Desktop Services on the target computers, so the internal hosts never expose port 3389 to the Internet. You can also restrict which resources users are permitted to reach through the Remote Desktop Gateway.

Microsoft offers an in-depth guide on installing and configuring Remote Desktop Gateway for Remote Desktop Services, and a complete tutorial on configuring Remote Desktop settings on clients to use the gateway.

Activate Network Level Authentication (NLA)

NLA is available, and enabled by default, on Windows 10 and Windows Server 2012 R2/2016/2019. It enhances server security by requiring the connecting user to authenticate before a Remote Desktop session is created on the server, so unauthenticated clients never reach the session setup code. This helps you avoid Remote Desktop security flaws that can be exploited without authentication.
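The lockout thresholds, the password policy and the NLA requirement from the sections above can all be applied from one elevated PowerShell session on a stand-alone RDP host. The block below is an added example written by the editor, not code from the original post. It assumes the host is not domain-joined (on a domain member, Group Policy overrides these local settings; the commented Set-ADDefaultDomainPasswordPolicy call at the end is the domain equivalent, with contoso.local as a placeholder domain name), it takes a 90-day rotation interval as an assumption since the post does not name one, and it does not implement the "permanent block after three lockouts" rule, which needs helpdesk tooling rather than a built-in setting.

```powershell
# Added example (not from the original article): apply the local lockout and
# password policy recommended above, then require Network Level Authentication
# on the RDP-Tcp listener. Run from an elevated prompt on a stand-alone host.

# --- Lockout and password policy (local SAM) ---
# 6 failed attempts lock the account for 30 minutes; the failure counter also
# resets after 30 minutes (the window may not exceed the duration). Minimum
# length 9, remember the last 24 passwords.
# ASSUMPTION: 90-day maximum age; the post asks for "frequent" rotation without a number.
net accounts /lockoutthreshold:6 /lockoutduration:30 /lockoutwindow:30 `
             /minpwlen:9 /maxpwage:90 /uniquepw:24

# The "must contain upper, lower, digit, special" rule is the local security
# policy setting PasswordComplexity, which net accounts cannot set. Export the
# policy with secedit, flip the flag, and re-import only the SECURITYPOLICY area.
$cfg = Join-Path $env:TEMP 'secpol.cfg'
secedit /export /cfg $cfg | Out-Null
(Get-Content $cfg) -replace '^PasswordComplexity\s*=.*', 'PasswordComplexity = 1' |
    Set-Content $cfg -Encoding Unicode          # secedit writes and reads UTF-16
secedit /configure /db "$env:TEMP\secpol.sdb" /cfg $cfg /areas SECURITYPOLICY | Out-Null
Remove-Item $cfg, "$env:TEMP\secpol.sdb" -ErrorAction SilentlyContinue

# --- Require NLA on the RDP listener ---
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# Weak setting:   UserAuthentication = 0  (NLA optional; any client reaches session setup)
# Hardened:       UserAuthentication = 1  (client must authenticate via CredSSP first)
# SecurityLayer:  0 = legacy RDP security, 1 = negotiate, 2 = TLS only
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $rdp -Name SecurityLayer      -Value 2 -Type DWord

# --- Verify ---
net accounts                                           # shows the lockout/password values
Get-ItemProperty -Path $rdp -Name UserAuthentication, SecurityLayer |
    Select-Object UserAuthentication, SecurityLayer   # expect 1 and 2

# Domain equivalent (ActiveDirectory module, run as a domain admin; domain name is a placeholder):
# Set-ADDefaultDomainPasswordPolicy -Identity contoso.local -LockoutThreshold 6 `
#     -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00 `
#     -MinPasswordLength 9 -ComplexityEnabled $true -MaxPasswordAge 90.00:00:00
```

The registry change applies to new connections; existing sessions are not affected. Before enforcing NLA, confirm that every client you need to support can negotiate it, otherwise those users will be locked out along with the attackers.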
Unless you must support remote desktop clients that do not implement NLA, all your Remote Desktop servers should be configured to accept only NLA connections.

Auditing and Monitoring of Server Resources and Traffic Patterns

If you audit and monitor server resources and traffic patterns regularly, or with the help of a third-party managed security firm, it becomes easy to spot suspicious behavior such as abnormal server activity that could signal a potential breach. Detecting this activity early is crucial: it lets you single out the sources of the suspicious traffic so you can respond swiftly, block those sources, and close the security gap before a breach occurs.

In Closing

Ultimately the stay-at-home orders will be lifted and we'll be able to resume business as usual. Until then, we shouldn't make cybercriminals' work easy by leaving our ports and servers open. These security tips should help you beef up the security of your servers and your Remote Desktop deployment.
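The monitoring section above and the password-spraying passage in the MFA section both come down to one question: what do the failed logons on the RDP host look like per source address? The block below is an added example by the editor, not from the original post. It reads Security event ID 4625 with Get-WinEvent and classifies each source as a brute-force run (many attempts against one or a few accounts) or a password spray (a few attempts each against many accounts). The thresholds $MinAttempts and $SprayUserThreshold are assumptions to be tuned against your own baseline, the sample events at the end are constructed rather than real log data, and the script sees only this host's own Security log; in a domain, run it against forwarded events or the domain controllers' logs.

```powershell
# Added example (not from the original article): summarise Windows failed-logon
# events (ID 4625) per source IP and flag brute-force vs password-spray patterns.

function Get-FailedLogonSummary {
    param(
        # Objects with TimeCreated, TargetUserName and IpAddress properties.
        [Parameter(Mandatory)] [object[]] $Failures,
        # ASSUMPTION: starting thresholds; tune to the host's normal failure rate.
        [int] $MinAttempts        = 10,   # fewer failures than this is noise
        [int] $SprayUserThreshold = 5     # this many distinct accounts from one IP = spray
    )
    $Failures |
        Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |   # drop local/console failures
        Group-Object IpAddress |
        ForEach-Object {
            $byTime = @($_.Group | Sort-Object TimeCreated)
            $users  = @($_.Group.TargetUserName | Sort-Object -Unique)
            $pattern = if ($_.Count -lt $MinAttempts) { 'below threshold' }
                       elseif ($users.Count -ge $SprayUserThreshold) { 'password spray' }
                       else { 'brute force' }
            [pscustomobject]@{
                IpAddress = $_.Name
                Attempts  = $_.Count
                Accounts  = $users.Count
                First     = $byTime[0].TimeCreated
                Last      = $byTime[-1].TimeCreated
                Pattern   = $pattern
            }
        } |
        Sort-Object Attempts -Descending
}

# Live use on the RDP host (elevated): 4625 events from the last N hours.
# In a 4625 event, Properties[5] is TargetUserName, [10] LogonType, [19] IpAddress.
function Get-RecentFailedLogons([int] $Hours = 24) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625;
                                     StartTime = (Get-Date).AddHours(-$Hours) } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                TargetUserName = $_.Properties[5].Value
                LogonType      = $_.Properties[10].Value   # 3 (NLA/CredSSP) or 10 (RDP session)
                IpAddress      = $_.Properties[19].Value
            }
        }
}

# Constructed sample (NOT real log data): one source hammering "administrator",
# one source trying two passwords against six accounts, and one user who simply
# mistyped a password twice.
$now = Get-Date
$sample = @(
    1..40 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $now.AddSeconds($_); TargetUserName = 'administrator'; IpAddress = '203.0.113.77' } }
    'alice', 'bob', 'carol', 'dave', 'erin', 'frank' | ForEach-Object {
        $u = $_
        1..2 | ForEach-Object {
            [pscustomobject]@{ TimeCreated = $now.AddSeconds($_); TargetUserName = $u; IpAddress = '198.51.100.9' } } }
    1..2 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $now.AddMinutes($_); TargetUserName = 'grace'; IpAddress = '192.0.2.5' } }
)

Get-FailedLogonSummary -Failures $sample | Format-Table -AutoSize
# On a real host: Get-FailedLogonSummary -Failures (Get-RecentFailedLogons -Hours 24)
```

Feed the flagged source addresses back into the firewall allowlist review or an automated block, and treat a "password spray" row as a prompt to check for accounts that succeeded right after a short burst of failures (event ID 4624 from the same address), since a spray that finds a weak password produces very few 4625 entries for the account that was actually compromised.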

