On 13 August 2019, Microsoft released a set of fixes for Remote Desktop Services, including two critical remote code execution (RCE) vulnerabilities.
Microsoft released a statement saying “This vulnerability is pre-authentication and requires no user interaction… An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Remote Desktop Protocol (RDP) is often used by IT support companies to give themselves easy remote access to client servers so that they can manage and monitor them. However, less well-informed and less professional IT firms may well be leaving their clients open to attack.
If your IT firm uses remote access to manage your server then you should read this article.
Firstly, what is RDP?
Remote Desktop Protocol (RDP) is used to connect to other Windows systems remotely. RDP is fast and convenient and as such seems like the perfect solution for access to, or management of, remote servers.
As IT professionals, we see RDP being enabled for a number of reasons. The least secure of these, used predominantly by small companies, is to allow remote management of a server.
Where RDP is used for management of a server, the ‘target’ server is connected directly to the internet, often referred to as being ‘open to the internet’. When a target server is open to the internet, external scans can identify your server as having the RDP port open.
Historically, before this vulnerability was discovered, attackers used “brute force” attacks to gain entry into business systems (a brute force attack is when a cyber-criminal uses software to try hundreds or thousands of common passwords to see if any of them grants access).
With this new vulnerability it is no longer necessary to brute force the password, because the attacker can bypass the password entirely and be granted access through RDP immediately.
This will allow the attacker to infiltrate your network and use a ‘worm’ to spread ransomware, as far and to as many devices as possible.
Whether the attacker gained access from “brute force” or a successful ‘Phishing Attack’, any and all devices on your network that have RDP open are vulnerable to this attack vector.
What should you do?
Check whether your IT support has allowed access to your server over the internet so that they can manage it remotely (you can use our service below if you don’t want to alert your IT to this).
If your IT confirms that they use RDP, check whether they have applied the ‘patch’ for this vulnerability; you might also want to ask when they last patched your server.
If patching is not something that your current IT provider offers, we can provide you with comprehensive patching and monitoring software that keeps track of your systems and makes sure updates are installed. We keep detailed records and apply patches in line with Cyber Essentials, to help you demonstrate how you comply.
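The two checks above (is RDP reachable from the internet, and has the patch been applied) can be started from the server itself. The following PowerShell script is an added example written for this article, not TecSec’s scanning service; it assumes it is run as Administrator on the Windows server in question, and the KB identifier is a placeholder because the article does not list the update numbers for each Windows version.

```powershell
# Added example (not the article's own code): local check of a Windows server's RDP exposure.
# Assumes: run as Administrator on the server; KB number below is a placeholder to be replaced.

$report = [ordered]@{}

# 1. Is RDP enabled at all? fDenyTSConnections = 0 means incoming connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections
$report['RdpEnabled'] = ($ts.fDenyTSConnections -eq 0)

# 2. Is Network Level Authentication required (UserAuthentication = 1)? NLA forces the client to
#    authenticate before a full session is created, which reduces the pre-authentication surface.
$rdpTcp = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication, PortNumber
$report['NlaRequired'] = ($rdpTcp.UserAuthentication -eq 1)
$report['RdpPort']     = $rdpTcp.PortNumber

# 3. Which firewall profiles allow the Remote Desktop rule group? An enabled rule on the Public
#    profile, combined with a public IP or a router port-forward, is what the article calls
#    'open to the internet'.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
         Where-Object { $_.Enabled -eq 'True' }
$report['FirewallProfiles'] = (($rules | ForEach-Object { $_.Profile }) | Sort-Object -Unique) -join ','

# 4. Is the server actually listening on the RDP port, and on which addresses?
$listeners = Get-NetTCPConnection -LocalPort $rdpTcp.PortNumber -State Listen -ErrorAction SilentlyContinue
$report['ListeningAddresses'] = ($listeners.LocalAddress | Sort-Object -Unique) -join ','

# 5. Has the August 2019 Remote Desktop Services update been installed, and when was the server
#    last patched? Replace the placeholder with the KB number(s) for this Windows version.
$requiredKbs = @('KBxxxxxxx')   # placeholder, not a real identifier
$hotfixes = Get-HotFix
$installedIds = $hotfixes | Select-Object -ExpandProperty HotFixID
$report['PatchApplied']  = (($requiredKbs | Where-Object { $installedIds -contains $_ }).Count -gt 0)
$report['LastPatchDate'] = ($hotfixes | Where-Object { $_.InstalledOn } |
                            Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn

# A server with RdpEnabled = True, Public in FirewallProfiles, a non-loopback listening address and
# PatchApplied = False matches the exposed, unpatched case the article warns about.
[pscustomobject]$report | Format-List
```

Whether the port is reachable from outside still depends on the router or perimeter firewall, so a positive local result should be confirmed with an authorised external scan such as the one offered below.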
What happens if you do nothing?
Taking no action to secure your RDP could result in:
Someone writing a script that scans the internet for machines with RDP enabled and uses the exploit to install itself on your server.
Then, after quietly installing itself on all your devices, what if the malware waited 74 hours and then encrypted your data with a password only the malware writer knows, and he decides to charge you £10,000 for that password so you can get your data back?
This is the behaviour of a threat called a worm (mentioned previously), the same type of threat as “WannaCry”, one of the most infamous cyber-attacks of all time.
As scary as all of this may seem, in some cases RDP is used in a controlled and secure manner and there may be no need for concern; however, if the patch hasn’t been applied, then your network is at risk.
‘WannaCry’ was able to encrypt and spread to over 230,000 computers, across 150 countries. If RDP is left exposed, it could be as catastrophic.
Why not find out whether your RDP is in fact open? Simply request a FREE scan below.
Before requesting a scan, please make sure that you have the appropriate authorisation to permit TecSec to scan your network.