On the 13 August 2019, Microsoft released a set of fixes for Remote Desktop Services, including two critical REMOTE CODE EXECUTION (RCE) vulnerabilities.
Catchily named CVE-2019-1181 and CVE-2019-1182 these exploits allow access through remote desktop, in essence bypassing that secure password you set.
Microsoft released a statement saying “This vulnerability is pre-authentication and requires no user interaction…. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Remote Desktop Protocol (RDP) is often used by IT support companies to provide them with easy remote access to client servers to manage and monitor those servers, however the less well informed and less professional IT firms may well be leaving their clients open to attack.
If your IT firm uses remote access to manage your server then you should read this article.
Firstly, what is RDP?
Remote Desktop Protocol (RDP) is used to connect to other Windows systems remotely. RDP is fast and convenient and as such seems like the perfect solution for access to, or management of, remote servers.
As IT professionals, we see RDP being enabled for a number of reasons. The least secure of which is predominately used by small companies, to allow remote management of a server.
Where RDP is used for management of a server, the ‘target’ server is connected directly to the internet, often referred to as ‘Open to the internet’. When a target server is open to the internet, this allows external scans to identify your server as having the RDP port open.
Historically, before the vulnerability was discovered, the hacker used “brute force” attacks to gain entry into the businesses systems (a brute force attack is when a cyber-criminal uses software to guess hundreds or thousands of common passwords to see if they can gain access).
With this new vulnerability it is no longer necessary to brute force the password, because the attacker can now bypass the password entirely and immediately be granted access through RDP.
This will allow the attacker to infiltrate your network and use a ‘worm’ to spread ransomware, as far and to as many devices as possible.
Whether the attacker gained access from “brute force” or a successful ‘Phishing Attack’, any and all devices on your network that have RDP open are vulnerable to this attack vector.