What is Virtual Private Networking?
A Virtual Private Network (VPN) is a remote access tool used by most organizations to allow employees, vendors/partners and other stakeholders access to their company’s corporate networks and resources. When configured and deployed correctly, a VPN can help ensure that access is secure. However, Cypfer has observed that in many cases VPN technologies are deployed in a manner that may increase risk to an organization by opening a doorway for cyber-attackers to exploit.
What is Remote Desktop Protocol or Gateway?
Remote Desktop Protocol (RDP) or Remote Desktop Gateway (RDG) is a technology that allows users to connect from their remote system to a computer within the corporate network that is running the RDP/RDG service (application). This allows access to a graphical user interface that mimics the functionality of a desktop computer.
Many organizations utilize this technology to allow their employees remote access to corporate resources including files, applications and databases. In its simplest configuration, the technology may provide limited security beyond login and password requirements. In turn, this technology configuration has proven to be a favorite attack target for threat actors.
Based on Cypfer’s experience in handling numerous cyber security incidents involving VPN and RDP/RDG as the criminal’s entry point, this article will discuss and highlight some of the common issues with the technology.
RDP/RDG and VPNs are everywhere
Most organizations have implemented VPNs and/or enabled RDP for remote access from the internet. Due to the recent pandemic pressure of COVID-19, organizations were forced to allow employees to work from home. The rapid deployment of remote access technologies meant that in many instances, functionality took priority over security. Threat actors realized early on that weak security controls, in addition to new working conditions, presented an enticing opportunity to attack organizations.
Out of the box configuration is weak
The configuration of RDP/RDG or VPN on most operating systems is a relatively simple endeavor that can be accomplished by most users following simple instructions. When COVID-19 occurred, many users took it upon themselves to enable RDP to their office computer, often without help from an IT professional. Many SMB organizations have limited resources when it comes to IT support; for this reason, they often provide their users with privileged access to their own desktops. Users are left to configure their own devices and remote access technologies, often opting for ‘out of the box’ implementation, resulting in a focus on functionality that can lack security controls. For example, if these technologies are not already running on a system, they can normally be turned on with just a few clicks of the mouse.
A crucial misstep is allowing these systems to be made visible through directly exposing them to the internet. Once directly exposed, the system is not only reachable from the internet but also easily discoverable. Threat actors know this and are continuously “prowling” for new systems to become “alive” on the internet. If a system has RDP/RDG/VPN enabled and is reachable from the internet, it can become a target almost immediately. Cypfer has found that a system exposing one of these technologies can become the target of a brute force password attack within less than 10 minutes after it goes live on the Internet.
Systems running remote access software are always “listening” for a virtual knock on the door, as this is their core functionality. Simultaneously, threat actors utilize automated systems that basically knock on every door they can, hoping to find a positive response. Threat actors apply these tools for their own nefarious purposes.
Through the default configuration, these remote access systems provide a screen/challenge for a login and password. Unfortunately, that screen indicates to a would-be attacker that this system hosts a remote access service that they can attempt to compromise.
Often when a threat actor finds remote access to a system, they begin brute force or dictionary attacks (an attack using words from a predefined dictionary). In many cases these attacks go unnoticed and continue for hours or days until the threat actors find a combination that allows them to log in to the system. With the correct username and password combination, a legitimate remote user (or threat actor that cracked the login/password) will have the same level of access and capabilities as if they were seated in front of the on-premise computer.
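The brute-force pattern described above can be caught from logon events rather than going unnoticed for days. The following detection sketch is an added example, not part of the original article or Cypfer's tooling: the CSV layout, the thresholds and the sample events are constructed for illustration, while event IDs 4625/4624 and logon types 3/10 are the standard Windows Security log values. It assumes events arrive in chronological order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, Windows Security event ID, logon type, user, source IP.
# 4625 = failed logon, 4624 = successful logon; type 10 = RemoteInteractive (RDP),
# type 3 = Network (what RDP with Network Level Authentication records).
SAMPLE_EVENTS = """\
2024-01-10T02:00:05,4625,3,administrator,203.0.113.7
2024-01-10T02:00:41,4625,3,admin,203.0.113.7
2024-01-10T02:01:17,4625,3,backup,203.0.113.7
2024-01-10T02:02:02,4625,3,jsmith,203.0.113.7
2024-01-10T02:02:40,4625,3,jsmith,203.0.113.7
2024-01-10T02:03:11,4625,3,jsmith,203.0.113.7
2024-01-10T02:03:55,4624,10,jsmith,203.0.113.7
2024-01-10T08:58:30,4625,10,mlee,198.51.100.20
2024-01-10T08:59:02,4624,10,mlee,198.51.100.20
2024-01-10T09:15:00,4625,2,mlee,-
"""

REMOTE_LOGON_TYPES = {"3", "10"}  # ignore console and service logons


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (alerts, compromised): source IPs that reached the failure
    threshold within the window, and (ip, user, time) for every successful
    remote logon that came from such an IP afterwards."""
    recent = defaultdict(deque)  # src_ip -> timestamps of failures inside the window
    flagged, compromised = {}, []
    for line in lines.strip().splitlines():
        ts, event_id, logon_type, user, src = [f.strip() for f in line.split(",")]
        if logon_type not in REMOTE_LOGON_TYPES:
            continue
        when = datetime.fromisoformat(ts)
        if event_id == "4625":
            q = recent[src]
            q.append(when)
            while when - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                flagged.setdefault(src, when)  # remember first time it tripped
        elif event_id == "4624" and src in flagged:
            # A success after a burst of failures is the case to escalate.
            compromised.append((src, user, ts))
    return sorted(flagged), compromised


if __name__ == "__main__":
    alerts, compromised = detect_bruteforce(SAMPLE_EVENTS)
    print("brute-force sources:", alerts)
    print("success after brute force:", compromised)
```

A single mistyped password followed by a successful logon (the 198.51.100.20 events) stays below the threshold and raises nothing, which keeps the alert tied to the sustained guessing the article describes.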
Outdated remote access software
Remote access software is, at its very core, just software. That software is reliant upon components and services being offered by the operating system and while the process to enable them is quite simple, the applications themselves are quite complex. Unfortunately, these applications may also contain bugs and security vulnerabilities that the bad guys can use to their advantage.
As applications age the threat actors continuously look for vulnerabilities. Time is often on their side, because in many cases, users tend to install the software and then leave it alone. After all, why mess around with something that appears to be working? This approach to managing remote access risk is actually very unsafe and can result in a devastating compromise to systems and data.
If we were to use an analogy, imagine that burglars identified a big mansion as a potential target for an attack. They might sit around in a car, looking for signs of security guards, traffic going in/out of the mansion, and they might even approach the door, knock a few times and observe if anyone notices the activity. If they receive no response day or night and notice that the lock on the door appears to be old and uses a very simple key, an attack is likely imminent.
This is very similar to how threat actors would approach a cyber-attack on an organization. An outdated remote access application is typically very vulnerable and easy to compromise even without login credentials. One other thing to remember is that an attack on a “digital door” is far easier than a physical door and the risk of getting caught is extremely low.
As a final example, RDP/RDG technology in particular can be fraught with vulnerabilities. Several significant issues have surfaced in recent years that resulted in virtual waves of attacks against systems. Some of these vulnerabilities even allow for the remote execution of code, software or programs and result in threat actors gaining full access and control of the system.
Over the past two decades, countless vulnerabilities have been identified with RDP and RDG, including several critical ones this year alone. While patches are quickly made available by vendors, the reality is that many organizations have competing priorities and these patch deployments often get postponed, creating an opportunity for the threat actors to attack.
How to secure Remote Access?
Layering security controls introduces complexities for threat actors, and it might just be the difference between becoming a victim or not. That means with every recommended hardening technique or an additional security control put in place your organization can move away from being the most vulnerable target. In many cases, vulnerabilities in software applications, especially critical ones, may become harder to exploit as the configuration of the service begins to move away from the generic default to a more customized configuration. It is important to note that there is no 100% secure approach, but the closer we strive to reach 100% the more difficult a target your organization can become.
Some of the techniques to harden remote access may include the use of both VPN and RDP together (using different authentication mechanisms), implementation of multi-factor authentication (MFA), restriction on which accounts may use remote access, during what times, with what password strength, and internal operating system controls that manage passwords and authentication processes.
If an organization does not implement anything but the defaults of a login and password, there is a high likelihood that there may be a successful attack which could result in encryption and exfiltration of data and a likely demand for payment.
Besides the immediate impact to operations and their bottom line, organizations are left to manage such events with potential impacts to brand, customer data, regulatory compliance and notification requirements.
What are your risks?
Historically, small businesses were under the impression that they are small and as such, insignificant to threat actors. The truth is far from that. It is not just about how important the business data is to the threat actor, but also how much the owner of the business would pay to get their data back. In many instances, these amounts have significantly increased, and, in some cases, the demands are so significant that a business may not survive an attack on their own.
In recent months we have witnessed an increase in the number and severity of cyber-attacks. The increase in cyber security incidents and threat actors has also created a competitive landscape where threat actors may be competing against each other. Cypfer has seen a number of cases where an organization was attacked by two or more criminal groups at the same time!
Finally, some of the recent vulnerabilities found in remote access technologies and the continued improvements to the tools available for threat actors to utilize in exploits, means that the required sophistication of a would-be attacker has decreased, thereby giving even more cyber-criminals an opportunity to do damage.
Based on Cytelligence’s experience, in almost 60% of incidents, the initial attack vector was through an exploitation of a remote access system. As such, these systems represent a significant risk reduction opportunity if appropriate controls and configuration are applied.
Mitigating the risk
Some of the most effective ways to potentially reduce the risks associated with remote access systems are also some of the simplest:
- Disable remote access technologies if not absolutely required for the business.
- Restrict remote access to only the users that require such access and restrict access to only the services/systems that such users may require.
- Use current versions of operating systems and regularly update and patch. Critical patches should be applied to remote access systems within 3-7 days. Remember: threat actors do not care about any explanations.
- Enforce a strong password policy with regular password changes. A strong password policy means not only the strength of the password but also complexity, lock-out policies and similar settings.
- Restrict and segment remote access services based on data classification.
- Use a VPN with MFA if you do use RDP.
- Where possible use multiple account login credentials as opposed to configuring all layers to authenticate via the same active directory.
Cypfer offers an assessment service to assess your external posture for any misconfigurations and can provide a rapid health-check for your organization. We are here to help support organizations in their risk reduction journey and to educate companies on the potential impact a cyber event can have.