A recent rash of malware attacks on Microsoft’s RDP calls into question current thinking in terms of battling Trojan attacks.
Editor’s Note: In an attempt to broaden our interaction with our readers we have created this Reader Forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editors at: dmeyer@rcrwireless.com.
Network security often seems like a game of cat and mouse – hackers bent on stealing personal and corporate information are constantly coming up with new code and variants in an attempt to get to the lucrative “cheese” of credit card numbers, passwords and other sensitive information.
A recently discovered malware, Trojan.sysscan, attacks Microsoft Remote Desktop Protocol servers. According to various accounts, a Trojan.sysscan attack begins by brute-forcing RDP credentials on a target computer running anything from Windows XP up to and including Windows Server 2012 R2. Once a valid login is found, the malware is downloaded and executed on the victim machine.
Once ensconced, the Trojan configures a hidden backdoor account, which then allows its controllers at-will access in order to scan for credentials, corporate or personal financial information, and other target data for exfiltration. Some reports have indicated the Trojan evades detection easily, which makes this malware very dangerous indeed.
It should be noted that there have also been several reports of hackers using RDP server ports to deliver ransomware payloads.
Basic defense – or not
Because RDP is very popular as a means of giving users access to their desktop PCs and corporate resources anywhere at any time, it’s important to understand and prepare against these and other threats.
Of necessity, RDP ports are typically left open 24/7/365 to allow employees to access their desktop whenever and wherever needed. To further compound the risk, the RDP servers are frequently connected directly to the internet, bypassing the security mechanisms in place for the network itself.
A number of articles on Trojan.sysscan have recommended implementing strong passwords in order to defend against this attack’s entry method: brute-force credential guessing. While this is all well and good, a determined hacker could still break in, especially if they suspect the presence of highly lucrative data within the network.
Human factors can also come into play with this strategy; many end-users seem oblivious to the dangers of malware and it only takes one moment of carelessness to allow Trojan.sysscan in the door. Given the recent uptick in attacks, these strategies may not be enough.
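Strong passwords alone give no visibility into the guessing itself. The following is an added example, not code from the original piece or from any vendor it mentions: it runs over constructed Windows Security event records (Event ID 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive, i.e. RDP) and flags a source that fails repeatedly within a short window, plus the more serious case of a success from a source that was already flagged. Threshold and window are assumed values a defender would tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields mirror the parts of
# Windows Security events 4625/4624 that matter for RDP brute-force detection.
SAMPLE_EVENTS = [
    {"time": "2016-05-10T02:00:01", "id": 4625, "logon_type": 10, "user": "admin", "src": "198.51.100.7"},
    {"time": "2016-05-10T02:00:03", "id": 4625, "logon_type": 3,  "user": "admin", "src": "198.51.100.7"},
    {"time": "2016-05-10T02:00:05", "id": 4625, "logon_type": 10, "user": "admin", "src": "198.51.100.7"},
    {"time": "2016-05-10T02:00:10", "id": 4625, "logon_type": 10, "user": "admin", "src": "198.51.100.7"},
    {"time": "2016-05-10T02:00:12", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.5"},
    {"time": "2016-05-10T02:00:15", "id": 4625, "logon_type": 10, "user": "admin", "src": "198.51.100.7"},
    {"time": "2016-05-10T02:00:20", "id": 4625, "logon_type": 10, "user": "admin", "src": "198.51.100.7"},
    {"time": "2016-05-10T02:00:25", "id": 4625, "logon_type": 10, "user": "admin", "src": "198.51.100.7"},
    {"time": "2016-05-10T02:00:30", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.5"},
    {"time": "2016-05-10T02:00:40", "id": 4624, "logon_type": 10, "user": "admin", "src": "198.51.100.7"},
]


def detect_rdp_bruteforce(events, threshold=5, window_seconds=60):
    """Return a list of (src, kind, user, time) alerts.

    kind is "bruteforce" when a source reaches `threshold` failed RDP logons
    inside a sliding window of `window_seconds`, and
    "success_after_bruteforce" when a flagged source later logs on successfully
    (the signal that a guessed credential actually worked).
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still in window
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are in scope here
        t = datetime.fromisoformat(ev["time"])
        src = ev["src"]
        q = recent[src]
        while q and t - q[0] > timedelta(seconds=window_seconds):
            q.popleft()  # drop failures that fell out of the window
        if ev["id"] == 4625:
            q.append(t)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "bruteforce", ev["user"], ev["time"]))
        elif ev["id"] == 4624 and src in flagged:
            alerts.append((src, "success_after_bruteforce", ev["user"], ev["time"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The second alert kind is the one worth paging on: a burst of 4625s followed by a 4624 from the same source is exactly the footprint of the entry method described above.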
Adding defensive layers
Security strategies for RDP servers must strike a delicate balance, maintaining the easy remote and mobile access that users require while strengthening protective mechanisms to keep Trojan.sysscan and other malware out.
If an enterprise-class secure sockets layer (SSL) virtual private network product is already in place to authenticate and control access to the network, simply placing the RDP servers behind it can provide defense in depth, adding multiple layers of security for RDP.
For example, most SSL VPN solutions include built-in multifactor authentication mechanisms or can interface with third-party multifactor authentication products. Because the additional factor is tied to a machine ID, randomly generated, or based on another such scheme, the authentication becomes infinitely tougher, if not impossible, for a brute-force attack to crack.
In addition, most SSL VPN products can employ a full reverse proxy to the network assets behind them, meaning the standard RDP ports are not exposed or connected directly to the public internet. They are effectively veiled from attackers’ view, further negating the threat of Trojans, ransomware and other malicious attacks.
Security vs. the user experience
It is important to note that enterprise-class SSL VPN products typically function in a manner that is almost completely transparent to the end user, other than adding just one additional step if multifactor authentication is used. The ease of use that has made RDP so widely adopted is thus maintained for the end user, while security is heightened considerably.
Another option is to eliminate RDP entirely, replacing it with an alternative remote desktop access method. Multiple options are available; most operate very similarly to Microsoft RDP with comparable ease of use for employees. While this option may carry cost in terms of both capital expense and operating expense, in the end it will remove a threat target that is becoming increasingly attractive to hackers.
Network security is always a balancing act, with IT managers negotiating the difficult path of maintaining the security of network resources and assets, while supporting user productivity through streamlined processes and enhanced ease of use. An enterprise-class SSL VPN can help navigate this path by adding multiple layers of security mechanisms while maintaining a seamless end-user experience for remote desktop access.