There is an old saying in the information security field that if an adversary has physical access to your computer then it is not your computer anymore. Not all remote desktop tools are built to view or. Mac computer is the local computer and the remote computer is the Windows computer.Remote desktop connection tools should be designed to be easy to use and to provide multi-monitor desktop support for Mac, Windows, and Linux operating systemsmeaning when accessing a user’s workstation, you can switch between viewing each of their monitors with the click of a button. Before we dive in, let’s begin by looking at an old maxim.Unlike most remote desktop products, Splashtops Drag-and-Drop File. Speedify is available in the Citrix Ready Marketplace.Sometimes, you have to say something about things that “go without saying” and it seems the best way to start this post is by mentioning just that, because this is not a subject I expected to have to write about in this day and age.For the adversaries, it’s just part of their job description.COM The World's Odometer Rolls Over I don't eat them. Rather, it is an unavoidable truth. This is not a particularly surprising turn of events, nor a particularly clever one. Installing devices such as hardware keyloggers, removing disk drives and copying them, and otherwise deleting, altering or adding anything they want on the system all become exponentially easier when you can walk right up to the computer.
There are many servers running various versions of Microsoft Windows server operating systems that are directly connected to the internet with what amounts to little or no practical security around who can access them. Usually, there’s some separation of the servers, whether they be in their own dedicated room, or even tucked away in some back corner that is off-limits to most personnel.Yet for all this common knowledge, the lessons learned about security in the physical world do not always transfer well (or correctly) into the internet world. Or, at least, no business that wants to remain in business allows this. These kinds of places do not put their servers at the front desk in the lobby, reception area, visitor center, waiting room or other locations where the public or, conceivably, any employee, faculty, student, or staff may enter and gain physical access to them. Businesses and schools and all sorts of organizations are not blind to this, though. Keeps Disconnecting For Windows Remote Desktop Software Preinstalled AsFrom that connection, a person can open directories, download and upload files, and run programs, just as if using the keyboard and monitor connected to that server.RDP was invented by Citrix in 1995 and sold as part of an enhanced version of Windows NT 3.51 called WinFrame. A connection to a server in this case means it could be directly to the server’s operating system, or it could be to an operating system running inside a virtual machine on that server. In a domain, computers running a Windows Client operating system, such as Windows XP or Windows 10, come with RDP client software preinstalled as part of the operating system, which allows them to connect to other computers on the network, including the organization’s server(s). What is RDP?RDP, short for Remote Desktop Protocol, allows one computer to connect to another computer over a network in order to use it remotely. erasing or overwriting old backups, if they are accessibleThis is not a complete list of all the things an attacker can do, nor is an attacker necessarily going to perform all of these activities. downloading and installing various programs onto the server disabling security software or setting up exclusions in it (which is allowed for administrators) disabling scheduled backups and shadow copies Image from sextortion email scam mentioning RDPFor more information about these types of email scams, I recommend this series of articles by my colleague Bruce P. It seems there is little honor among thieves.Knowledge around RDP attacks has reached a point that even sextortion scammers are incorporating mention of it in their ransom notes in an attempt to make their scams sound more legitimate.Figure 1. installing ransomware in order to extort money from the organization, often to be paid using cryptocurrency, such as bitcoinIn some cases, attackers might install additional remote-control software to maintain access (persistence) to compromised servers in case their RDP activities are discovered and terminated.We have not seen any servers that were compromised both to extort via ransomware and to mine cryptocurrency, but we have seen instances where a server was compromised by one attacker to mine cryptocurrency, then later compromised by other attackers who changed the coin miner so that the proceeds went to them, instead. installing coin-mining programs in order to generate cryptocurrency, such as Monero While the exact nature of what attackers will do varies greatly, two of the most common are: The attacks have reportedly been less than successful, with about 91% of vulnerable computers crashing with a stop error (aka bug check or Blue Screen of Death) when the attacker attempts to exploit the BlueKeep vulnerability. At the beginning of November, mass reports of BlueKeep exploitation became public, as noted by ZDNet and WIRED, amongst other news outlets. While no major escalations in BlueKeep activity were reported for the next couple of months, this has recently changed. However, with support for both Windows Server 2008 and Windows 7 ending in January 2020, having computers running these and being directly accessible using RDP via the internet represents a risk to your business that you should already be planning to mitigate.This does not mean that you immediately need to stop using RDP, but that you need to take additional steps to secure it as soon and as quickly as possible. This may be problematic for some businesses, because there may be some seemingly legitimate reasons for this. Defending against RDP-borne attackersSo, with all that in mind, what can you do? Well, the first thing, obviously, is to stop connecting directly to your servers over the internet using RDP. So, let’s take a look at what needs to be done. So, while not the feared wormable attack, it does appear a criminal group has automated exploitation, albeit without a high success rate.When I originally started writing this blog post, it was not my intention to go into a detailed description of the vulnerability, nor was it to provide a timeline of its exploitation: my goal was to provide readers with an understanding of what must be done to protect themselves against this threat. Disallow external connections to local machines on port 3389 (TCP/UDP) at the perimeter firewall.
0 Comments
Leave a Reply. |
Details
AuthorCindy ArchivesCategories |