How Attackers Exploit the Remote Desktop Protocol – Security Intelligence


How Attackers Exploit the Remote Desktop Protocol

The Remote Desktop Protocol (RDP) is one of the most popular communication protocols for remotely controlling systems. RDP comes with all current Windows operating systems, and its graphical user interface makes it an easy-to-use remote access tool. In addition, Microsoft positions it as the default method to manage Azure virtual machines running Windows.
It didn’t take long before attackers realized this is a golden egg. Instead of attempting to abuse a vulnerability with no guaranteed success, they realized it’s far more efficient to use the remote access tools there for the taking. They just need to obtain the correct credentials to gain access. As it happens, according to a recent X-Force report, stolen credentials to access these systems are part of a lucrative market on the dark web.

Directly exposed servers are not the only systems where attackers use (or rather abuse) RDP. One of their objectives is to blend in with regular traffic. Because RDP is such a popular protocol, attackers use it to move to other systems once they have gained access.

What Is RDP and Who Uses It?

Before we jump to RDP risks and defenses, it’s good to know how it works. RDP is a two-way communication protocol. It can:

This process is asymmetric. While most of the data comes from the server to the client, the client transfers little data back. The client and the server have to go through a number of phases before setting up communication. After a client starts the connection, it agrees with the server on usage settings (for example, screen resolution), supported capabilities and license information. They then agree on the type of RDP security, choosing from two supported modes:

  • Standard, based on RC4
  • Enhanced, where RDP relies on other protocols such as TLS or CredSSP.

Finally, they have to agree on the number of channels required. Channels are individual data streams, each with their own ID, that make up the remote desktop protocol. Such channels can redirect access to the file system or enable clipboard sharing between client and server.

Vulnerabilities in RDP: BlueKeep

Researchers in 2019 found a critical vulnerability, dubbed BlueKeep, in this concept of channels. Exploiting the vulnerability (CVE-2019-0708) leads to the remote execution of arbitrary code without any user interaction. On top of that, it did not require valid credentials. These facts combined could have led to a worm, malware that can propagate itself between vulnerable systems. We witnessed something like this earlier with the WannaCry malware.

To exploit the vulnerability, the client had to request a specific channel name, MS_T120, and then bind it to a channel ID other than 31.

What’s notable about BlueKeep is that it affected older Windows systems. This forced Microsoft to take the unusual step of releasing new patches for systems it no longer supported.

Other Luring Vulnerabilities

In August 2019, researchers announced DejaBlue. DejaBlue is not one vulnerability but a list of flaws that, similar to BlueKeep, allow attackers to hijack vulnerable systems without any form of authentication. Unlike BlueKeep, the vulnerabilities of DejaBlue were located in more recent versions of Windows.

Sometimes, attackers do not need to abuse vulnerabilities. They can simply abuse misconfigurations. Some of the common pitfalls with RDP security include:

  • Weak user sign-in credentials
  • Servers where you’re not logging or monitoring RDP logins. These systems allow attackers to attempt brute-force or password spraying attacks at will.
  • Publicly exposed systems without any network filtering.

APT Groups Using RDP

We can also look at MITRE ATT&CK to understand the interest of attackers in RDP and how it is used in their operations.

  • Groups such as APT41, FIN6 and FIN7 use RDP to move laterally
  • Groups such as FLIPSIDE use RDP to exfiltrate information. Ngrok, for example, is a legitimate reverse proxy that can tunnel traffic in RDP to exfiltrate victim data.
  • The WannaCry malware could execute its payload in existing remote desktop sessions. This ‘stealing’ of a session is commonly referred to as RDP hijacking.

Despite these risks and the interest of attackers, RDP still has a lot of value to offer. There are a number of key elements to consider to protect remote desktop servers.

Patch management is the obvious first step. Keeping your systems up-to-date is always good advice, especially for crucial remote access services.

In most cases, you don’t need to expose RDP to the whole world. You can use a firewall, IP restrictions, limit access via a VPN or use just-in-time-access. The latter greatly reduces the risk and still lets you access the service when you need it.

Ensure that you do not use easy-to-guess passwords for RDP-enabled accounts. Don’t allow remote access to all system users if they don’t need it. In addition, it makes sense to implement some form of automatic account lock-out, preventing attackers from guessing the password via brute-forcing.

You may also want to enable Network Level Authentication or NLA, a mitigation measure to prevent unwanted access to the RDP tunnel.
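The preventive measures above (restrict who can reach RDP, restrict which accounts may use it, lock accounts out after repeated guesses, and require NLA) can be audited and applied from an elevated PowerShell session. The script below is an added example written for this article, not code from the author or from Microsoft; the management subnet and the lockout values are assumptions to adapt to your environment.

```powershell
# Added example: audit and harden a host's RDP exposure along the lines described above.
# Run in an elevated PowerShell session on the RDP server itself.
#Requires -RunAsAdministrator

$ManagementSubnet = '10.0.10.0/24'   # assumption: the only network allowed to reach RDP
$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpPosture {
    # Collect the settings worth checking into one object: is RDP on, is NLA required,
    # which remote addresses the built-in firewall rules accept, and who may log on remotely.
    $nla    = (Get-ItemProperty -Path $RdpTcpKey -Name UserAuthentication).UserAuthentication
    $denyTs = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections
    $rules  = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
    $scopes = $rules | Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress
    $users  = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue).Name
    [pscustomobject]@{
        RdpEnabled           = ($denyTs -eq 0)
        NlaRequired          = ($nla -eq 1)
        FirewallRemoteScopes = (($scopes | Sort-Object -Unique) -join ', ')   # "Any" means exposed to everyone
        RemoteDesktopUsers   = ($users -join ', ')                            # local Administrators are implicitly allowed too
    }
}

function Set-RdpHardening {
    param([Parameter(Mandatory)][string]$AllowedSubnet)

    # 1. Require Network Level Authentication: the client must authenticate (CredSSP)
    #    before a desktop session is created.
    Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value 1 -Type DWord

    # 2. Limit the built-in "Remote Desktop" firewall rules to the management subnet
    #    instead of the default "Any" remote address.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -RemoteAddress $AllowedSubnet

    # 3. Lock accounts after repeated bad guesses (assumed values: 5 attempts within
    #    15 minutes, locked for 15 minutes) so password guessing does not run unchecked.
    net accounts /lockoutthreshold:5 /lockoutwindow:15 /lockoutduration:15 | Out-Null
}

'--- before ---'; Get-RdpPosture | Format-List
Set-RdpHardening -AllowedSubnet $ManagementSubnet
'--- after ----'; Get-RdpPosture | Format-List
```

Review the RemoteDesktopUsers line as carefully as the firewall scope: every member of that group, plus every local administrator, is a password-guessing target, so remove accounts that have no business logging on remotely.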

Monitoring and Forensic Artifacts

Regardless of how secure you make the RDP setup, there will always be a time when attackers attempt to abuse it. That’s when you should rely on logging and monitoring to analyze what is going on. Some of the important sources of forensic artifacts for RDP include:

  • The commands quser, qwinsta and qprocess, which give information on RDP users, sessions and processes
  • The Microsoft-Windows-TerminalServices-RemoteConnectionManager and Microsoft-Windows-TerminalServices-LocalSessionManager logs, which record client network connections and the start and stop of RDP sessions
  • And finally, Microsoft-Windows-Security-Auditing, which includes the events for successful or failed authentication attempts.
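The three artifact sources above can be pulled together into a small triage script. The example below is added here and is not the author's code: it queries the two TerminalServices operational channels for session start, disconnect and reconnect events, flattens Security event 4625 (failed logon) records, and then looks for the brute-force and password-spraying patterns mentioned earlier. The event IDs and channel names are real; the thresholds, the 24-hour window and the sample data at the bottom are assumptions or constructed.

```powershell
# Added example: collect RDP forensic artifacts and flag logon-failure patterns.
$Since = (Get-Date).AddHours(-24)   # assumption: look back one day

function Get-RdpSessionEvents {
    # LocalSessionManager: 21 = session logon succeeded, 24 = session disconnected,
    # 25 = session reconnection succeeded. RemoteConnectionManager: 1149 = user
    # authentication succeeded (recorded before a session exists).
    $lsm = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 24, 25
        StartTime = $Since } -ErrorAction SilentlyContinue
    $rcm = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
        Id        = 1149
        StartTime = $Since } -ErrorAction SilentlyContinue
    @($lsm) + @($rcm) | Sort-Object TimeCreated |
        Select-Object TimeCreated, ProviderName, Id, Message
}

function ConvertFrom-LogonFailure {
    # Flatten a Security 4625 record. Field names are taken from the event XML,
    # so this does not depend on the ordering of the Properties array.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            User      = $data['TargetUserName']
            Source    = $data['IpAddress']
            # 10 = RemoteInteractive. With NLA enabled a bad password fails during
            # CredSSP and is logged as type 3, so do not filter on type 10 alone.
            LogonType = $data['LogonType']
        }
    }
}

function Get-RdpLogonFailures {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
        -ErrorAction SilentlyContinue | ConvertFrom-LogonFailure
}

function Find-LogonAbuse {
    # Brute force: many failures for one account from one source address.
    # Password spraying: one source address trying many distinct accounts, a few times each.
    param($Failures, [int]$BruteForceThreshold = 20, [int]$SprayUserThreshold = 10)
    foreach ($src in ($Failures | Group-Object Source)) {
        $users = @($src.Group | Group-Object User)
        foreach ($u in $users) {
            if ($u.Count -ge $BruteForceThreshold) {
                [pscustomobject]@{ Pattern = 'BruteForce'; Source = $src.Name
                                   Detail = "$($u.Name): $($u.Count) failures" }
            }
        }
        if ($users.Count -ge $SprayUserThreshold) {
            [pscustomobject]@{ Pattern = 'PasswordSpray'; Source = $src.Name
                               Detail = "$($users.Count) distinct accounts tried" }
        }
    }
}

# Constructed sample (documentation address ranges) so the detection logic can be read
# without a live log: 30 failures for one account, then one failure each for 12 accounts.
$sample = @()
1..30 | ForEach-Object { $sample += [pscustomobject]@{ Time = Get-Date; User = 'administrator'; Source = '203.0.113.5'; LogonType = '3' } }
1..12 | ForEach-Object { $sample += [pscustomobject]@{ Time = Get-Date; User = "user$_";       Source = '198.51.100.7'; LogonType = '3' } }
Find-LogonAbuse -Failures $sample | Format-Table -AutoSize

# On a live host (elevated session, since the Security log needs admin rights):
# Get-RdpSessionEvents | Format-Table -AutoSize
# Find-LogonAbuse -Failures (Get-RdpLogonFailures) | Format-Table -AutoSize
# qwinsta   # current sessions, including disconnected ones an attacker could hijack
```

Expected output for the sample is one BruteForce row for 203.0.113.5 and one PasswordSpray row for 198.51.100.7. The session events complement the Security log: a 25 (reconnect) for a session that the legitimate user did not reconnect, or a 1149 from an unexpected address, is exactly the trace that RDP hijacking and credential abuse leave behind.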

Manage RDP Risks for Safe Use

Although there are risks that come with RDP and high interest from attackers in remote access tools, it doesn’t mean you cannot deploy them in a safe and controlled manner. If you take into account the preventive measures and set up sufficient logging and monitoring, you should be good to go.

Koen Van Impe

Security Analyst

Koen Van Impe is a security analyst who worked at the Belgian national
CSIRT and is now an independent security researcher. He has a twitter feed (@cudes…