Tuesday, July 16, 2024
EHA

Hackers Conducting RDP Attacks Using New Technique to Bypass Protections

A Microsoft Windows component, RDP was designed to provide administrators, engineers, and users with remote access to systems. However, threat actors have been using the technology for nefarious purposes, and the trend continues, especially since an RDP attack is usually more difficult to detect than a backdoor. 

Threat actors continue to prefer RDP for the stability and functionality advantages over non-graphical backdoors, which can leave unwanted artifacts on a system.”

These allow attackers to establish a connection with a remote server blocked by a firewall and abuse that connection as a transport mechanism to “tunnel” local listening services through the firewall, thus rendering them accessible to the remote server. 

Network tunneling and port forwarding take advantage of firewall “pinholes” (ports not protected by the firewall that allow application access to a service on a host in the network protected by the firewall) to establish a connection with a remote server blocked by a firewall.

Once a connection has been established to the remote server through the firewall, the connection can be used as a transport mechanism to send or “tunnel” local listening services (located inside the firewall) through the firewall, making them accessible to the remote server (located outside the firewall).

One utility used to tunnel RDP sessions is PuTTY Link, or Plink, which allows attackers to establish a secure shell (SSH) network connections to other systems. With many IT environments either not inspecting protocols or not blocking SSH communications outbound from their network, attackers can use the tool to create encrypted tunnels and establish RDP connections with the command and control (C&C) server. 

How it works?

RDP attack

FIG: Enterprise firewall bypass using RDP and network tunneling with SSH as an example
RDP attack

FIG: Example of successful RDP tunnel created using Plink
RDP attack

FIG: Example of successful port forwarding from the attacker C2 server to the victim

Jump Box Pivoting

Not only RDP is the perfect tool for accessing compromised systems externally, but RDP sessions can also be daisy chained across multiple systems as a way to move laterally through an environment.

FireEye has observed threat actors using the native Windows Network Shell (netsh) command to utilize RDP port forwarding as a way to access newly discovered segmented networks reachable only through an administrative jump box.

RDP attack

For example, a threat actor could configure the jump box to listen on an arbitrary port for traffic being sent from a previously compromised system. The traffic would then be forwarded directly through the jump box to any system on the segmented network using any designated port, including the default RDP port TCP 3389,”

Prevention of RDP Tunneling

If RDP is enabled, threat actors have a way to move laterally and maintain presence in the environment through tunneling or port forwarding. To mitigate vulnerability to and detect these types of RDP attacks, organizations should focus on both host-based and network-based prevention and detection mechanisms.

  • Remote Desktop Service: Disable the remote desktop service on all end-user workstations and systems for which the service is not required for remote connectivity.
  • Host-based Firewalls: Enable host-based firewall rules that explicitly deny inbound RDP connections.
  • Local Accounts: Prevent the use of RDP using local accounts on workstations by enabling the “Deny log on through Remote Desktop Services” security setting.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Malicious Hackers Increasing the Exploitation of RDP Protocol to Hack the Targeted Victims

Troldesh Ransomware Spreading Via Weaponized Word Document and RDP Brute-force Attack

Website

Latest articles

New Poco RAT Weaponizing 7zip Files Using Google Drive

The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.These...

New ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

X-Labs identified basic ransomware targeting Turkish businesses, delivered via PDF attachments in suspicious emails...

Hacktivist Groups Preparing for DDoS Attacks Targeting Paris Olympics

Cyble Research & Intelligence Labs (CRIL) researchers have identified a cyber threat targeting the...

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles