The COVID-19 crisis continues to mold the online world in many ways. It has prompted HBO to release 9 shows online for free, caused the delay of the widely anticipated PlayStation video game The Last of Us Part II, and placed increased scrutiny on video conferencing tools such as Zoom. To accommodate people working from home under the quarantine measures implemented around the world, IT staff have been quick to provide remote access to many organizations' internal networks. As a result, security researchers have observed a 667% increase in phishing attacks since the end of February. As working from home becomes the new normal, hackers are taking full advantage of the increased online activity caused by the COVID-19 crisis. This blog will discuss two technologies that have seen an uptick in usage: the Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs). Both provide a means for an employee at home to log into an internal network and access resources that would otherwise be inaccessible.
RDP allows an individual working remotely to log into a resource with a fully functional graphical user interface. Once logged in, a user can use the computer as if they were sitting in front of it typing commands on the keyboard. This ease of access makes it an attractive target for hackers, since a weak password combined with a lack of other security controls can allow an attacker to brute force their way in. Security researchers have been tracking the number of devices online with RDP exposed. Using a tool called Shodan, researchers have noticed a sharp increase in the number of systems with port 3389 exposed – the default port used by RDP. This increase can reasonably be attributed to IT administrators granting RDP access to more workers staying at home. Despite the convenience it provides, exposed RDP also increases a company's attack surface and presents a security liability; we have heard of countless cases in which it was the origin of devastating ransomware attacks.
Last year, researchers on the SophosLabs Offensive Security team developed an exploit that took advantage of a vulnerability named BlueKeep. When this exploit is executed against an unpatched Windows machine, the attacker can take full control of the system without needing credentials or even an active session on the victim machine. Microsoft rated this vulnerability 9.8/10 in severity and pushed updates even to operating system versions considered End-of-Life, an action the software giant rarely takes. This highlights the importance of ensuring that any system accessible by RDP is updated with the latest patches.
In order to secure remote access, the following precautions should be taken:
Require Multi-factor Authentication for all users
Ensure a strong password policy is in place
Implement any missing security patches
Leverage your corporate VPN instead of exposing RDP over the internet
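The precautions above are preventive; the weak-password scenario described earlier also calls for detection of brute-force logon attempts against RDP. The following is an added example, not code from the original post or from Packetlabs, that runs a simple sliding-window detection over a constructed excerpt of Windows Security log events (EventID 4625 failed logon and 4624 successful logon, LogonType 10 being RDP); the flattened line format, the IP addresses and the threshold are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt (addresses made up). 4625 = failed logon, 4624 = success; LogonType 10 = RDP.
SAMPLE_EVENTS = """\
2020-04-02T08:00:01 EventID=4625 LogonType=10 TargetUser=jsmith IpAddress=203.0.113.7
2020-04-02T08:00:03 EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.7
2020-04-02T08:00:04 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.7
2020-04-02T08:00:06 EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.7
2020-04-02T08:00:09 EventID=4625 LogonType=10 TargetUser=jsmith IpAddress=203.0.113.7
2020-04-02T08:00:12 EventID=4624 LogonType=10 TargetUser=jsmith IpAddress=203.0.113.7
2020-04-02T08:10:00 EventID=4625 LogonType=10 TargetUser=mlee IpAddress=198.51.100.20
2020-04-02T08:11:00 EventID=4625 LogonType=2 TargetUser=mlee IpAddress=-
2020-04-02T09:30:00 EventID=4625 LogonType=10 TargetUser=mlee IpAddress=198.51.100.20
"""
LINE_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) TargetUser=(\S+) IpAddress=(\S+)$")

def parse_events(text):
    """Turn matching log lines into (timestamp, event_id, logon_type, user, ip) tuples."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, eid, lt, user, ip = m.groups()
            out.append((datetime.fromisoformat(ts), int(eid), int(lt), user, ip))
    return out

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside one sliding window (assumed thresholds)."""
    fails, wins = defaultdict(list), defaultdict(list)
    for ts, eid, lt, user, ip in events:
        if lt != 10:                      # only RemoteInteractive (RDP) logons matter here
            continue
        if eid == 4625:
            fails[ip].append((ts, user))
        elif eid == 4624:
            wins[ip].append(ts)
    alerts = {}
    for ip, f in fails.items():
        f.sort()                          # chronological order for the sliding window
        for i in range(len(f) - threshold + 1):
            first, last = f[i][0], f[i + threshold - 1][0]
            if last - first <= window:    # a burst of failures within the window
                alerts[ip] = {
                    "failures": len(f), "distinct_users": len({u for _, u in f[i:i + threshold]}),
                    "success_after_burst": any(t >= last for t in wins[ip]),  # burst then success: respond now
                }
                break
    return alerts
```

A source that cycles through several account names and then succeeds (the `success_after_burst` flag) is the case to treat as a probable compromise rather than a noisy failed-logon report.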
VPN connections are another technology in which researchers have noticed an uptick in usage. With the varying protocols and ports that VPNs use, IT teams have been forced to set up VPN technologies to meet the growing need for external access. A VPN allows users to set up an encrypted tunnel from their home to assets within an internal company network. The security of this connection depends on the VPN provider: if the VPN server itself is compromised, the tunnel is no longer secure.
An example of this occurred in the fall of last year, when news broke that NordVPN – a popular VPN provider – had been compromised. An investigation revealed that NordVPN's cloud provider had maintained an insecure management protocol, allowing an attacker to compromise the cloud provider and gain access to Nord's servers. This highlights the importance of regularly auditing third-party providers to eliminate security vulnerabilities that would otherwise go unaccounted for.
If your organization has any questions or concerns surrounding RDP, VPN connections, or general guidance on providing secure remote access, please contact us to book your free consultation and learn how Packetlabs can help.