In May we were already reporting about security vulnerability in Microsoft RDP (BlueKeep), which has great potential for damage. In the meantime, this vulnerability has been studied extensively by security specialists and very detailed descriptions exist. As a result of this vulnerability, Microsoft apparently audited the code for RDP and discovered other vulnerabilities (CVE-2019-1181, CVE-2019-1182) that have similar potential to cause damage. In this article, you will learn what these are and what immediate measures you should take.
Two words make hackers and security specialists sit up and take notice of the new vulnerabilities: Remote Code Execution and Pre-Auth. Why? Because the vulnerabilities can be exploited without prior authentication, and any code can be run on the target system, the security vulnerabilities can be exploited to the full. Just like in May, these gaps have potential for a worm, similar to WannaCry, NotPetya or BlueKeep. Microsoft released security patches for these vulnerabilities, so it's probably a matter of days or weeks before they are reconstructed (reverse engineering) and an exploit is available.
Because of the new loopholes in the popular Microsoft RDP service, we have put together some recommendations for you on how to use RDP:
Only run the RDP service if you absolutely need to, or better yet, disable RDP wherever it is not absolutely necessary to remotely manage systems.
Make sure that the Microsoft RDP service is not accessible from the Internet. We recommend using a firewall rule on the perimeter that blocks port 3389/TCP. In addition to the security loopholes, weak passwords on RDP services on the perimeter are often the reason for the entire company network being infected, for example with the Ransomware Ryuk or Megac0rtex.
There are now large botnets that are only searching for weak RDP passwords. If you provide customer services via RDP or have to perform remote maintenance tasks on the Internet via RDP, we strongly recommend that in addition, you secure the connection with a VPN.
If you are unable to disable RDP under any circumstances, you should enable NLA (Network Level Authentication). This provides partial protection, as the attacker can only run the malicious code following successful authentication.
Not only the systems on the perimeter represent a danger, but also all internal systems that have activated RDP. The reason for this is obvious. It can be predicted that viruses will soon use such gaps to move laterally through the network. This is why you should protect your systems as soon as possible with the patches made available by Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182
For systems on which RDP is enabled, use complex passwords. There are already botnets that automatically test combinations of company names, annual figures, etc. So having a weak password means that it is only a matter of time before an attacker has gained access to the systems.
The same applies here as for all security gaps – you need to respond quickly and not wait until something happens. By using RDP securely, you can protect your business more effectively from both targeted and opportunistic attacks.
A cyber attack can hit any business. Our Incident Response Retainer is the ideal solution when you need to be prepared and to act quickly, efficiently and effectively in an emergency – 24/7.
Interested? Find out more about our Incident Response Retainer here: