Remote Desktop Protocol Users have Highest Risk of Ransomware Attacks

As more schools and businesses find themselves going online, Remote Desktop Protocol (RDP) users are more vulnerable than ever to a ransomware attack. Learn more about the latest threat from Drovorub malware, and what organizations can do to protect themselves.

Businesses, government organizations, and educational institutions found themselves navigating new challenges as they worked to provide remote access to an unprecedented number of workers. Many turned to Remote Desktop Protocol (RDP) so users could remote into their office devices to access company systems. RDP’s popularity endures because there are clients available for most popular operating systems, including Windows, Linux, Unix, Android, and macOS.

Understanding RDP Vulnerabilities

One continuing problem with using RDP is that many organizations fail to ensure that proper security is in place. That leaves hackers with a potential entry point into company systems once they obtain the RDP login credentials needed for access. The credentials could then be sold to others on the dark web, putting many companies and institutions at risk for ongoing cyberattacks.

Earlier versions of RDP also have a vulnerability in the encryption method used on platforms like Windows Server 2008 and Windows XP. While Microsoft issued a legacy patch to repair the issue, any organization using RDP while still running legacy Windows software are at additional risk for a cyberattack. This may be a concern for those running an older Linux OS alongside Windows. There’s more information about the vulnerability of older versions of Windows OS and RDP available here.

The Drovorub Threat to RDP Users

A recent alert sent from both the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) about the threat presented from an insidious malware called Drovorub, with the origins traced back to GRU Russian intelligence.

The malware consists of four main components:

• Client — Receives commands from the remote Drovorub server and transfers files to and from the target endpoint.
• Kernel Module — Functions as a rootkit that comes packaged with the client. It hides the malware and other artifacts like network ports, sessions, and files from detection within the user’s space.
• Agent — Gets installed on hosts accessible via the internet or other infrastructure controlled by a hacker. The executable receives commands sent from the Drovorub server and is primarily responsible for uploading and downloading files from the Drovorub client and forwarding network traffic through port relays.
• Server — Provides control of the agent and client to hackers using a MySQL database to hold data needed for component registration, authentication, and tasks.

Drovorub hides itself in systems while hackers take control of system functions. They may plant other malicious components or manipulate a company’s network settings, all without needing to be on the same continent. Hackers often target internet devices connected via RDP to exploit the port vulnerabilities.

Securing RDP Against Drovorub

Locating Drovorub malware on a large scale can be a complex undertaking. It hides itself among the tools used for a live response to intrusions. Organizations can take steps to prevent the introduction of Drovorub into their systems in the following ways, especially those who use machines with both Windows and Linux:

1. Configure Transport Layer Security — Acquire a certificate for the Terminal server from a trusted third-party Certificate Authority or obtain it from an internal PKI solution.
2. Employ High-Level Encryption — Go in through the Group Policy setting for RDP, then set the encryption level to High.
3. Validate Network Level Authentication — Organizations should make sure computers using RDP are running version 6.0 or higher on Windows machines running a Linux OS. The Network Level Authentication Group Level Policy should be set to require user authentication for remote connections.

Using the Secure Boot feature is another option, though it can cause disruptions for some Linux distributions. It checks for any issues with the boot loader before launch and makes sure it has a valid signature.

Other detection methodologies can help institutions and companies locate Drovorub, including:

• Network-Based Intrusion Systems (NIDS) — NIDS Looks for control and command messages sent between the Drovorub agent, client, and server. The effectiveness is blunted when the message format changes. NIDS can also be evaded using TLS.
• Host-Based Detection — A script on the host computer can probe Drovorub kernels containing a specific file or file prefix. Security products like Antivirus and Endpoint Detection software may be able to look inside Drovorub components to obtain insight into how they function.
• Live Response — Launches a real-time response to suspicious changes in a host computer’s files, processes, and network connections.

Organizations relying on RDP connections should make frequent updates to their security protocols to prevent any invasion or hijacking of valuable business resources. More information about securing infrastructure against cyberattacks can be found here.

Cybersecurity flickr photo by Infosec Images shared under a Creative Commons (BY) license