As more schools and businesses find themselves going online, Remote Desktop Protocol (RDP) users are more vulnerable than ever to a ransomware attack. Learn more about the latest threat from Drovorub malware, and what organizations can do to protect themselves.
Businesses, government organizations, and educational institutions found themselves navigating new challenges as they worked to provide remote access to an unprecedented number of workers. Many turned to Remote Desktop Protocol (RDP) so users could remote into their office devices to access company systems. RDP’s popularity endures because there are clients available for most popular operating systems, including Windows, Linux, Unix, Android, and macOS.
One continuing problem with using RDP is that many organizations fail to ensure that proper security is in place. That leaves hackers with a potential entry point into company systems once they obtain the RDP login credentials needed for access. The credentials could then be sold to others on the dark web, putting many companies and institutions at risk for ongoing cyberattacks.
Earlier versions of RDP also have a vulnerability in the encryption method used on platforms like Windows Server 2008 and Windows XP. While Microsoft issued a legacy patch to repair the issue, any organization that uses RDP while still running legacy Windows software is at additional risk of a cyberattack. This may also be a concern for those running an older Linux OS alongside Windows. There’s more information about the vulnerability of older versions of Windows OS and RDP available here.
A recent joint alert from the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) warns about the threat presented by an insidious malware called Drovorub, whose origins have been traced back to Russian GRU intelligence.
The malware consists of four main components:
Drovorub hides itself in systems while hackers take control of system functions. They may plant other malicious components or manipulate a company’s network settings, all without needing to be on the same continent. Hackers often target internet-connected devices that expose RDP, exploiting the weaknesses of an open RDP port.
Locating Drovorub malware on a large scale can be a complex undertaking. Its kernel-module rootkit hides the malware’s files, processes, and network connections from the tools used for a live response to an intrusion. Organizations can take steps to prevent the introduction of Drovorub into their systems in the following ways, especially those who use machines with both Windows and Linux:
Using the Secure Boot feature is another option, though it can cause disruptions for some Linux distributions. It verifies the boot loader’s signature before launch, and when it is enforced with kernel module signing it stops an unsigned kernel module such as Drovorub’s from loading.
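The following POSIX shell script is an added example, not part of the original post or of the NSA/FBI advisory. It reports whether a Linux host has the two protections just described, UEFI Secure Boot and enforced kernel-module signature checking, by reading the SecureBoot EFI variable and the kernel build configuration. The `ROOT` prefix argument and the sample tree built by `make_sample` are assumptions so the checks can be demonstrated offline; pass an empty prefix to check the live host.

```shell
#!/bin/sh
# Added example: check the Secure Boot / module-signing posture of a Linux host.
# The first argument is a path prefix (assumed here so a constructed tree can be
# checked); use "" for the real root of a live host.

sb_state() {
    root="$1"
    var=$(ls "$root"/sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
    [ -n "$var" ] || { echo "no-efi"; return; }
    # An efivars file is 4 attribute bytes followed by the variable data;
    # the SecureBoot variable carries a single data byte (1 = enabled).
    byte=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
    [ "$byte" = "1" ] && echo "enabled" || echo "disabled"
}

modsig_state() {
    root="$1"
    cfg="$root/boot/config-$2"          # second argument is the kernel release
    [ -r "$cfg" ] || { echo "unknown"; return; }
    if grep -qx 'CONFIG_MODULE_SIG_FORCE=y' "$cfg"; then
        echo "enforced"                 # unsigned modules are refused
    elif grep -qx 'CONFIG_MODULE_SIG=y' "$cfg"; then
        echo "signing-only"             # signatures checked but not required
    else
        echo "off"
    fi
}

# Constructed sample tree (not real host data) mimicking a host with Secure Boot
# enabled and a kernel built with CONFIG_MODULE_SIG_FORCE.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/firmware/efi/efivars" "$d/boot"
    # 4 attribute bytes (0x07 0x00 0x00 0x00) then the data byte 0x01
    printf '\007\000\000\000\001' \
        > "$d/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    printf 'CONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_FORCE=y\n' > "$d/boot/config-5.4.0-sample"
    echo "$d"
}

sample=$(make_sample)
echo "sample tree: secure boot $(sb_state "$sample"), module signing $(modsig_state "$sample" 5.4.0-sample)"
echo "live host:   secure boot $(sb_state ""), module signing $(modsig_state "" "$(uname -r)")"
```

A result other than "enabled" and "enforced" on a live host means an unsigned kernel module could still be loaded, so the Secure Boot mitigation described above is not actually in effect.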
Other detection methodologies can help institutions and companies locate Drovorub, including:
Organizations relying on RDP connections should make frequent updates to their security protocols to prevent any invasion or hijacking of valuable business resources. More information about securing infrastructure against cyberattacks can be found here.