Attacks using the Remote Desktop Protocol
September 2020 by ARCHANGEL©
In our last newsletters, we talked about ransomware and the vectors this malware uses to infect a computer network.
Among these vectors we drew your attention to social engineering, and more specifically phishing, namely the vectors that require human intervention to penetrate the network. They are the most used.
Since the pandemic that has been raging since the beginning of the year, remote working (telework) has required massive use of RDP (Remote Desktop Protocol, developed by Microsoft), a technical means that allows a user to connect to another computer over a network connection, regardless of whether the operating system is Microsoft Windows, Linux, Unix, macOS, iOS or Android.
By default, the server listens on TCP port 3389 and UDP port 3389.
It is precisely the attacks linked to this protocol (RDP) that have progressed significantly (they have more than doubled) during the second quarter of 2020. The reasons for this increase are to be found firstly in the number of Remote Desktop Protocol ports publicly exposed on the Internet (4,500,000 in March 2020) and secondly in the vulnerabilities that cyber-attacks exploit, especially those related to ransomware.
RDP PORTS MUST BE PROTECTED
From the above it follows immediately that the best protection is not to expose the ports in use publicly.
These ports can easily be hidden behind a VPN, which is a "secure" tunnel for digital traffic, but be careful not to use just any VPN: the VPN must be created within the establishment that wants to protect its Remote Desktop Protocol ports and must not be operated by third parties, because whoever creates the cryptographic protection necessarily holds the keys.
As we all know, encryption requires keys, and those who create them obviously have access to the information being carried. We all remember the case of the Swiss encryption company bought by the CIA, which spied on the world's secret communications for 70 years. Furthermore, any quantum computer can break this encryption in a fraction of a second, because the encryption is based on number theory.
Only a VPN that does not use the services of a third party and whose cryptography is not based on number theory can provide total security for data transmission, such as the one created by ARCHANGEL-SST-SydeCloud, an all-in-one solution protected by SST.
YOU MUST PROTECT AGAINST CYBER ATTACKS
Once the attackers have successfully penetrated the system, they can install worms, execute code remotely and, most importantly, deploy ransomware. In addition, through the lateral movement that RDP makes possible, they can infect more devices on the network and exfiltrate the data before encrypting it.
Once they have achieved their goal, the attackers cover their tracks (obfuscation) to delay as long as possible the detection of the attack and, especially, of their identity. For this purpose, the MAZE ransomware is their preferred tool.
In addition to the loss of data through its encryption and the possible loss of privacy through exfiltration, users may find themselves in a denial-of-service situation caused by the disruptions that follow such attacks.
The best protection is to install a sophisticated firewall which:
filters and blocks viruses and other malware that try to penetrate the system,
identifies and blocks the IP addresses used by attackers,
indicates the ports used by the attackers so that they can be closed or changed according to the user's needs.
The ARCHANGEL© intelligent firewall is the best protection against such attacks, thanks to its triple firewall system, which prevents any possibility of lateral propagation of malware within a network and of data exfiltration, thanks to its honeypot, and thanks to its intelligent agents (there are currently four of them).
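One way a defender can implement the "identify the IP addresses used by attackers" function listed above, as an added example that is not part of this newsletter or of the ARCHANGEL product: it parses records modelled on Windows Security event 4625 (failed logon) with LogonType 10 (RemoteInteractive, i.e. RDP) and flags source addresses that exceed a failure threshold within a sliding time window. The one-line record format, the sample addresses and the threshold are constructed assumptions, not a real log export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed one-line rendering of the fields a defender would extract from
# Windows Security events (EventID, LogonType, TargetUserName, IpAddress).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

def _ev(ts, event_id, logon_type, ip):
    """Build one constructed sample record (not real data)."""
    return f"{ts} EventID={event_id} LogonType={logon_type} TargetUserName=administrator IpAddress={ip}"

# Constructed sample: addresses are from RFC 5737 documentation ranges.
SAMPLE_EVENTS = (
    [_ev(f"2020-09-01T10:0{i}:00", 4625, 10, "203.0.113.7") for i in range(6)]   # 6 RDP failures in 5 minutes
    + [_ev(f"2020-09-01T1{i}:00:00", 4625, 10, "192.0.2.5") for i in range(5)]   # 5 RDP failures spread over 4 hours
    + [_ev(f"2020-09-01T10:0{i}:30", 4625, 3, "203.0.113.9") for i in range(6)]  # network logons (type 3), not RDP
    + [_ev("2020-09-01T10:02:00", 4625, 10, "198.51.100.22"),
       _ev("2020-09-01T10:03:00", 4625, 10, "198.51.100.22")]                    # 2 RDP failures only
    + [_ev("2020-09-01T10:05:00", 4624, 10, "10.0.0.5")]                          # successful RDP logon, ignored
)

def parse_event(line):
    """Return a dict with typed fields, or None if the line does not match the format."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "id": int(m["id"]),
            "lt": int(m["lt"]), "user": m["user"], "ip": m["ip"]}

def rdp_bruteforce_sources(lines, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> total RDP logon failures, for IPs with >= threshold failures inside one window."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        # Keep only failed (4625) RemoteInteractive (10) logons with a usable source address.
        if ev is None or ev["id"] != 4625 or ev["lt"] != 10 or ev["ip"] == "-":
            continue
        failures[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(rdp_bruteforce_sources(SAMPLE_EVENTS))
```

The returned addresses are candidates for the firewall block list described above; the slow attempts from 192.0.2.5 show why the window and threshold must be tuned rather than relying on a raw count.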
ARCHANGEL©, SST© and SydeCloud© are creations of PT SYDECO, a 100% Indonesian solution.