Ransomware infects Windows Servers

Microsoft Remote Desktop Service (RDP) is a very useful tool for administrators that need to login to remote Windows systems in order to perform administrative tasks or troubleshoot an issue. While incoming RDP connections from the Internet should be filtered by a firewall, this is not always the case.

Slack security provides an entry point for malicious agents that try to gain access to an organization's internal systems. RDP has its flaws and more often than not vulnerabilities are discovered. At the time of writing the most recent vulnerability detected in RDP was BlueKeep (CVE-2019-0708), which was used by GoldBrute botnet scheme.

Microsoft issues security updates to patch these vulnerabilities, but there will always be cases that the updates are not applied in a timely fashion. This patch gap gives the attacker the needed time frame to find vulnerable RDP targets and attack them.

During the last couple of months here, in Inter Engineering, we noticed a rise in incidents of ransomware infection where the attacker establishes the initial foothold using brute force against the RDP service. If the brute force is successful then the attacker has access to the Windows system. From that point on the attacker can stop or even uninstall the antivirus product, run the malicious payload and start the encryption process.

No antivirus solution can combat this scenario, because in most cases the attacker will have administrative access to the system and therefore be able to do pretty much anything.

Even so it should be relatively easy for an administrator to enforce measures for secure RDP access from the Internet to internal Windows systems. Below is a list of actions that will enhance the security stance:

Use strong and long passwords
To avoid brute force attack on RDP, avoid using Dictionary word and simple password. Always use long password with combination of Uppercase letters, Lowercase letters, numbers and special characters.

Limit number of login attempts
1. Go to Start-->Programs-->Administrative Tools-->Local Security Policy
2. Under Account Policies-->Account Lockout Policies
3. Account lockout threshold -> Set between 3 to 5
4. Account lockout duration -> Ideally set more than 5 minutes

Only allow user accounts requiring RDP service
1. Go to Start-->Programs-->Administrative Tools-->Local Security Policy
2. Under Local Policies-->User Rights Assignment-->Allow logon through Remote Desktop Services
3. Add or Remove the User accounts or groups which require RDP service

Use RD gateway servers
RD gateway proxy servers can be used for securing the connection with SSL. You can find more information on RD Gatewaus in the link below: https://social.technet.microsoft.com/wiki/contents/articles/10974.windows-server-2012-rds-deploying-and-configuring-rd-gateway.aspx

Close RDP port
This is the most important measure of all. Just changing the default port (3389/tcp) to a different one will not suffice, because RDP service has a distinctive welcome banner and the attacker will be able to detect that the service running behind the non-standard port is Microsoft RDP. Use VPN connection to access remote desktop and close RDP access using a firewall. All Stormshield UTM models support filtering rules and VPN connections (IPSec/SSL), if you want to know more, just send us a message.

Active Care Support Service Overview

Health Check

We proactively perform periodic health checks in your environment

Virtual Replication

We replicate your environment for troubleshooting and reviewing changes

Remote Support

Our engineers connect remotely to your system for immediate support

Support engineer

You have your own personal support engineer

 Copyright © 2019. All rights reserved. Designed & Built by Inter Engineering.