
HC3 Intelligence Briefing: Remote Desktop Protocol Exploitation

Overall classification: TLP:WHITE

November 21, 2019

Agenda

  • Overview
  • History
  • Usage
  • Maturity of RDP implementation
  • Why does RDP matter to healthcare cybersecurity?
  • RDP Exploitation
  • Major exploits: BlueKeep and DejaBlue
  • RDP Threats: who and what attacks RDP?
  • Securing RDP
  • References
  • Questions

Slides key:
  • Non-Technical: managerial, strategic and high-level (general audience)
  • Technical: tactical / IOCs; requiring in-depth knowledge (sysadmins, IRT)

History

The evolution of RDP, by protocol version (Windows OS that shipped it, then notes):

  • RDP 4.0 (Windows NT 4.0 Terminal Server Edition): first version of RDP, based on the ITU-T T.128 application sharing protocol; introduced with Terminal Services
  • RDP 5.0 (Windows 2000 Server): support for printing; improved bandwidth usage
  • RDP 5.1 (Windows XP): support for 24-bit color and sound; client available for Windows 2000, Windows 95/98 and Windows NT 4.0; client renamed from Terminal Services Client to Remote Desktop Connection
  • RDP 5.2 (Windows Server 2003): support for console mode connections, session directory and local resource mapping; Transport Layer Security (TLS) available for server authentication and encryption
  • RDP 6.0 (Windows Vista): multi-monitor spanning and large desktop support; Network Level Authentication (NLA, via CredSSP) introduced, so a client can be required to authenticate before a session is created
  • RDP 6.1 (Windows Server 2008, Windows Vista SP1, Windows XP SP3): support for connecting remotely to individual programs (RemoteApp)
  • RDP 7.0 (Windows Server 2008 R2, Windows 7): Terminal Services renamed to Remote Desktop Services
  • RDP 7.1 (Windows 7 SP1, Windows Server 2008 R2 SP1): RemoteFX
  • RDP 8.0 (Windows 8, Windows Server 2012): automatic selection of TCP or UDP transport; adaptive graphics; multi-touch support
  • RDP 8.1 (Windows 8.1, Windows Server 2012 R2): support for session shadowing
  • RDP 10 (Windows 10, Windows 8.1, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2): AutoSize zoom

Usage

  • Most current RDP implementations allow for:
    • Windows Presentation Foundation (WPF) applications and remoting
    • Clipboard sharing between the remote server and the local client
    • Execution of remote desktop applications on client machines
    • Aero Glass remoting
    • Windows Media Player (WMP) redirection
    • Implementation on non-Microsoft platforms
      • e.g. Unix/Linux platforms use rdesktop or FreeRDP
    • Encryption of mouse and keyboard input
    • Audio, printer, port and file redirection
    • Multiple monitor support
  • Every redirection channel (clipboard, drives, ports, printers) is also a path for data to leave a host or for malware to arrive on it; on exposed or high-value hosts, disable the channels that are not needed.

Image courtesy of Microsoft.com

Why does RDP matter to healthcare cybersecurity?

  • Targeting
    • ECRI Institute's annual Top 10 Health Technology Hazards for 2019: hackers attacking healthcare through remote access systems and disrupting operations is the number one patient safety risk
  • Oleg Kolesnikov, Head of Securonix Threat Research Labs, referring to RDP:
    • "…if it's targeted, particularly in healthcare, and exploited, the results can be much more severe…"
  • TrapX Security:
    • "One of the most common breach scenarios, whether by an insider (a rogue employee) or by an external attacker who has successfully breached the perimeter, happens through RDP."

RDP exploitation

  • Sophos leveraged Shodan to assess global RDP exposure. Their conclusion: "RDP is already being abused, every day, to devastating effect."

Major exploits: BlueKeep and DejaBlue

  • BlueKeep and the related DejaBlue vulnerabilities target Microsoft Windows:
    • BlueKeep: Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2
    • DejaBlue: Windows 7 through Windows 10, and Windows Server 2008 R2 through Windows Server 2019
  • CVE-2019-0708 (BlueKeep)
  • CVE-2019-1181 and CVE-2019-1182 (DejaBlue)
  • Remote code execution, reachable before any credential is presented. Enabling Network Level Authentication (NLA) forces a successful CredSSP authentication before the vulnerable code is reached; Microsoft lists it as a partial mitigation where patching is delayed, not as a substitute for the patch.
  • "Wormable": no user interaction is needed, so an exploit can propagate from host to host on its own
  • Microsoft BlueKeep severity categorization: Critical
  • Microsoft released the BlueKeep patch in May 2019 (including out-of-band updates for the already unsupported Windows XP and Server 2003) and the DejaBlue patches in August 2019
    • Two weeks after the BlueKeep patch was released, one researcher noted that almost 1M systems still remained unpatched
  • NSA released a BlueKeep warning

Image courtesy of Medium.com
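As an added example, not part of the HC3 briefing: the exposure figures above (Shodan-style scanning, the unpatched-host count after the BlueKeep patch) and the NLA mitigation both come down to what an RDP listener negotiates before any credential is presented. The PowerShell below builds the X.224 Connection Request that opens every RDP session (MS-RDPBCGR), parses the server's Connection Confirm, and reports whether the listener enforces Network Level Authentication. The server replies in the block are constructed by hand, not captured traffic, and the host, port and function names are my own assumptions.

```powershell
# Added example, not from the HC3 briefing. Offering only PROTOCOL_RDP (0) is the probe:
# a listener that enforces NLA must refuse with HYBRID_REQUIRED_BY_SERVER rather than
# start a session, while one that answers with a selected protocol (or with no
# negotiation block at all) will talk to an unauthenticated client.
$RdpFailureCode = @{
    1 = 'SSL_REQUIRED_BY_SERVER';    2 = 'SSL_NOT_ALLOWED_BY_SERVER'
    3 = 'SSL_CERT_NOT_ON_SERVER';    4 = 'INCONSISTENT_FLAGS'
    5 = 'HYBRID_REQUIRED_BY_SERVER'; 6 = 'SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER'
}

function New-RdpConnectionRequest {
    param([uint32]$RequestedProtocols = 0)   # bit 0 = TLS, bit 1 = CredSSP (NLA); 0 = standard RDP security only
    $p = $RequestedProtocols
    # rdpNegReq, 8 bytes little-endian: type 0x01, flags 0, length 8, requestedProtocols
    $negReq = [byte[]](0x01, 0x00, 0x08, 0x00,
        ($p -band 0xFF), (($p -shr 8) -band 0xFF), (($p -shr 16) -band 0xFF), (($p -shr 24) -band 0xFF))
    # X.224 Connection Request: LI (bytes that follow it), code 0xE0, DST-REF, SRC-REF, class 0
    $x224  = [byte[]]([byte[]]((6 + $negReq.Length), 0xE0, 0, 0, 0, 0, 0) + $negReq)
    # TPKT header: version 3, reserved, big-endian length of the whole packet
    $total = 4 + $x224.Length
    return [byte[]]([byte[]](0x03, 0x00, ($total -shr 8), ($total -band 0xFF)) + $x224)
}

function Read-RdpConnectionConfirm {
    param([byte[]]$Packet)
    if ($Packet.Length -lt 11 -or $Packet[0] -ne 3) { throw 'Not a TPKT packet' }
    $tpktLen = ([int]$Packet[2] -shl 8) -bor [int]$Packet[3]
    if ($tpktLen -ne $Packet.Length) { throw "TPKT length $tpktLen does not match $($Packet.Length) bytes read" }
    if (($Packet[5] -band 0xF0) -ne 0xD0) { throw 'Not an X.224 Connection Confirm' }
    $li = [int]$Packet[4]
    if ($li -lt 14) {
        # No rdpNegRsp after the 6 fixed X.224 bytes: a legacy server that only speaks
        # standard RDP security and never negotiates TLS or CredSSP
        return [pscustomobject]@{ Type = 'Legacy'; Protocol = 0; FailureCode = $null }
    }
    # rdpNegRsp / rdpNegFailure at offset 11: type, flags, length (2), 4-byte little-endian value
    $value = [int]$Packet[15] -bor ([int]$Packet[16] -shl 8) -bor ([int]$Packet[17] -shl 16) -bor ([int]$Packet[18] -shl 24)
    switch ($Packet[11]) {
        0x02    { return [pscustomobject]@{ Type = 'Response'; Protocol = $value; FailureCode = $null } }
        0x03    { return [pscustomobject]@{ Type = 'Failure';  Protocol = $null;  FailureCode = $value } }
        default { throw "Unexpected negotiation structure type 0x$('{0:x2}' -f $Packet[11])" }
    }
}

function Get-RdpExposureVerdict {
    param($Confirm)
    switch ($Confirm.Type) {
        'Failure' {
            if ($Confirm.FailureCode -eq 5) { return 'NLA enforced: server refused a client that offered no CredSSP' }
            return "Negotiation refused: $($RdpFailureCode[[int]$Confirm.FailureCode])"
        }
        'Response' {
            if ($Confirm.Protocol -eq 2) { return 'CredSSP selected for this connection (NLA in use)' }
            return 'Pre-authentication session accepted: standard RDP security or TLS without NLA'
        }
        default { return 'Legacy listener: standard RDP security only, no negotiation at all' }
    }
}

function Test-RdpNla {
    # Live probe against a host you are authorised to test; sends the 0-offer request once
    param([string]$ComputerName, [int]$Port = 3389, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $client.ConnectAsync($ComputerName, $Port).Wait($TimeoutMs)) { throw "Timeout connecting to ${ComputerName}:$Port" }
        $stream = $client.GetStream(); $stream.ReadTimeout = $TimeoutMs
        [byte[]]$req = New-RdpConnectionRequest -RequestedProtocols 0
        $stream.Write($req, 0, $req.Length)
        $buf = New-Object byte[] 64
        $n = $stream.Read($buf, 0, $buf.Length)
        if ($n -lt 11) { throw "Short read ($n bytes): not an RDP listener?" }
        return Get-RdpExposureVerdict (Read-RdpConnectionConfirm -Packet $buf[0..($n - 1)])
    } finally { $client.Close() }
}

# Constructed server replies (not captured traffic), one per outcome of the 0-offer probe
function ConvertFrom-Hex([string]$Hex) {
    [byte[]]((($Hex -replace '\s', '') -split '(..)') | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) })
}
$replies = @{
    Enforced = ConvertFrom-Hex '03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 05 00 00 00'  # RDP_NEG_FAILURE, code 5
    Standard = ConvertFrom-Hex '03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 00 00 00 00'  # RDP_NEG_RSP, PROTOCOL_RDP
    Legacy   = ConvertFrom-Hex '03 00 00 0b 06 d0 00 00 12 34 00'                          # no negotiation block
}
foreach ($name in 'Enforced', 'Standard', 'Legacy') {
    '{0,-8} {1}' -f $name, (Get-RdpExposureVerdict (Read-RdpConnectionConfirm -Packet $replies[$name]))
}
# Live use: Test-RdpNla -ComputerName 10.0.0.5 -Port 3389
```

The 0-offer is what makes the probe meaningful: a server that picks CredSSP when the client offers CredSSP proves nothing about enforcement, because the same server may also accept a client that offers less. A failure with code 5 does prove it. Nmap's rdp-enum-encryption script performs the same negotiation if a scanner is preferred over a script.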

Major exploits: BlueKeep and DejaBlue (continued)

  • Microsoft and NSA BlueKeep releases (figure)

Securing RDP

  • Recommended cybersecurity defense and response practices:
    • NIST Cybersecurity Framework
    • 405(d) Health Industry Cybersecurity Practices (HICP)

Securing RDP (continued)

  • Specific steps for securing RDP (source: McAfee.com; 405(d) cybersecurity practice references in brackets)
    • Whenever possible on Windows, use Group Policy Objects (GPOs) to centrally manage RDP settings rather than configuring hosts one by one [3.S.A], [3.L.B]
    • Use strong/complex passwords and require periodic password changes [3.S.A], [3.M.C], [3.L.C]
      • Enforce letters, numbers, symbols and a minimum password length
      • Balance the password change window: neither so long that stolen credentials stay valid nor so short that users fall back on predictable variants
      • Pair this with an account lockout threshold; the FBI alert in the references describes brute-force credential guessing, not exploits, as the usual way RDP is abused
    • Restrict access using firewalls [3.S.A], [3.M.C], [3.L.C]
      • Filter by source IP address; MAC address filtering only helps on the local segment, since MAC addresses do not cross routers
      • Better still, do not expose RDP directly to the internet: put a VPN or a Remote Desktop Gateway in front of it
    • Reassign RDP to another port (change the listening port from the default 3389) [6.M.A]
      • This is obscurity only: Shodan and similar scanners recognise RDP by its handshake on any port, so treat it as a supplement to filtering, not a replacement for it
    • Update software and apply patches [7.S.A], [7.M.D]
      • Run a patch management program and verify installation; the BlueKeep and DejaBlue fixes protect only the hosts that have actually installed them
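As an added example, not from the HC3 briefing or the McAfee source it cites: the steps above as a PowerShell script for one Windows host, plus a verification function whose output can be collected across hosts. The management subnet, the port, the rule name and the KB identifiers are my assumptions and are marked as such in the comments; in a domain the same values belong in a GPO, which is the first item in the list above.

```powershell
# Added example, not from the HC3 briefing: apply and verify the briefing's host-level
# RDP controls on one Windows host. Assumptions (mine, not the page's): management
# subnet 10.0.10.0/24 is the only network allowed to reach RDP, the new listening
# port is 3390, and the script runs elevated.
$RdpKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$AllowedSubnet = '10.0.10.0/24'   # assumption
$NewPort       = 3390             # assumption
$RuleName      = 'RDP (scoped to management subnet)'   # assumption

function Set-RdpListenerHardening {
    # Network Level Authentication: CredSSP must succeed before a session is created, so
    # the pre-authentication code paths BlueKeep reached are only exposed to valid credentials.
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
    # SecurityLayer 2 = TLS required (0 = legacy RDP security, 1 = negotiate).
    Set-ItemProperty -Path $RdpKey -Name SecurityLayer -Value 2 -Type DWord
    # Move the listener off 3389 (Microsoft KB 306759); TermService must restart afterwards.
    # This only hides the service from the laziest scanners: banner-grabbing scanners such
    # as Shodan's still identify RDP on any port.
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord
}

function Set-RdpFirewallScope {
    # Replace the built-in, any-source "Remote Desktop" rules with one rule scoped to the
    # management subnet on the new port. A host firewall scoped by source IP still assumes
    # the network is trusted; internet exposure should be closed at the edge as well.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $NewPort -RemoteAddress $AllowedSubnet -Action Allow | Out-Null
    }
}

function Set-LocalPasswordPolicy {
    # Length, maximum age and lockout for local accounts (the briefing's "strong/complex
    # passwords; periodic changes"). Lockout is what blunts the credential guessing the FBI
    # alert describes. Domain accounts: set this in the Default Domain Policy GPO, not here.
    net accounts /minpwlen:14 /maxpwage:90 /lockoutthreshold:10 /lockoutduration:15 | Out-Null
}

function Test-RdpHardening {
    # Returns one object per host so results can be gathered into a report.
    $props = Get-ItemProperty -Path $RdpKey
    $rule  = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    # KB numbers differ per OS. The two below are my recollection of the May 2019 Windows 7
    # SP1 / Server 2008 R2 SP1 updates (security-only and monthly rollup) for CVE-2019-0708;
    # verify them against Microsoft's advisory and substitute the right IDs for each OS.
    $blueKeepKbs = 'KB4499175', 'KB4499164'
    [pscustomobject]@{
        NlaRequired     = ($props.UserAuthentication -eq 1)
        TlsRequired     = ($props.SecurityLayer -eq 2)
        ListeningPort   = $props.PortNumber
        FirewallScope   = $(if ($rule) { ($rule | Get-NetFirewallAddressFilter).RemoteAddress } else { 'no scoped rule' })
        BlueKeepPatched = [bool](Get-HotFix -Id $blueKeepKbs -ErrorAction SilentlyContinue)
    }
}

# Apply, restart the listener so the new port takes effect, then verify:
#   Set-RdpListenerHardening; Set-RdpFirewallScope; Set-LocalPasswordPolicy
#   Restart-Service TermService -Force; Test-RdpHardening
```

Run the verification before and after the change and keep both results: the "before" object is the evidence of what was exposed, and a false in any field of the "after" object (for example a port change that silently failed because TermService was not restarted) is the finding to act on.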

References

  • How to change the listening port for Remote Desktop, Microsoft Support, 8/13/2018, https://support.microsoft.com/en-us/help/306759/how-to-change-the-listening-port-for-remote-desktop
  • Fitzpatrick, Darren, Fokker, John and Ryan, Eamonn, RDP Security Explained, McAfee Labs, 6/24/2019, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rdp-security-explained/
  • InfoSec Guide: Remote Desktop Protocol (RDP), Trend Micro, 10/31/2018, https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/infosec-guide-remote-desktop-protocol-rdp
  • Camp, Cameron, Remote Desktop (RDP) Hacking 101: I can see your desktop from here!, ESET - We Live Security, 9/16/2013, https://www.welivesecurity.com/2013/09/16/remote-desktop-rdp-hacking-101-i-can-see-your-desktop-from-here/
  • Definition of: Terminal Services, PC Mag Encyclopedia, https://www.pcmag.com/encyclopedia/term/52755/terminal-services
  • Alert #: I-092718-PSA, Cyber Actors Increasingly Exploit The Remote Desktop Protocol to Conduct Malicious Activity, Federal Bureau of Investigation Public Service Announcement, https://www.ic3.gov/media/2018/180927.aspx
  • Greenberg, Andy, DejaBlue: New BlueKeep-Style Bugs Renew the Risk of a Windows Worm, Wired, 8/13/2019, https://www.wired.com/story/dejablue-windows-bugs-worm-rdp/
  • Stockley, Mark, RDP exposed: the wolves already at your door, Sophos Naked Security, 7/17/2019, https://nakedsecurity.sophos.com/2019/07/17/rdp-exposed-the-wolves-already-at-your-door/
  • Carroll, Eoin; Mundo, Alexandre; Laulheret, Philippe; Beek, Christiaan; and Povolny, Steve; RDP Stands for "Really DO Patch!" – Understanding the Wormable RDP Vulnerability CVE-2019-0708, McAfee Blogs, 5/21/2019, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
  • Goodin, Dan, Exploit for wormable BlueKeep Windows bug released into the wild, Ars Technica, 9/6/2019, https://arstechnica.com/information-technology/2019/09/exploit-for-wormable-bluekeep-windows-bug-released-into-the-wild/
  • Cimpanu, Catalin, Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708), ZDNet, 7/4/2019, https://www.zdnet.com/article/even-the-nsa-is-urging-windows-users-to-patch-bluekeep-cve-2019-0708/
  • Sophos Community Knowledge Base, CVE-2019-0708: Remote Desktop Services remote code execution vulnerability (known as BlueKeep), 5/29/2019, https://community.sophos.com/kb/en-us/
  • Microsoft TechNet, Remote Desktop Services (RDS) Component Architecture Poster Windows Server 2008 R2, https://blogs.technet.microsoft.com/danstolts/2010/10/remote-desktop-services-rds-component-architecture-poster-windows-server-2008-r2/

References (continued)

  • Foley, Mary Jo, Microsoft patches Windows XP, Server 2003 to try to head off 'wormable' flaw, ZDNet, 5/14/2019, https://www.zdnet.com/article/microsoft-patches-windows-xp-server-2003-to-try-to-head-off-wormable-flaw/
  • Cimpanu, Catalin, US company selling weaponized BlueKeep exploit, ZDNet, 7/25/2019, https://www.zdnet.com/article/us-company-selling-weaponized-bluekeep-exploit/
  • Microsoft works with researchers to detect and protect against new RDP exploits, Microsoft Security Blog, 11/7/2019, https://www.microsoft.com/security/blog/2019/11/07/the-new-cve-2019-0708-rdp-exploit-attacks-explained/
  • Cimpanu, Catalin, Millions of RDP Endpoints Exposed Online and Ready for Bad Things, BleepingComputer, 8/15/2017, https://www.bleepingcomputer.com/news/security/millions-of-rdp-endpoints-exposed-online-and-ready-for-bad-things/
  • Boddy, Matt, Jones, Ben, and Stockley, Mark, RDP Exposed - The Threat That's Already at Your Door, Sophos, https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-rdp-exposed-the-threats-thats-already-at-your-door-wp.pdf
  • Hudak, Tyler, Adventures of an RDP Honeypot – Part One: RDP Security, TrustedSec Blog, https://www.trustedsec.com/blog/adventures-of-an-rdp-honeypot-part-one-rdp-security/
  • Schwartz, Mathew J., Ransomware Gangs' Not-So-Secret Attack Vector: RDP Exploits, Bank InfoSecurity, 11/4/2019, https://www.bankinfosecurity.com/ransomware-gangs-not-so-secret-attack-vector-rdp-exploits-a-13342
  • Cimpanu, Catalin, Botnet Fodder: 10 Million Devices With Open Telnet Ports Still Available Online, BleepingComputer, 7/15/2017, https://www.bleepingcomputer.com/news/security/botnet-fodder-10-million-devices-with-open-telnet-ports-still-available-online/
  • McKeague, Brendan, Ta, Van, Fedore, Ben, Ackerman, Geoff, Pennino, Alex, Thompson, Andrew, Bienstock, Douglas, Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware, FireEye, 4/5/2019, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
  • Constantin, Lucian, More critical Remote Desktop flaws expose Windows systems to hacking, CSO Online, 8/14/2019, https://www.csoonline.com/article/3431665/more-critical-remote-desktop-flaws-expose-windows-systems-to-hacking.html
  • Cimpanu, Catalin, FBI warns companies about hackers increasingly abusing RDP connections, ZDNet, 9/27/2018, https://www.zdnet.com/article/fbi-warns-companies-about-hackers-increasingly-abusing-rdp-connections/
  • Stockley, Mark, RDP BlueKeep exploit shows why you really, really need to patch, Sophos Naked Security, 7/1/2019, https://nakedsecurity.sophos.com/2019/07/01/rdp-bluekeep-exploit-shows-why-you-really-really-need-to-patch/

Questions

Upcoming Briefs

  • Bluekeep
  • Incident Response

Product Evaluations

Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.

Requests for Information

Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday, between 9am-5pm (EST), at (202) 691-2110.

Image courtesy of Naked Security