Data Security

Hackers are using ‘network tunneling’ to bypass the firewall instead of RDP

Network tunneling is increasingly being used by attackers who abuse RDP

The Remote Desktop Protocol (RDP) is a Windows component designed to give administrators and users a remote access path to their systems. According to a network security and ethical hacking report from the International Institute of Cyber Security, malicious hackers have been abusing this feature to attack vulnerable systems, because this kind of attack can sometimes be harder to detect than a backdoor.

“Malicious users resort to the use of RDP
because of its stability and functionality over a backdoor. We have detected
that hackers use the native functions of Windows RDP to connect laterally
through systems in compromised environments,” commented the specialists.

According to network security specialists, access to a system via RDP allows attackers to gain persistence, although it depends on an additional attack vector to enter the compromised system, such as a phishing attack. In addition, attackers have increasingly resorted to ‘network tunneling’ and host-based port forwarding.

This lets attackers establish a connection to a remote server that a firewall would otherwise block, then exploit that connection and use it as a means of transport to ‘dig a tunnel’ to local services through the firewall.

One utility used to channel RDP sessions is PuTTY Link, or Plink, which allows attackers to establish SSH connections to other systems. According to network security experts, because many environments neither inspect the protocols nor block SSH communications leaving their network, attackers can use the tool to create encrypted tunnels and establish RDP connections with C&C.

RDP sessions also allow attackers to move laterally through an environment; attackers can use the native Windows network shell command (netsh) for RDP port forwarding to discover segmented networks.

Host and network-based prevention and detection
mechanisms must provide organizations with the necessary defenses to mitigate
these kinds of attacks, experts say.

Also, disabling RDP when not in use and enabling host firewall rules that prohibit incoming RDP connections are helpful tips for reinforcing risk prevention.

At the network level, administrators must enforce RDP connections from a designated jump box or central administration server, avoid using privileged accounts for RDP, revise firewall rules to identify port forwarding vulnerabilities, and inspect the content of network traffic.
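As an added example (not code from the article or the report it cites), the script below sketches two checks that follow from the advice above: flagging RDP logons recorded in Windows Security Event ID 4624 with logon type 10 (RemoteInteractive) whose source address is loopback, which is how an RDP session arriving through a Plink/SSH tunnel terminating on the host appears, and listing netsh portproxy rules that forward traffic into TCP 3389. The event field names and all sample records are constructed for the example.

```python
"""Two defender-side checks for tunneled RDP: loopback-sourced RDP logons and
netsh portproxy rules whose destination is the RDP port (3389)."""
import ipaddress
import re

RDP_PORT = 3389

# Constructed sample events, shaped like fields pulled from Security log 4624 records.
SAMPLE_LOGONS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "10.0.5.20"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "127.0.0.1"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "127.0.0.1"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "::1"},
]

# Constructed text in the shape of `netsh interface portproxy show all` output.
SAMPLE_PORTPROXY = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8443        10.0.9.14       3389
*               80          10.0.9.15       80
"""

def suspicious_rdp_logons(events):
    """Return (user, source_ip) for RemoteInteractive (type 10) logons whose source
    is a loopback address: RDP reached the host through a local tunnel, not the network."""
    hits = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != 10:
            continue
        try:
            if ipaddress.ip_address(e["IpAddress"]).is_loopback:
                hits.append((e["TargetUserName"], e["IpAddress"]))
        except (KeyError, ValueError):
            continue  # malformed record; skip rather than crash the sweep
    return hits

def rdp_portproxy_rules(netsh_output):
    """Return (listen_addr, listen_port, target_addr) for portproxy rules that
    forward to port 3389, i.e. host-based port forwarding into RDP."""
    rule = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")  # addr port addr port
    hits = []
    for line in netsh_output.splitlines():
        m = rule.match(line.strip())
        if m and int(m.group(4)) == RDP_PORT:
            hits.append((m.group(1), int(m.group(2)), m.group(3)))
    return hits

if __name__ == "__main__":
    print("loopback RDP logons:", suspicious_rdp_logons(SAMPLE_LOGONS))
    print("portproxy rules into RDP:", rdp_portproxy_rules(SAMPLE_PORTPROXY))
```

In practice the event list would come from the Security log and the portproxy text from running netsh on the host; legitimate loopback RDP logons are rare enough that each hit deserves a look.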
