Foreword:

Microsoft's RDP protocol is one of the main targets of bad actors these days. There are reports of numerous successful breaches in small and medium-sized organizations that make heavy use of RDP from outside. One reason is that the protocol has security flaws, the latest of which this article covers. Another is that, most of the time, RDP was set up some time ago with weak authentication, which leaves it prone to brute-force attacks. Most modern IPS do not catch RDP-based brute-force attacks without additional tuning or a professional SOC, neither of which is usually present, or indeed a priority, in small and mid-sized businesses due to costs.

A new vulnerability, CVE-2019-0708, was found in the “Remote Desktop Services” component built into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008.

It is also present in older versions such as Windows XP and Windows 2003, operating systems for which Microsoft long ago stopped shipping security updates but which are still frequently in use within organizations.

Microsoft director of incident response Simon Pope described the vulnerability as follows: “While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

This vulnerability is marked as critical because of its nature: it sits at the pre-authentication level, which means that strong credentials do not help, and it requires virtually no user intervention. The vulnerability is also marked as wormable, which means that once an exploit is created it can easily be incorporated into more complex malware and used to automatically exploit and spread vertically inside an organization with RDP enabled and unpatched, much like the EternalBlue SMB exploit used by WannaCry. This scenario makes for potentially fast and widespread malware.

Microsoft released 16 updates on the 19th of May targeting at least 79 security holes in Windows and related software — nearly a quarter of them earning Microsoft’s most dire “critical” rating. Critical bugs are those that can be exploited by malware or bad actors to break into vulnerable systems remotely, without any help from users.

Vulnerable products:

Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows XP and older versions of Windows.

Non-vulnerable products:

Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012.

How does the attack work?

The attackers send a large number of very small requests from a high-bandwidth pipe behind ISP(s) that allow IP spoofing, destined for a large list of publicly accessible application servers. The attacker spoofs the source IP on all these requests, setting it to the target's public IP address. All servers are made to respond to the requests with much larger packets, wrongly directing all that traffic towards the unsuspecting target. The idea is to cripple either the target server/device or to congest its internet pipe, both of which cause Denial of Service.

How to protect yourself:

If any of the three components outlined above is not available, then there is no way to perform a successful Amplification attack.

Simple steps can make a big difference.

  1. First, never use or allow RDP access that is open to everyone from outside. Check your current firewall settings for rules allowing RDP connections from ANY on the outside. Use alternative access into your organization via a corporate remote-access VPN with two-factor authentication.
  2. Disable unused applications.
  3. If an application needs to be used, make sure it is regularly patched and has all security updates.
  4. Have a second layer of security: up-to-date endpoint protection and advanced network threat protection to stop the spread in case of a breach.
  5. Back up your servers and valuable data regularly. This helps you recover in case the security updates/patches break something or in case of a breach (ransomware or destruction of information).
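One way to carry out the firewall check from step 1 on a Windows host, as an added example that is not part of the original article: the script below parses the saved text output of `netsh advfirewall firewall show rule name=all` and lists enabled inbound allow rules that open TCP 3389 to any remote address. It assumes English-language netsh output; the function names and the sample rules are constructed for illustration.

```python
import re

# Constructed sample in the layout of `netsh advfirewall firewall show rule name=all`.
SAMPLE = """\
Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow

Rule Name:                            RDP from VPN pool
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
RemoteIP:                             10.8.0.0/24
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow
"""

def parse_rules(text):
    """Split netsh output into one dict per rule (field name -> value)."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"([^:]+):\s+(.*\S)", line)
        if m and m.group(1) == "Rule Name":
            rules.append({})          # a new rule block starts here
        if m and rules:
            rules[-1][m.group(1)] = m.group(2)
    return rules

def covers_port(spec, port):
    """True if a LocalPort value ('Any', '3389', '135,3380-3400') includes port."""
    for part in spec.split(","):
        m = re.fullmatch(r"\s*(\d+)(?:-(\d+))?\s*", part)
        if part.strip() == "Any" or (m and int(m[1]) <= port <= int(m[2] or m[1])):
            return True
    return False

def exposed_rdp_rules(text, port=3389):
    """Names of enabled inbound allow rules that open TCP `port` to any remote IP."""
    return [r["Rule Name"] for r in parse_rules(text)
            if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
            and r.get("Action") == "Allow" and r.get("Protocol") in ("TCP", "Any")
            and r.get("RemoteIP", "Any") == "Any"
            and covers_port(r.get("LocalPort", "Any"), port)]
```

Calling `exposed_rdp_rules(SAMPLE)` flags only the first rule; the rule restricted to the VPN address pool passes. The same review still has to be done on the perimeter firewall, which this script does not see.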

Used materials:

https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

© 4CornerNetworks