Posted on January 27, 2019 at 1:39 PM
According to a recent report by the cybersecurity company FireEye, hackers who conduct RDP (Remote Desktop Protocol) attacks appear to be using a new method to avoid detection and protective measures. Researchers warn that hackers have increasingly started using network tunneling and host-based port forwarding techniques.
RDP is a well-known component of Windows systems, typically used to give users remote access to a machine. However, hackers quickly discovered that this feature could be used for their own gain, which has sparked an entire trend of this type of attack, as it is difficult to detect.
In the report, FireEye states that hackers also prefer this method because of its stability and several functional advantages. However, in order to initially compromise the targeted systems, hackers are required to take a different approach from regular infiltration methods, such as phishing.
How does the breach occur?
These systems have multiple layers of protection, including NAT rules, firewalls, and the like. However, hackers have discovered that network tunneling and host-based port forwarding allow them to bypass most of these protections.
By abusing these methods, hackers can establish a connection to a remote server that is normally shielded by the firewall. Researchers have also reported that one of the utilities used to tunnel RDP sessions is Plink (PuTTY Link), which can create an SSH network connection to other systems as well.
Since SSH is typically not blocked in IT environments, this can lead to hackers gaining full access and establishing a connection to the C&C server. Once they gain access, FireEye researchers believe that hackers can move freely through the environment. This also allows them to use the Windows Network Shell (netsh) command for port forwarding. All that hackers need to do is configure the jump box to listen on arbitrary ports for traffic from compromised systems; once received, that traffic can be forwarded through the jump box to any system via TCP port 3389.
By using these methods, hackers can take advantage of the jump box without completely disrupting it, which allows them to avoid detection for a longer period. However, FireEye believes that network-based and host-based prevention mechanisms can easily stop this type of attack, while detection mechanisms can warn the user of an attempted breach.
Additional measures are also advised, such as disabling the Remote Desktop service when it is not needed. Preventing the RDP connection can also be achieved by setting certain host-based firewall rules, and detection of the breach can be done by studying event logs or reviewing registry keys.
There are also several precautions that users can set at the level of the network itself. One of them is for admins to allow RDP connections only from a centralized management server or a designated jump box. They should also check firewall rules regarding port forwarding, inspect network traffic and its content, and set rules that can identify RDP tunneling.
While RDP does have numerous uses, users are urged to take the necessary precautions. Otherwise, their entire systems could be endangered by this new threat.
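Two of the host-based checks mentioned above, written as an added example (not code from the article or from FireEye): it flags netsh portproxy rules that forward traffic to TCP 3389 and RDP connection events whose source is the loopback address, which is what a session arriving over a local SSH/Plink tunnel looks like on the host. The netsh table layout and the CSV export of event 1149 are constructed samples, and the CSV column order is an assumption.

```python
import re

# Constructed sample of `netsh interface portproxy show all` output.
# Assumption: the real table has the same four-column layout.
SAMPLE_PORTPROXY = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8080        10.0.20.15      3389
127.0.0.1       5000        10.0.20.16      445
"""

# Constructed sample of an exported event log (hypothetical CSV export of
# TerminalServices-RemoteConnectionManager event 1149):
# timestamp,event_id,user,source_address
SAMPLE_RDP_EVENTS = """\
2019-01-20T10:02:11,1149,alice,10.0.5.23
2019-01-20T10:07:45,1149,svc_backup,127.0.0.1
2019-01-20T10:09:02,1149,bob,10.0.5.40
"""

RDP_PORT = 3389
PORTPROXY_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_portproxy(text):
    """Return (listen_addr, listen_port, connect_addr, connect_port) tuples,
    skipping the header and separator lines of the netsh table."""
    rows = []
    for line in text.splitlines():
        m = PORTPROXY_ROW.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return rows


def find_rdp_forwards(text):
    """Flag portproxy rules whose target port is 3389: the jump-box forwarding
    pattern described in the article."""
    return [r for r in parse_portproxy(text) if r[3] == RDP_PORT]


def find_loopback_rdp_logons(text):
    """Flag event 1149 records whose source is 127.x: a tunneled RDP session
    reaches the host from the local tunnel endpoint, not the real client."""
    hits = []
    for line in text.splitlines():
        ts, event_id, user, src = line.split(",")
        if event_id == "1149" and src.startswith("127."):
            hits.append((ts, user, src))
    return hits
```

Run both functions over a live `netsh interface portproxy show all` capture and an event export from the RemoteConnectionManager log; either hit list being non-empty is worth an investigation, not an automatic verdict.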