Critical Infrastructure Technology (ICIT) highlights ransomware and RDP access as the current focus
The Institute for Critical Infrastructure Technology (ICIT) points out, in a paper warning of the evolution of what it calls’ disruptionware’ ransomware and the access to RDP as the current focus of a new development which “sees adversaries interrupting business continuity,” posing “an existential threat to key infrastructure operators.”
The move from random to targeted attacks is underlined. It is based on the industry’s double reluctance to close the RDP and the remarkable degree of access the attacker offers. In the first case, for instance, ICIT notes (PDF) that “805,665 systems remain vulnerable to the BlueKeep RDP operation, with estimated 105,170 systems based in the US, notwithstanding months of warning as of July 2, 2019.”
RDP, for example, provides full and remote control over the accessed device. “While the victim determines whether or not to pay for the ransom,” says ICIT, “the opponent retains system access, enabling them to install backdoors, remote Trojans or other malware that can make future attacks easier or provide service to other attackers.”
The reluctance of the industry to shut RDP down is due to their value as a remote maintenance business tool. “Manual maintenance is deemed too expensive compared to remote access solutions, especially if the systems are located overseas,” says the ICIT.
In a separate study (PDF), the Vectra security firm points out that RDP allows a centralized maintenance team to simultaneously monitor and fix systems at various factories. “The cost savings on this are substantial,” it says, indicating that every trip a technician undertakes for a machine fix on site is estimated to cost more than $2,000.
It also notes that the access provided by RDP is so great that a ransomware attack is not the first motive but the last effect. Vectra analyzed the problem of RDP from the context of her telemetry, “Having gained access to the infrastructure, reconnoitered the network, moved laterally through it, and exfiltrated all they want,” Vectra security analysis head Chris Morales told, “ransomware could be the final act to get as much money as possible.
For six months, its Cognito threat detection and response platform detected 26800 malicious RDP behavior against customers between January and June 2019. These are classified as pre-access (the system detects multiple attempts to attack brute force against RDP) or post-access (where machine learning detects suspicious behavior— such as attempts to use unexpected keyboard language for example).
By standardizing these figures, Vectra found that manufacture (20%), finance (16%) and retail (14%) represented the top three industries in the most affected, followed by the government (12%), healthcare (10%) and services (8%). Interesting is the incidence of attacks against the service industry. Morales said the Texas ransomware attacks came through their MSP. “With many MSPs using RDP to access their clients, this is a worrying threat vector,” he said.
Not all RDP attacks are necessarily linked to potential ransomware attacks— a crime or a nation State seeking PII or industrial espionage access might be involved. However, the high incidence of RDP samples against production is correlated to the ransomware increase against production in 2019.
ICIT notes that LockerGoga ransomware is alone responsible for attacks on “Altran, the Norwegian aluminum manufacturer Norsk Hydro, the American chemical companies Hexion and Momentive.” Its principal concern is that increasing industrial digitalisation means that IT and OT cannot be treated as separate entities anymore and that IT attacks via RDP are not possible.
The problem is that RDP is deemed too valuable to cease. Microsoft would be able to update the software to require a strong password, but this could cause problems for existing customers using already weaker passwords. “It has introduced 2FA,” Morales told, “but it’s not default to install it.” The user therefore has a responsibility to secure RDP and defend it from RDP attacks.
ICIT suggests that RDP (port 3389) needs to be evaluated and that, if necessary, links to specific trusted hosts should be whitelisted, all other blocked. Any system requiring an open RDP port,’ says Vectra,’ should go behind the firewall and require VPN users. You should also conduct regular inspection to ensure that the RDP port is not open to the public Internet.’
But Vectra points out that standard defenses don’t work properly against zero-day exploits. “In August 2019,” he notes, “Microsoft has announced four new critical vulnerabilities for RDPs, which all are’ pre authentication,’ which means that they may be executed without properly credential or victim input. It is striping that these exploits have worked for Windows 7, 8, and 10. Since Windows 10 is currently the latest and most popular operating system in Windows, this indicates that RDP attacks persist even as organizations update their IT systems.”
Vectra’s view was that RDP is such a dangerous threat vehicle that users should not rely on defenses to be overcome, but rather on the behavior of the modern threat detection system.