One benefit of the growing number of news stories detailing the specifics of attacks, along with the analyses security vendors publish of the attacks they encounter, is the wealth of shared detail: anyone paying attention gains real insight into exactly which actions cybercriminals take and which malicious methods they use. It also shows how specific tools, such as remote access solutions (whether organization-sanctioned or brought in by the threat actor), are used time and time again. That kind of detail can be used to prioritize what needs to change about the environment to a) make it more secure and b) make it less prone to cyberattacks.
So, I want to take the opportunity to look at some recent news and analysis of ransomware attacks in order to make some recommendations that will make the remote access solution you use today less of an asset to the cybercriminal. Let’s begin with initial access.
Gaining Entry with Remote Access
It has long been established that a material percentage of ransomware attacks (regardless of the variant involved) alternate between phishing and remote desktop attacks as their initial access vector. The reasoning behind phishing is evident: a successful phish gives the attacker direct access to an endpoint and a set of user credentials. But so do remote desktop attacks against commercial remote access solutions, whether they rely on brute force (thousands of passwords tested in succession) or on credentials stolen in a previous attack, which is why remote desktop attacks stand toe-to-toe with phishing.
In recent months, ransomware attacks involving MedusaLocker, a variant introduced in 2019 that is making enough of a “comeback” to warrant a Joint Cybersecurity Advisory about it in June of this year, have primarily leveraged exposed RDP connections (whether exposed intentionally or accidentally) to establish a foothold in the victim organization.
Another egregious example of inappropriate access via RDP is one documented by security researchers at Sophos, in which a cybercriminal group that uses LockBit ransomware gained access to a U.S. Government network via RDP and was able to poke around the network for five months without being detected before deploying LockBit.
Moving Around Once Inside
Once in, if you’re familiar with the normal chain of malicious events and/or follow the MITRE ATT&CK Framework, you know that lateral movement is another stage where remote access gets used. According to the latest data from ransomware incident response vendor Coveware (which publishes a quarterly ransomware report), lateral movement occurs in approximately 70% of ransomware attacks. This includes the exploitation of remote services, which Coveware analysts note “mainly consists of abusing internal remote desktop (RDP) after initial access has been made.”
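Both RDP patterns described so far, the brute-force initial access from the previous section and the internal lateral movement Coveware quantifies here, leave the same kind of trail in the Windows Security log: failed logons (event 4625) and successful logons (event 4624) with logon type 10, which is RemoteInteractive, i.e. RDP. The PowerShell below is an added example, not code from the original post or from Coveware. It flags a source that racks up many RDP failures against a host in a short window, and an account that succeeds over RDP onto several distinct hosts. The function names, the thresholds and the sample events are my own constructions; the `ConvertFrom-SecurityEvent` helper shows how to feed the detector real records from `Get-WinEvent`.

```powershell
# Added example, not code from the original post. Flags two RDP abuse patterns:
#  - BruteForce: many failed RDP logons (4625, logon type 10) from one source in a short window
#  - LateralMovement: one account succeeding over RDP (4624, logon type 10) onto many distinct hosts
# Thresholds are assumptions; tune them for your environment.

function ConvertFrom-SecurityEvent {
    # Map a Get-WinEvent Security record to the flat fields Find-RdpAbuse expects
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            Id          = $Event.Id
            LogonType   = [int]$data['LogonType']
            TargetUser  = $data['TargetUserName']
            IpAddress   = $data['IpAddress']
            Computer    = $Event.MachineName
        }
    }
}

function Find-RdpAbuse {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $FailureThreshold = 20,   # failures from one source IP ...
        [int] $WindowMinutes    = 10,   # ... within this many minutes
        [int] $HostFanOut       = 3     # distinct hosts one account reached over RDP
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $rdp = $Events | Where-Object { $_.LogonType -eq 10 }   # 10 = RemoteInteractive (RDP)

    # Brute force: for each source IP, look for $FailureThreshold failures inside the window
    foreach ($grp in ($rdp | Where-Object { $_.Id -eq 4625 } | Group-Object IpAddress)) {
        $times = @($grp.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        for ($i = 0; $i + $FailureThreshold - 1 -lt $times.Count; $i++) {
            $span = $times[$i + $FailureThreshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                $findings.Add([pscustomobject]@{
                    Pattern = 'BruteForce'; Source = $grp.Name; Count = $grp.Count
                    Target  = (@($grp.Group | Select-Object -ExpandProperty Computer -Unique) -join ',')
                })
                break
            }
        }
    }

    # Lateral movement: successful RDP logons by one account onto many distinct internal hosts
    foreach ($grp in ($rdp | Where-Object { $_.Id -eq 4624 } | Group-Object TargetUser)) {
        $hosts = @($grp.Group | Select-Object -ExpandProperty Computer -Unique)
        if ($hosts.Count -ge $HostFanOut) {
            $findings.Add([pscustomobject]@{
                Pattern = 'LateralMovement'; Source = $grp.Name; Count = $hosts.Count
                Target  = ($hosts -join ',')
            })
        }
    }
    return $findings
}

# Constructed sample data: 25 failed RDP logons in five minutes against SRV-01 from one
# external address, then the 'svc_backup' account succeeding over RDP onto three internal hosts
$t0 = [datetime]'2024-01-15T02:00:00'
$sample = @()
foreach ($i in 0..24) {
    $sample += [pscustomobject]@{ TimeCreated = $t0.AddSeconds($i * 12); Id = 4625; LogonType = 10
                                  TargetUser = 'administrator'; IpAddress = '203.0.113.5'; Computer = 'SRV-01' }
}
foreach ($h in 'WS-07', 'FS-02', 'DC-01') {
    $sample += [pscustomobject]@{ TimeCreated = $t0.AddHours(1); Id = 4624; LogonType = 10
                                  TargetUser = 'svc_backup'; IpAddress = '10.0.5.23'; Computer = $h }
}
Find-RdpAbuse -Events $sample | Format-Table -AutoSize

# Against live data, on the host or a collector holding forwarded Security logs:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } | ConvertFrom-SecurityEvent
# Find-RdpAbuse -Events $live
```

Run on the constructed sample, the detector reports one BruteForce finding for 203.0.113.5 and one LateralMovement finding for svc_backup. The lateral check is deliberately keyed on the account rather than the source address because, as the Coveware quote says, the abuse happens after initial access, so the source is an internal host that looks legitimate on its own; only the fan-out across hosts gives it away. On a real estate, run it against forwarded logs on a collector, since an attacker who has a host can clear that host's local Security log.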
Learning from the Current State of Ransomware and Remote Access
With all the current data and attack examples demonstrating how threat actors leverage remote access for devious purposes, what steps should you take to stop the misuse? There are a few impactful actions you can take to keep cybercriminals from taking advantage of and misusing your remote access:
- Disable Externally-Facing Remote Access – that is, if you can. Threat actors commonly brute-force desktops that have been exposed to the Internet for productivity purposes. Microsoft even recently announced an update to Windows 11 that blocks RDP brute-force attacks, which will definitely help when cybercriminals don’t have a valid credential in the first place but will do little to stop the misuse of RDP when they have a set of stolen credentials in hand. With 59% of organizations experiencing phishing campaigns focused on stealing credentials, and with Dark Web services devoted to selling credentials, it should be evident that many attackers no longer rely on brute force to gain access.
- Consider Stopping the Use of RDP Altogether – for both externally- and internally-facing remote access to desktops. Microsoft has definitely taken strides to ensure its RDP services can be made as secure as possible. But a two-fold problem remains: first, not every organization actually secures RDP across the many, if not countless, endpoints in its environment; and second, even where it is secured, ransomware gangs are now looking for zero-day exploits (and are willing to pay seven-figure sums for them), and the prevalence of RDP across almost every Microsoft environment makes it a prime target for hackers looking to take advantage of widely available “commodity” applications.
There are plenty of other solutions on the market designed to provide secure remote access, and they offer better granularity, control, and configurability than the built-in RDP.
- Enable Secure Authentication – Multi-factor authentication is a show-stopper for ransomware actors. By requiring a second factor, such as an SMS text, a smartcard, or a certificate, you effectively take away any power the threat actor would normally have with a credential in hand.
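The first two recommendations, and the lockout behaviour the Windows 11 change relies on, can be checked on a host in one pass. The PowerShell audit below is an added example, not part of the original post. It reads the RDP settings Windows keeps in the registry (`fDenyTSConnections`, which disables Remote Desktop when set to 1; `UserAuthentication`, which requires Network Level Authentication when 1; and `SecurityLayer`, where 2 selects TLS), lists the enabled inbound firewall rules in the Remote Desktop group together with the remote addresses they admit, and reports the account lockout threshold. The function name, the check labels and the advice strings are mine; it only reads settings and changes nothing. Run it in an elevated session on the host being audited.

```powershell
# Added example, not code from the original post. Read-only audit of the local RDP posture
# against the recommendations above. Run in an elevated PowerShell session on the host.

function Get-RdpPosture {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $results = [System.Collections.Generic.List[object]]::new()

    # Small helper so every check lands in the same table shape
    function Add-Check([string]$Name, $Value, [bool]$Ok, [string]$Advice) {
        $results.Add([pscustomobject]@{
            Check = $Name; Value = $Value
            Status = $(if ($Ok) { 'OK' } else { 'REVIEW' }); Advice = $Advice
        })
    }

    # 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means it is off.
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    Add-Check 'Remote Desktop enabled' ($deny -ne 1) ($deny -eq 1) 'Disable unless this host must accept RDP; prefer an alternative remote access solution'

    # 2. Network Level Authentication: the client authenticates before a session is created
    $nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    Add-Check 'NLA required (UserAuthentication)' $nla ($nla -eq 1) 'Set to 1 so unauthenticated clients never reach the logon screen'

    # 3. Security layer: 2 = TLS, 1 = negotiate, 0 = legacy RDP security layer
    $layer = (Get-ItemProperty -Path $tcp -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
    Add-Check 'TLS security layer' $layer ($layer -eq 2) 'Set to 2 (TLS) rather than 0 (RDP security layer)'

    # 4. Firewall: which enabled inbound rules admit RDP, and from which remote addresses?
    $rules  = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    $scopes = @(foreach ($r in $rules) { ($r | Get-NetFirewallAddressFilter).RemoteAddress })
    $anyOpen = $scopes -contains 'Any'
    Add-Check 'Inbound RDP rules scoped' (($scopes | Select-Object -Unique) -join ',') ((-not $anyOpen) -or ($deny -eq 1)) 'Restrict RemoteAddress to management subnets or the VPN; never expose RDP to the Internet'

    # 5. Account lockout threshold (what actually stops password guessing once RDP is reachable).
    #    Assumes an English 'net accounts' output; 'Never' parses to 0.
    $lockoutLine = (net accounts) | Select-String 'Lockout threshold'
    $threshold = if ($lockoutLine -match '(\d+)') { [int]$matches[1] } else { 0 }
    Add-Check 'Account lockout threshold' $threshold ($threshold -gt 0) 'Set a finite lockout threshold and duration'

    return $results
}

Get-RdpPosture | Format-Table -AutoSize -Wrap
```

Checks 1 and 4 together answer the first recommendation (is RDP on, and if so, who can reach it); checks 2, 3 and 5 cover the hardening Microsoft offers for hosts that must keep RDP, which is the "even if it is secure" case the second recommendation warns about. The third recommendation, a second factor, cannot be read from the registry because it is enforced by whatever gateway or identity provider fronts the session, so it has to be audited there rather than on the endpoint.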
Responding in Kind to Ransomware’s Misuse of Remote Access
It’s imperative that cybersecurity strategies be continually updated to reflect the current state of attacks; this is one of the reasons MITRE’s framework exists today: to keep every organization updated. That often means going beyond the security solutions already in place and looking at how cybercriminals misuse your internal resources, which gives you obvious opportunities to further secure your environment.
Until remote access is implemented with security in mind first (and productivity second), it will remain a top-of-mind tool for the ransomware threat actor to take advantage of. By learning from the current state of ransomware attacks and evaluating the recommendations above, you will not only find your remote access in a far more secure state but also find your threat surface, both external and internal, significantly reduced.