RDP Vulnerabilities could Bring New Devastating WannaCry Attack

RDP (Remote Desktop Communication Protocol) vulnerabilities are still a nightmare for system administrators even though the hackers have been known to exploit the RDP vulnerability since 2011. Can it be the same threat as the devastating WannaCry attack of two years ago?

Last year, criminal groups behind the network of Matrix and SamSam, two of the largest targeted malicious software attacks, almost completely abandoned other network intrusion methods and used the RDP vulnerability instead to launch attacks.
According to the latest research report, attackers can almost find devices that can connect to the network and open RDP functions anytime, while using RDP vulnerabilities to attack major enterprises.
According to Matt Boddy, a security expert from Sophos, a recent RDP remote code execution vulnerability called BlueKeep (CVE-2019-0708) has caused a lot of attention. This vulnerability could bring global malware outbreaks in a matter of hours. BlueKeep is just the tip of the iceberg, so preventing RDP vulnerabilities is more than just patching the system to prevent it. IT administrators must pay more attention to the overall operation of RDP, because the research found that cybercriminals will use passwords to guess attacks to find out the PC that becomes vulnerable to intrusions due to RDP vulnerabilities.
The main findings of the research report are:

• All 10 honeypots received a record of attempting to log in within one day
• RDP vulnerability exposes related computers in as little as 84 seconds
• All RDP honeypots recorded a total of 4,298,513 login failures within 30 days, averaging approximately every 6 seconds.
• The industry generally believes that cybercriminals are looking for open RDP vulnerability sources through sites such as Shodan, but research has found that they actually use their own tools and technologies, and do not necessarily rely on third-party websites to find access routes.

Hacker behavior analysis:
According to the research results, three characteristics of hacker attack patterns are identified – The ram, The swarm and The hedgehog:

• The ram is a strategy set to crack the administrator password. For example, an attacker tried 109934 times to log in honeypots in Ireland within 10 days. Finally, they needed only three user names to successfully access the platform.
• The swarm will make use of the sequential user name and the most common passwords with limited digits. For example, an attacker attempts to log in to the honeypots in Paris for 9 times with the user name “ABrown” within 14 minutes, then switch to “BBrown”, “CBrown” , “DBrown”, and so on, and then use “A.Mohamed”, “AAli”, “ASmith” to repeat the above heuristic mode with other user names.
• The hedgehog starts a large number of attacks first, following by a long static time. For example, the honeypots in Brazil can see that each attack peak comes from the same IP address. That takes about 4 hours, including 3,369 to 5,199 password guesses.

Today, more than 3 million devices worldwide are accessible through RDP and have become the focal point of cybercriminals’ attacks. These attackers almost have given up on using other methods, but only cracked RDP password by brute force to successfully invade the enterprises. As all honeypots were exposed to the Internet due to RDP and were discovered by attackers within hours, enterprises must minimize the use of RDP features and ensure that password management within the enterprises is effective. Also, enterprises must tailor their security protocols to withstand endless cyber attacks. Patch your older Windows PCs to prevent the serious vulnerability.

Published by & last updated on August 5, 2019 3:28 am