COVID-19 Telework Introduces New Cyber Threats Related to RDP
The COVID-19 pandemic and its forced shift to telework have created a number of security challenges for organizations. For a company accustomed to most or all of its employees working on-site, supporting and securing a mostly or wholly remote workforce can be quite a challenge.
As a result of the forced shift to telework, many organizations are using the Remote Desktop Protocol (RDP) to allow employees to control their office computers from home. However, this has exposed these systems to attack. Organizations must put security solutions in place to protect company-owned machines, and should deploy honeypots to collect information about how they are being attacked, enabling them to prioritize defensive efforts.
The Need for RDP with COVID-19
During the COVID-19 pandemic, a large number of companies rapidly transitioned most or all of their workforce to telework within a matter of weeks. Many organizations lacked a formal telework program or only had a fraction of employees teleworking at any given time. As a result, these organizations were unprepared to securely support such a large remote workforce.
One issue with this sudden transition to remote work was that many employees did not have corporate-owned laptops configured for remote work, so they ended up working on personal devices. However, many employees require specialized applications for their work that would be expensive or impossible to install on those personal devices.
RDP provided a solution to this issue. Rather than installing a wide range of software on employees’ devices, all an organization needed to do to enable employees to work from home was to allow RDP connections through the company firewall. RDP allowed the teleworkers to remotely control their company-owned computers in their on-site offices (which had all necessary software and data available to them) from their personal device at home.
The Challenge of Securing RDP
The use of RDP enabled teleworkers to work effectively from home; however, it also created potential security issues. The increased use of RDP by teleworkers meant that more organizations had it installed and accessible from outside their internal network. This created a large target for cybercriminals.
RDP is designed to provide a remote worker with a similar experience to working from their desk. An employee can log in with their normal user credentials and control the remote machine from their local machine.
The problem with this setup is that the security of the organization now rests on the password strength of employees’ corporate logins. Password security has been a long-standing problem for corporate cybersecurity. A high percentage of employees use passwords designed to meet the letter of corporate password policies while ignoring their spirit. These seemingly strong passwords – keyboard patterns, common words or names with character substitutions (@ for a, etc.), and numbers or symbols appended to an otherwise weak password – are well known to cybercriminals and easily guessed with password cracking tools.
Employees who reuse passwords across personal and business accounts, which is true for 62% of employees, create security risks as well. Data breaches and phishing attacks geared at harvesting login credentials have become common, and cybercriminals routinely try credentials stolen from one account against others. As a result, the security of an employee’s company computer – now exposed via RDP to the public Internet – may depend on the security of every other site sharing that set of login credentials, and on the employee’s susceptibility to phishing.
The Rise of RDP Attacks During COVID-19
The increased use of RDP in response to COVID-19 has created a perfect opportunity for cybercriminals and a significant challenge for security teams. Differentiating between an employee logging in to their computer via RDP and a cybercriminal doing the same can be difficult or impossible. As a result, it is logical for cybercriminals to take advantage of the situation and attempt to gain access to company environments via RDP.
During the COVID-19 pandemic, cybercriminals have certainly done so. In the second week of April 2020, the number of attacks attempting to brute force user login credentials via RDP within the US was six to seven times the normal amount.
This represents a serious threat to an organization’s cybersecurity. In general, an attacker gaining access to devices inside the corporate perimeter is a data security problem since it is possible to use this foothold to gain access to data and company resources using the compromised user account. However, RDP is also a favorite tool of cybercriminals for planting ransomware, meaning that attacks could also incorporate a Denial of Service (DoS) component.
Detecting and Protecting Against RDP Attack Campaigns
For some organizations, the use of RDP or similar protocols is a necessity during COVID-19. That being said, it is possible to reduce the risk associated with these protocols by allowing access to RDP only through a corporate virtual private network (VPN) and by implementing secure authentication measures such as strong password policies and multi-factor authentication (MFA).
Beyond that, knowing whether an organization is currently being targeted by a particular type of attack is useful for prioritizing defenses. This is where honeypots become invaluable. By deploying a honeypot with RDP exposed to the Internet, an organization can determine whether it is actively being targeted and, potentially, which usernames and passwords the attacker is trying.
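The brute-force pattern described above shows up in the Windows Security log as bursts of Event ID 4625 (failed logon) with LogonType 10 (RemoteInteractive, i.e. RDP). The following detection script is an added example, not code from the original article: it assumes those events have been exported as JSON lines with the field names shown, and the threshold, window and sample records are constructed for illustration.

```python
"""Flag RDP password-guessing from exported Windows Security log records.
Added example, not from the article. Assumes events were exported as JSON
lines with the fields below; thresholds and sample records are constructed."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta
FAILED_LOGON_EVENT = 4625   # Windows Security: an account failed to log on
RDP_LOGON_TYPE = 10         # LogonType 10 = RemoteInteractive (RDP)
THRESHOLD = 5               # failures from one source within WINDOW -> alert
WINDOW = timedelta(minutes=2)

# Constructed sample records, not real telemetry (TEST-NET addresses).
SAMPLE_LOG = """\
{"ts": "2020-04-08T09:00:01", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"}
{"ts": "2020-04-08T09:00:02", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "admin"}
{"ts": "2020-04-08T09:00:03", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"}
{"ts": "2020-04-08T09:00:04", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "jsmith"}
{"ts": "2020-04-08T09:00:05", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"}
{"ts": "2020-04-08T09:01:00", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.20", "user": "jsmith"}
{"ts": "2020-04-08T09:30:00", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.20", "user": "jsmith"}
{"ts": "2020-04-08T09:31:00", "event_id": 4625, "logon_type": 2, "ip": "-", "user": "jsmith"}
"""

def parse_rdp_failures(text):
    """Keep only failed RDP logons (4625 + type 10); other 4625s are local/console."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        if rec["event_id"] == FAILED_LOGON_EVENT and rec["logon_type"] == RDP_LOGON_TYPE:
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return events

def detect_bruteforce(text, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: Counter(usernames)} for every source that produced
    `threshold` or more RDP failures inside some `window`-long sliding interval."""
    by_ip = defaultdict(list)
    for rec in parse_rdp_failures(text):
        by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = Counter(r["user"] for r in recs)  # accounts being guessed
                break
    return alerts
if __name__ == "__main__":
    for ip, users in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {sum(users.values())} RDP failures; accounts tried: {users.most_common(3)}")
```

The per-source username tally is the same information the honeypot approach yields, so the alert output doubles as a list of which accounts the campaign is targeting.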