For the last two months the infosec world has been waiting to see if and when criminals will successfully exploit CVE-2019-0708, the remote, wormable vulnerability in Microsoft’s RDP (Remote Desktop Protocol), better known as BlueKeep. The expectation is that sooner or later a BlueKeep exploit will be used to power some self-replicating malware that spreads around the world (and through the networks it penetrates) in a flash, using vulnerable RDP servers.
In other words, everyone is expecting something spectacular, in the worst possible way.
But while companies race to ensure they’re patched, criminals around the world are already abusing RDP successfully every day, in a different, no less devastating but much less spectacular way.
Many of the millions of RDP servers connected to the internet are protected by no more than a username and password, and many of those passwords are bad enough to be guessed, with a little (sometimes very little) persistence. Correctly guess a password on one of those millions of computers and you’re into somebody’s network.
It isn’t a new technique, and it sounds almost too simple to work, yet it’s popular enough to support criminal markets selling both stolen RDP credentials and compromised computers. The technique is so successful that the criminals crippling city administrations, hospitals, utilities and enterprises with targeted ransomware attacks, and demanding five- or six-figure ransoms, seem to like nothing more.
Noting the popularity of RDP password guessing in targeted ransomware attacks, Sophos’s Matt Boddy and Ben Jones (who you may have heard on the Naked Security podcast) set out to measure how quickly an RDP-enabled computer would be discovered, and just how many password guessing attacks it would have to deal with every day.
They set up 10 geographically dispersed RDP honeypots and sat back to observe. One month and over 4 million password guesses later they switched off the honeypots, just as CVE-2019-0708 was announced.
The low interaction honeypots were Windows machines in a default configuration, hosted on Amazon’s AWS cloud infrastructure. They were set up to log login attempts while ensuring attackers could never get in, giving the researchers an unhindered view of how many attackers came knocking, and for how long, and how their tactics evolved over the 30-day research period.
The first honeypot to be discovered was found just one minute and 24 seconds after it was switched on. The last was found in just a little over 15 hours.
Between them, the honeypots received 4.3 million login attempts at a rate that steadily increased through the 30-day research period as new attackers joined the melee.
While the majority of attacks were quick and simple attempts to dig out an administrator password with a very short password list, some attackers employed more sophisticated tactics.
The researchers classified three different password guessing techniques used by some of the more persistent attackers and you can read more about them — the Ram, the Swarm, and the Hedgehog — in the whitepaper.
What to do?
RDP password guessing shouldn’t be a problem it isn’t new, and it isn’t particularly sophisticated – and yet it underpins an entire criminal ecosystem.
In theory, all it takes to solve the RDP problem is for all users to avoid really bad passwords. But the evidence is they won’t, and it isn’t reasonable to expect they will. The number of RDP servers vulnerable to brute force attacks isn’t going to be reduced by a sudden and dramatic improvement in users’ password choices, so it’s up to sysadmins to fix the problem.
While there are a number of things that administrators can do to harden RDP servers, most notably two-factor authentication, the best protection against the dual threat of password guessing and vulnerabilities like BlueKeep is simply to take RDP off the internet. Switch off RDP where it isn’t absolutely necessary, or make it accessible only via a VPN (Virtual Private Network) if it is.