source : gbhackers
A Microsoft Windows component, RDP was designed to provide administrators, engineers, and users with remote access to systems. However, threat actors have been using the technology for nefarious purposes, and the trend continues, especially since an RDP attack is usually more difficult to detect than a backdoor.
“Threat actors continue to prefer RDP for the stability and functionality advantages over non-graphical backdoors, which can leave unwanted artifacts on a system.”
These allow attackers to establish a connection with a remote server blocked by a firewall and abuse that connection as a transport mechanism to “tunnel” local listening services through the firewall, thus rendering them accessible to the remote server.
Network tunneling and port forwarding take advantage of firewall “pinholes” (ports not protected by the firewall that allow application access to a service on a host in the network protected by the firewall) to establish a connection with a remote server blocked by a firewall.
Once a connection has been established to the remote server through the firewall, the connection can be used as a transport mechanism to send or “tunnel” local listening services (located inside the firewall) through the firewall, making them accessible to the remote server (located outside the firewall).
One utility used to tunnel RDP sessions is PuTTY Link, or Plink, which allows attackers to establish a secure shell (SSH) network connections to other systems. With many IT environments either not inspecting protocols or not blocking SSH communications outbound from their network, attackers can use the tool to create encrypted tunnels and establish RDP connections with the command and control (C&C) server.
How it works?
Inbound RDP Tunneling , a common utility used to tunnel RDP sessions is PuTTY Link, commonly known as Plink.
Jump Box Pivoting
Not only RDP is the perfect tool for accessing compromised systems externally, but RDP sessions can also be daisy chained across multiple systems as a way to move laterally through an environment.
FireEye has observed threat actors using the native Windows Network Shell (netsh) command to utilize RDP port forwarding as a way to access newly discovered segmented networks reachable only through an administrative jump box.
“For example, a threat actor could configure the jump box to listen on an arbitrary port for traffic being sent from a previously compromised system. The traffic would then be forwarded directly through the jump box to any system on the segmented network using any designated port, including the default RDP port TCP 3389,”
Prevention of RDP Tunneling
If RDP is enabled, threat actors have a way to move laterally and maintain presence in the environment through tunneling or port forwarding. To mitigate vulnerability to and detect these types of RDP attacks, organizations should focus on both host-based and network-based prevention and detection mechanisms.
- Remote Desktop Service: Disable the remote desktop service on all end-user workstations and systems for which the service is not required for remote connectivity.
- Host-based Firewalls: Enable host-based firewall rules that explicitly deny inbound RDP connections.
- Local Accounts: Prevent the use of RDP using local accounts on workstations by enabling the “Deny log on through Remote Desktop Services” security setting.