Stop Ransomware Attacks at the Source.

Secure RDP, Kill the VPN

Everyone knows by now that preventing ransomware is one of the top cybersecurity challenges. Yet most solutions focus on detection once the attack is underway. Wouldn’t it be better to stop ransomware attacks at the source?

In my previous post, I shared our insights on the attacks used against exposed RDP hosts and VPN servers. Most enterprises today are adapting to the new “work from home” reality through widespread deployment of VPNs and Remote Desktop (RDP). However, as we outlined earlier, attackers exploit these solutions so extensively that it takes an average of 2 minutes for such a target to be attacked.

Not surprisingly, according to a recently published report by Coveware, RDP compromise is the most common attack vector for ransomware, accounting for ~60% of cases, followed by email phishing and software vulnerabilities.

Fig. 1: Coveware report: Ransomware Attack Vectors

This data shows that Microsoft RDP is both one of the most widely used remote desktop solutions and the most common attack vector for ransomware.

ZTNA Stops Ransomware at its Source

In order to prevent public access, some companies use VPN solutions to further limit access to RDP hosts, but in reality this approach just shifts the attack vector to the VPN servers and causes additional problems. For full technical details, check out “Using RDP together with VPN/MFA gives a false sense of security”.

TransientAccess, on the other hand, offers a simple and highly effective Zero Trust Network Access (ZTNA) solution that alleviates all of the aforementioned problems and stops ransomware at its source because:

1- RDP hosts are NEVER accessible from the internet. Remote access is limited to authenticated users only.

2- Unlike VPNs, no device is joining a private network, hence other PCs in the private network are not visible.

3- Even if the device is infected with ransomware, the malware does not even see the hidden “disposable network” created by TransientAccess.

4- TransientAccess builds a network of applications, not devices. Hence it is natively segmented at the application level.

See the benefits of using TransientAccess to protect RDP Solutions

This short video shows how simple it is to use RDP with TransientAccess. The user doesn’t need to know how to run the RDP client itself; everything is handled automatically for them. Put another way, simple isn’t easy. We’ve done the hard work of making it simple:

Accessing an RDP session with TransientAccess

So why TransientAccess?

Security:

  • ZTNA architecture provides private access to RDP hosts without any publicly exposed elements.
  • Even with unmanaged devices or infected machines, RDP sessions are protected against credential-stealing malware or ransomware.
  • Multi-Factor Authentication (MFA) support built-in.

Simplicity:

  • Zero-friction implementation with the simplicity and elasticity of a cloud delivered service.
  • No user education. Users do not even need to know how to use an RDP client. Everything is just one click away. RDP with TransientAccess is EASIER to use than RDP alone.

Low TCO:

  • No need to buy a VPN and MFA service; it’s built in.
  • No need to buy expensive licenses for alternative remote desktop tools like TeamViewer or LogMeIn.

Stop Ransomware Attacks at the Source. Secure RDP and kill the VPN with TransientAccess ZTNA.

Ready to try for yourself? Contact us and we’ll get you set up today.

Using RDP together with VPN/MFA gives a false sense of security

The COVID19 pandemic has caught the world unprepared. Enterprises, from small businesses to Fortune 100 companies, have been forced to enable “work from home” in literally a few days. Even companies which have already moved most of their workflows to the cloud have to keep up with unexpected demand for services which were NOT designed for consumption by 100% of the available workforce.

The majority of companies, on the other hand, seem to be leveraging remote desktop services and VPN-based solution architectures to allow their employees to access their workstations from home.

We can see this trend in Shodan.io data. According to Shodan (https://blog.shodan.io/trends-in-internet-exposure/), there is about a 41% increase in RDP (port 3389) services exposed to the Internet and about a 33% increase in VPN servers exposed to the Internet.
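The Shodan figures above describe the whole internet; the same exposure check applied to one's own cloud estate is an added example here, not code from the original post. It walks security-group rules in the shape of `aws ec2 describe-security-groups` output (a constructed sample, not real infrastructure) and reports rules that admit internet sources to RDP or common VPN ports, including all-traffic rules, which carry no port fields and are easy to miss.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (only the fields this check uses); not real infrastructure.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000000001", "GroupName": "jump-host", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000002", "GroupName": "vpn-gw", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0000000003", "GroupName": "internal-rdp", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

# Ports this check treats as remote-access entry points (RDP and common VPN ports).
REMOTE_ACCESS_PORTS = {3389: "RDP", 1194: "OpenVPN", 500: "IKE", 4500: "IPsec NAT-T"}

# Source ranges considered internal; anything not fully inside one of these is public.
TRUSTED_SOURCES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def is_public(cidr):
    """True unless the whole source range lies inside a private/local block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_SOURCES)

def exposed_remote_access(groups):
    """Return [(group_id, port, service, cidr)] for rules that admit public
    sources to a remote-access port. An all-traffic rule (IpProtocol "-1")
    has no FromPort/ToPort and is treated as exposing every listed port."""
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            public = [c for c in sources if is_public(c)]
            if not public:
                continue
            if rule["IpProtocol"] == "-1":
                ports = list(REMOTE_ACCESS_PORTS.items())
            else:
                lo, hi = rule["FromPort"], rule["ToPort"]
                ports = [(p, s) for p, s in REMOTE_ACCESS_PORTS.items() if lo <= p <= hi]
            findings.extend((g["GroupId"], p, s, c) for p, s in ports for c in public)
    return findings
```

Running the check against the sample flags the jump host (RDP open to 0.0.0.0/0) and the VPN gateway (all traffic from ::/0) while leaving the internal-only group alone.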

Companies have been struggling to securely enable BYOD and remote employee access for over a decade now. In a time of crisis, falling back on the decades-old legacy solutions available to them, specifically RDP- and VPN-based ones, is an expected trend. However, this trend brings significant cybersecurity implications with it.

These solutions inherit all the cybersecurity problems associated with them from the last 20 years.

BRUTE FORCE ATTACKS

Brute-force attacks are attacks in which the attacker tries to discover account credentials by systematically trying username and password combinations.

In our experiments, it took 2 minutes, on average, for an exposed RDP host to be a target of a brute force attack.

This literally means that, as soon as the PC is booted, it is attacked in the background, even before the user starts working. In order to experiment, we created 15 different Windows workstations publicly exposed through Amazon Cloud, Azure, Google Cloud or Verizon Wireless-based public IP addresses. We then checked the Windows security audit logs for failed login attempts. It took 2 minutes on average for the host to be discovered and attacked. Below is a screenshot of an audit log from one of the PCs. As soon as it was exposed, the attacker, possibly a bot from Russia, probed it.
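The audit-log check described above, as an added example rather than code from the original post: it runs over constructed Windows Security event records (failed-logon Event ID 4625 with source address and logon type, exported as CSV), flags sources that cross a failure threshold inside a sliding window, counts the distinct usernames each source tried, and measures how long after exposure the first probe arrived.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events exported to CSV (not real data).
# Columns: time, EventID, TargetUserName, IpAddress, LogonType. 4625 = failed
# logon, 4624 = success. With Network Level Authentication enabled, failed RDP
# logons are recorded as LogonType 3 rather than 10, so the detector counts both.
SAMPLE_EVENTS = """\
2020-04-02T10:01:02,4625,administrator,198.51.100.23,10
2020-04-02T10:01:03,4625,admin,198.51.100.23,10
2020-04-02T10:01:03,4625,user,198.51.100.23,10
2020-04-02T10:01:04,4625,test,198.51.100.23,10
2020-04-02T10:01:06,4625,guest,198.51.100.23,10
2020-04-02T10:07:30,4625,jsmith,203.0.113.9,10
2020-04-02T10:30:00,4624,jsmith,203.0.113.9,10
2020-04-02T11:00:00,4625,administrator,192.0.2.77,3
"""

def parse_events(text):
    """Parse the CSV export into dicts with a datetime and integer fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, ip, logon_type = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "user": user, "ip": ip, "logon_type": int(logon_type)})
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: (total_failures, distinct_usernames)} for every source that
    produced at least `threshold` failed RDP logons inside any `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] in (3, 10):
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span fits inside `window`.
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(fails), len({e["user"] for e in fails}))
                break
    return hits

def seconds_to_first_probe(events, exposed_at):
    """Seconds between the host going online (ISO timestamp) and the first failed logon."""
    fails = sorted(e["time"] for e in events if e["event_id"] == 4625)
    return (fails[0] - datetime.fromisoformat(exposed_at)).total_seconds() if fails else None
```

A single mistyped password (jsmith) is not flagged; the source that sprays five usernames in four seconds is, and the time-to-first-probe for the sample is the 2 minutes the experiment reports.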

Today, password protection alone is as good as no protection. If a PC is exposed to the internet through Windows RDP services without additional security measures, it should be assumed to have been attacked and owned already, because the majority of passwords are weak and can be cracked instantly.

Even a relatively “strong” 7-character password containing numbers, upper- and lower-case letters and special symbols can be cracked in 17 hrs.

DENIAL OF SERVICE ATTACKS

In a denial-of-service (DoS) attack, the attacker consumes the available computing resources so that legitimate users cannot reach the requested services. For companies which rely on RDP for their day-to-day business operations, protection against DoS attacks is critical for business continuity. Unfortunately, such protection is not straightforward to implement when legacy solutions like RDP or VPNs are used. Having most of the workforce on remote desktop services makes “the RDP” a critical component for any company, as critical as industrial control systems.

And keeping in mind that most companies had only a few days to enable remote access, it is safe to assume that they are now vulnerable to a new type of ransomware attack: DoS against their business continuity.

Attacking an unprotected host does not require much from the attacker’s side: 1 Mbps of traffic is enough to disable a VPN, a firewall or an RDP host!

A FALSE SENSE OF SECURITY: MFA AND VPN AUGMENTATION

In order to mitigate the cybersecurity risks, some companies couple their RDP based architectures with VPN and MFA (Multi-factor Authentication) solutions.

However, while they might mitigate certain attack vectors, the threats outlined above are not really addressed effectively.

Use of a VPN solution alone does not mitigate the risk of brute-force or DoS attacks; it just moves the attackers’ target from the RDP host to the VPN server itself, potentially making the impact of a successful attack even worse, because the VPN server becomes a single point of failure.

Use of a multi-factor authentication (MFA) solution mitigates the risk of brute-force attacks. However, when used to protect access to legacy solutions like VPNs and RDP services, it does NOT address the fundamental problem: the authentication happens AFTER connections are established to the protected resources, i.e. the VPN server. This unauthenticated connectivity leaves the resources exposed to a wide range of attacks.

MFA does not protect against DoS attacks on VPN or RDP gateways, and it offers no protection against direct exploitation attacks either. VPN servers, just like RDP services, are direct targets of attackers. Bots are constantly scanning for exposed VPN servers to exploit vulnerabilities in them, such as Palo Alto Networks (CVE-2019-1579), Fortinet (CVE-2018-13382, CVE-2018-13383, CVE-2018-13379), Pulse Secure (CVE-2019-11510, CVE-2019-11508, CVE-2019-11540, CVE-2019-11543, CVE-2019-11541, CVE-2019-11542, CVE-2019-11539, CVE-2019-11538, CVE-2019-11509) and Citrix (CVE-2019-19781).

Attackers have been hitting companies that use these solutions: Airbus (using Palo Alto) and Travelex (using Pulse Secure) were recently breached through their exposed VPN servers.

ENABLE SECURE REMOTE DESKTOP ACCESS WITH TRANSIENTACCESS

TransientAccess and its disposable networking technology address all the security problems listed above while still enabling remote desktop access. A disposable network is a hidden, temporary network built for each user on demand. It is exposed only to the user for whom it is created, and it is destroyed as soon as that user disconnects. More information on the technology can be found at: Disposable Networks. A video about TransientAccess and how it works can be found at https://www.youtube.com/watch?v=LUwG3ufAZFE&t=679s

STOP DENIAL OF SERVICE ATTACKS TO RDP SERVICES

With TransientAccess, resources such as RDP hosts are not exposed to the internet. Since they are not directly accessible, they are not vulnerable to DoS attacks. When an access request is orchestrated, the user is first pre-authenticated by the TransientX cloud. Only after that authentication is a hidden network containing the remote host and the user’s device built for the authenticated user, allowing temporary remote access without internet exposure.

STOP BRUTE FORCE ATTACKS TO RDP SERVICES

With TransientAccess, because access to RDP services happens inside a hidden disposable network, nothing is exposed to the Internet and hence attackers cannot target the host. The TransientAccess cloud employs modern authentication technologies, such as integration with identity providers like Okta or Azure AD. Administrators can also make effective use of MFA, making the technology work for legacy solutions as well.

WORK FROM HOME SECURELY AND EFFECTIVELY

TransientAccess also provides endpoint data loss prevention (DLP) features specifically designed for unmanaged devices, making it a suitable BYOD solution without any dependency on MDM/MAM. As part of our social responsibility, we are providing a no-cost subscription for it.