In May we already reported on a security vulnerability in Microsoft RDP (BlueKeep) with great potential for damage. Since then the vulnerability has been studied extensively by security specialists, and very detailed descriptions of it exist. Apparently prompted by it, Microsoft audited the RDP code and discovered further vulnerabilities (CVE-2019-1181, CVE-2019-1182) with similar potential for damage. In this article you will learn what they are and which immediate measures you should take.
Two phrases make hackers and security specialists sit up and take notice of the new vulnerabilities: Remote Code Execution and Pre-Auth. Why? Because they can be exploited without prior authentication, and because arbitrary code can then be run on the target system; together, that means the vulnerabilities can be exploited to the full. Just like the one in May, these gaps have the potential for a worm, similar to WannaCry, NotPetya or BlueKeep. Microsoft has released security patches for these vulnerabilities, so it is probably a matter of days or weeks before the patches are reverse engineered and an exploit becomes available.
Recommendations for dealing with RDP
Because of the new loopholes in the widely used Microsoft RDP service, we have put together some recommendations on how to use RDP:
Only run the RDP service if you absolutely need it; better still, disable RDP wherever it is not strictly necessary for the remote management of systems.
No RDP systems at the perimeter
Make sure that the Microsoft RDP service is not accessible from the Internet. We recommend a firewall rule on the perimeter that blocks port 3389/TCP. Apart from the security loopholes themselves, weak passwords on RDP services at the perimeter are often the reason an entire company network becomes infected, for example with the ransomware Ryuk or MegaCortex.
There are now large botnets that do nothing but search for weak RDP passwords. If you provide customer services via RDP or have to perform remote maintenance tasks over the Internet via RDP, we strongly recommend that you additionally secure the connection with a VPN.
Activate Network Level Authentication
If you cannot disable RDP under any circumstances, you should at least enable NLA (Network Level Authentication). This provides partial protection, because an attacker can only reach the vulnerable code after successful authentication.
Install Microsoft patches
Not only the systems at the perimeter represent a danger, but also every internal system on which RDP is enabled. The reason is obvious: it is predictable that malware will soon use such gaps to move laterally through the network. This is why you should protect your systems as soon as possible with the patches Microsoft has made available (see the advisories for CVE-2019-1181 and CVE-2019-1182): https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182
Use complex passwords
For systems on which RDP is enabled, use complex passwords. There are already botnets that automatically try combinations of company names, years and the like, so with a weak password it is only a matter of time before an attacker gains access to the system.
The same applies here as to all security gaps: you need to respond quickly rather than wait until something happens. By using RDP securely, you protect your business more effectively against both targeted and opportunistic attacks.
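The recommendations above can be checked on each Windows host with a short audit script. The following PowerShell script is an added example, not part of the original article and not a vendor tool: it reports whether RDP is enabled, whether NLA is enforced, whether an inbound block rule for 3389/TCP exists, which accounts may log on via RDP, and whether the required hotfixes are installed. It uses the standard Terminal Server registry values and the built-in NetSecurity cmdlets; the -Remediate switch, the rule name and the hotfix list are assumptions, and the KB identifiers are placeholders to be taken from the Microsoft advisory for the host's OS build. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article): audit one Windows host's RDP
# exposure against the recommendations above. Without -Remediate it only reports.
[CmdletBinding()]
param(
    # Assumed switch: apply the NLA setting and the firewall block rule.
    [switch]$Remediate,
    # Placeholder: take the KB numbers for your OS build from the Microsoft
    # advisories for CVE-2019-1181 / CVE-2019-1182; they are not on this page.
    [string[]]$RequiredHotfixes = @('KB-PLACEHOLDER-FROM-ADVISORY')
)

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = Join-Path $tsKey 'WinStations\RDP-Tcp'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Is the RDP listener enabled? fDenyTSConnections = 1 means RDP is switched off.
#    Disabling RDP is deliberately not automated here: it could lock out admins.
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($denyTs -ne 1)
if ($rdpEnabled) {
    $findings.Add('RDP is enabled; disable it unless this host must be managed remotely.')
}

# 2. Network Level Authentication: UserAuthentication = 1 forces authentication
#    before a session is created, which limits exposure to pre-auth bugs.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($rdpEnabled -and $nla -ne 1) {
    $findings.Add('NLA is not enforced on the RDP-Tcp listener.')
    if ($Remediate) {
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    }
}

# 3. Perimeter exposure: look for an enabled inbound block rule covering 3389/TCP.
#    This complements, but does not replace, the block on the perimeter firewall.
$blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }
if ($rdpEnabled -and -not $blockRule) {
    $findings.Add('No inbound firewall rule blocks 3389/TCP on this host.')
    if ($Remediate) {
        # Assumed rule name; blocks RDP on the Public profile only, so domain and
        # private networks keep working for legitimate remote administration.
        New-NetFirewallRule -DisplayName 'Block RDP from Public networks (added example)' `
            -Direction Inbound -Protocol TCP -LocalPort 3389 -Profile Public -Action Block | Out-Null
    }
}

# 4. Password hygiene: list the accounts that may log on via RDP so their password
#    strength and lockout policy can be reviewed (membership only, no secrets).
$rdpUsers = @()
try {
    $rdpUsers = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction Stop).Name
} catch {
    $findings.Add("Could not enumerate 'Remote Desktop Users': $($_.Exception.Message)")
}

# 5. Patch level: every required hotfix must appear in the installed list.
$installed = (Get-HotFix -ErrorAction SilentlyContinue).HotFixID
foreach ($kb in $RequiredHotfixes) {
    if ($installed -notcontains $kb) {
        $findings.Add("Required hotfix $kb is not installed.")
    }
}

# Summary object, suitable for collection across many hosts via Invoke-Command.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    RdpEnabled       = $rdpEnabled
    NlaEnforced      = ($nla -eq 1)
    Port3389Blocked  = [bool]$blockRule
    RdpUsers         = $rdpUsers
    MissingHotfixes  = @($RequiredHotfixes | Where-Object { $installed -notcontains $_ })
    Findings         = $findings.ToArray()
}
```

For a fleet-wide view, run the script through Invoke-Command against the list of servers from Active Directory and export the resulting objects to CSV; hosts with RdpEnabled set to true and Port3389Blocked set to false on Internet-facing networks are the ones to fix first.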
When the heat's on – Incident Response Retainer
A cyber attack can hit any business. Our Incident Response Retainer is the ideal solution when you need to be prepared and to act quickly, efficiently and effectively in an emergency, 24/7.
- Support from our experienced Computer Security Incident Response Team (CSIRT)
- Detect and isolate the attacker as quickly as possible
- Comprehensive damage analysis by security experts from our Swiss Cyber Defence Center
- Support in restoring normal operations
- Guaranteed compliance with the obligation to report a security incident (within 72 hours under the GDPR)
Interested? Find out more about our Incident Response Retainer here: