Network tunneling is increasingly used by attackers abusing RDP
The Remote Desktop Protocol (RDP) is a Windows component designed to give administrators and users a remote access path to their systems. According to a report from the network security and ethical hacking specialists of the International Institute of Cyber Security, malicious hackers have been abusing this feature to attack vulnerable systems, because such attacks can be harder to detect than a backdoor.
“Malicious users resort to the use of RDP because of its stability and functionality over a backdoor. We have detected that hackers use the native functions of Windows RDP to connect laterally through systems in compromised environments,” commented the specialists.
According to network security specialists, access to a system via RDP allows attackers to gain persistence, although it depends on a separate attack vector, such as phishing, to get into the compromised system in the first place. In addition, attackers have increasingly resorted to ‘network tunneling’ and host-based port forwarding.
With these techniques, attackers can establish a connection to a remote server that a firewall would otherwise block, and then use that connection as a transport to ‘dig a tunnel’ through the firewall to local services.
One utility used to tunnel RDP sessions is PuTTY Link (Plink), which establishes SSH connections to other systems. According to network security experts, because many environments neither inspect protocols nor block SSH traffic leaving their network, attackers can use the tool to create encrypted tunnels and carry RDP connections over them to their C&C server.
RDP sessions also allow attackers to move laterally through an environment: the native Windows network shell command (netsh) can be used to configure RDP port forwarding and so discover segmented networks.
Host- and network-based prevention and detection mechanisms must give organizations the defenses they need to mitigate these kinds of attacks, experts say.
Disabling RDP when it is not in use and enabling host firewall rules that block inbound RDP connections are also helpful measures for reducing risk.
At the network level, administrators should enforce that RDP connections originate from a designated jump box or central administration server, avoid using privileged accounts for RDP, review firewall rules to identify port-forwarding weaknesses, and inspect the content of network traffic.
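One host-based check that complements the advice above: an RDP session delivered through a Plink or netsh tunnel arrives at the RDP listener from the host itself, so its Source Network Address is a loopback address (127.0.0.x or ::1) rather than a client's LAN address. The script below is an added example, not code from the article or the institute; it assumes session events have been exported from the Windows TerminalServices-LocalSessionManager/Operational log as one JSON record per line, and the sample records are constructed for illustration.

```python
import ipaddress
import json

# Event IDs in the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
# log that record an RDP session logon (21) or reconnection (25).
RDP_SESSION_EVENTS = {21, 25}

# Constructed sample records (not real telemetry), one JSON object per line,
# shaped like a minimal export of the operational log.
SAMPLE_EVENTS = r"""
{"EventID": 21, "User": "CORP\\jdoe", "SessionID": 2, "SourceNetworkAddress": "10.20.30.40"}
{"EventID": 21, "User": "CORP\\svc_backup", "SessionID": 3, "SourceNetworkAddress": "127.0.0.2"}
{"EventID": 25, "User": "CORP\\admin", "SessionID": 3, "SourceNetworkAddress": "::1"}
{"EventID": 23, "User": "CORP\\jdoe", "SessionID": 2, "SourceNetworkAddress": "10.20.30.40"}
{"EventID": 21, "User": "CORP\\helpdesk", "SessionID": 4, "SourceNetworkAddress": "LOCAL"}
"""


def is_loopback_source(addr: str) -> bool:
    """True when the session's source address is a loopback address.

    A session from 127.0.0.x or ::1 was not initiated across the network; it was
    handed to the RDP listener by a process on the host, which is what an SSH
    (Plink) or netsh port-forward tunnel looks like from the server's side.
    """
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        # Console logons are recorded as "LOCAL"; anything unparsable is not an IP.
        return False


def find_tunneled_rdp(raw_events: str) -> list[dict]:
    """Return session logon/reconnect events whose source address indicates tunneling."""
    hits = []
    for line in raw_events.strip().splitlines():
        event = json.loads(line)
        if event["EventID"] in RDP_SESSION_EVENTS and is_loopback_source(event["SourceNetworkAddress"]):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_tunneled_rdp(SAMPLE_EVENTS):
        print(f"possible tunneled RDP: session {hit['SessionID']} for {hit['User']} "
              f"from {hit['SourceNetworkAddress']}")
```

Only the two sessions sourced from loopback are reported; the session from 10.20.30.40 and the console logon marked LOCAL are left alone, and a session-logoff event (23) is ignored regardless of address.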