Without using social engineering at all, malware authors can break in and gain access to privileged information. This poses a greater threat at a time when everyone is working from home.
As the world prepares to move to remote work, malware authors see an opportunity to compromise the systems they have been watching. Using the Remote Desktop Protocol (RDP), attackers can take over a previously disconnected session and execute malware in each one they reach.
RDP is a feature built into the Windows OS that helps system administrators manage systems and troubleshoot users' issues. However, this convenient way of troubleshooting a system often opens a doorway for attackers to exploit.
One well-known ransomware worm, WannaCry, can enumerate remote desktop sessions in an attempt to hijack them and execute the malware in each of them. Dealing with such threats at scale is difficult for an organization, especially when attackers want to get the most out of the current pandemic situation.
Attackers can breach the network and inject malware without being detected. Even if an organization has event monitoring in place, the activity will appear to come from an authorized user. This illustrates the challenges that lie ahead for organizations.
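The session activity itself does look like the legitimate user's, but the reconnection is still logged. As an added example (not code from the original article), the script below correlates Windows Security events 4779 (session disconnected) and 4778 (session reconnected) for the same LogonID and flags a reconnect whose ClientName/ClientAddress differ from the client that disconnected the session. The event field names are real; the event records are constructed sample data, and treating a changed client as worth investigating is an assumed heuristic, not a rule from the article.

```python
# Added example: flag RDP sessions resumed from a different client than the one
# that disconnected them. Event field names (AccountName, LogonID, SessionName,
# ClientName, ClientAddress) match Security events 4778/4779; the sample events
# are constructed, and the "client changed" heuristic is an assumption.
from dataclasses import dataclass


@dataclass
class SessionEvent:
    event_id: int        # 4778 = session reconnected, 4779 = session disconnected
    account: str         # AccountName
    logon_id: str        # LogonID ties both events to one logon session
    session: str         # SessionName, e.g. RDP-Tcp#3
    client_name: str     # ClientName
    client_addr: str     # ClientAddress ("LOCAL" when the reconnect is local)


SAMPLE_EVENTS = [  # constructed sample data, not real log records
    SessionEvent(4779, "alice", "0x3E7A1", "RDP-Tcp#1", "ALICE-LAPTOP", "10.0.0.25"),
    SessionEvent(4778, "alice", "0x3E7A1", "RDP-Tcp#2", "ALICE-LAPTOP", "10.0.0.25"),
    SessionEvent(4779, "bob",   "0x51C0F", "RDP-Tcp#4", "BOB-DESKTOP",  "10.0.0.40"),
    SessionEvent(4778, "bob",   "0x51C0F", "RDP-Tcp#5", "FILESRV01",    "LOCAL"),
]


def find_suspicious_reconnects(events):
    """Return (account, logon_id, previous_client, new_client) for every 4778
    whose client differs from the most recent 4779 of the same LogonID."""
    last_disconnect = {}   # logon_id -> most recent disconnect event
    findings = []
    for ev in events:
        if ev.event_id == 4779:
            last_disconnect[ev.logon_id] = ev
        elif ev.event_id == 4778:
            prev = last_disconnect.get(ev.logon_id)
            if prev is None:
                continue   # first connection of a logon: nothing to compare against
            same_client = (prev.client_name, prev.client_addr) == (ev.client_name, ev.client_addr)
            if not same_client:
                findings.append((ev.account, ev.logon_id,
                                 f"{prev.client_name}/{prev.client_addr}",
                                 f"{ev.client_name}/{ev.client_addr}"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_reconnects(SAMPLE_EVENTS):
        print("investigate reconnect:", finding)
```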
The following are a few ways that attackers use an already running session to breach the network:
Hijacking without using a password
To hijack another user's session, the malware authors need access to the RDP host. The attacker can use the account of a compromised employee of an organization, as part of a sophisticated advanced persistent threat (APT) attack.
This means the attacker can also gain the ability to access other users' sessions on the network without ever using a password. Another way attackers can exploit the system and user sessions is with the RDP hijacking utility known as SharpRDPHijack. It is an open-source .NET implementation that allows attackers to access a session without using any credentials.
It works like this: when an attacker chooses to connect to a session, the utility redirects them to the active RDP session. Such a breach of network security by accessing individual sessions puts a company's infrastructure at huge risk. However, there are a few ways this can be prevented:
Strengthening Group Policy:
Instead of leaving sessions in a dormant (disconnected) state, the system's group policy setting should be changed to log off users either instantly or shortly after they disconnect from an RDP session. This ensures that an attacker will not be able to resume any session.
Network Exposure:
To ensure the safety and security of a system, it is best not to expose RDP services and ports to the internet. But, due to the nature of remote administration, an organization may have no choice.
However, using Microsoft Remote Desktop Gateway or Azure Multi-Factor Authentication Server, one can securely expose a session to the internet. Adopting such practices in a Windows-centric IT environment helps ensure the system is secure.
RDP hijacking is nothing new; it is rather an old technique used by malware authors to exploit weaknesses of the Windows RDP service. A vast number of enterprises use Windows, so knowing about these practices can help secure an organization's environment and infrastructure.