Security leaders say that while ransomware gangs have added VPN bugs to their arsenal, RDP remains their most widely used entry point
Organizations across the world reported security breach incidents during the pandemic lockdown, and it was noted that hackers had also stepped up attacks on secure VPNs. Despite this, the most common way into enterprise networks remains vulnerable Remote Desktop Protocol (RDP) endpoints.
CIOs point out that, in normal circumstances, ransomware groups run different operations depending on their skill set; however, most of the attacks during the pandemic were launched through a limited number of intrusion methods that the gangs had perfected for the pandemic scenario. The most popular methods used by hackers include email phishing, exploitation of corporate VPN appliances, and unprotected RDP endpoints.
Remote Desktop Protocol
As per Zdnet.com, multiple reports put RDP as the top intrusion method used by hackers and the most significant source of ransomware attacks. Leading security organization Emsisoft released a guide for organizations on how to protect RDP endpoints from ransomware attacks.
RDP is used by nefarious actors to access Windows computers on an enterprise network and deploy malware, ransomware, and similar payloads. Spear phishing and insecure RDP are the preferred ways to install ransomware. Password guessing, unpatched RDP, and SSH issues were other common ways used by hackers.
In previous attacks, CIOs say, the Ragnar Locker group exploited vulnerabilities in managed service providers or Windows RDP to gain illegal access to targeted enterprise networks. Maze ransomware gangs used spam mails, kits, and remote device connections with weak passwords to gain a foothold.
CISOs clarify that many organizations mistakenly attributed the increase in RDP attacks to the remote work environment brought on by the pandemic lockdown. In fact, the technique has been the favored intrusion vector for hackers since 2019, when they suddenly stopped targeting SMEs and home users and shifted entirely to targeting prominent organizations instead.
In the current scenario, enterprises consider RDP the best way to connect to remote systems. Many devices with RDP ports are currently left exposed online without protection. As a result, RDP is the primary attack vector not only for ransomware hackers but for any cybercriminal.
Nefarious actors have taken to scanning the online space for vulnerable RDP endpoints and launching brute-force campaigns against them. The aim is to obtain valid credentials for those endpoints. Endpoints with weak usernames and passwords are often compromised and easy to hack.
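The brute-force campaigns described above leave a recognizable trace on the target: a burst of failed logons from one source address, often followed by a successful one. The following is an added example, not code from the article or from any vendor it mentions, that flags such bursts in exported Windows Security events. The event IDs and logon type are real Windows values (4625 failed logon, 4624 successful logon, logon type 10 RemoteInteractive, i.e. RDP); the JSON field names, the thresholds and the sample records are assumptions constructed for this example.

```python
"""Flag RDP brute-force and password-spray bursts in Windows Security events.

Added illustration, not code from the article. Event IDs 4625/4624 and logon
type 10 are real Windows values; the JSON layout and the sample records are
constructed for this example and are not real log data.
"""
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (JSON lines). One source guesses one account
# repeatedly and then succeeds, one source sprays several accounts, one is
# a user who mistyped once, and one is a non-RDP (logon type 3) burst.
SAMPLE_EVENTS = """\
{"time":"2020-06-01T02:00:01","event_id":4625,"logon_type":10,"user":"administrator","src_ip":"198.51.100.7"}
{"time":"2020-06-01T02:00:10","event_id":4625,"logon_type":10,"user":"administrator","src_ip":"198.51.100.7"}
{"time":"2020-06-01T02:00:19","event_id":4625,"logon_type":10,"user":"administrator","src_ip":"198.51.100.7"}
{"time":"2020-06-01T02:00:28","event_id":4625,"logon_type":10,"user":"administrator","src_ip":"198.51.100.7"}
{"time":"2020-06-01T02:00:37","event_id":4625,"logon_type":10,"user":"administrator","src_ip":"198.51.100.7"}
{"time":"2020-06-01T02:00:55","event_id":4624,"logon_type":10,"user":"administrator","src_ip":"198.51.100.7"}
{"time":"2020-06-01T02:05:00","event_id":4625,"logon_type":10,"user":"admin","src_ip":"203.0.113.5"}
{"time":"2020-06-01T02:05:12","event_id":4625,"logon_type":10,"user":"backup","src_ip":"203.0.113.5"}
{"time":"2020-06-01T02:05:24","event_id":4625,"logon_type":10,"user":"sales","src_ip":"203.0.113.5"}
{"time":"2020-06-01T02:05:36","event_id":4625,"logon_type":10,"user":"hr","src_ip":"203.0.113.5"}
{"time":"2020-06-01T02:05:48","event_id":4625,"logon_type":10,"user":"svc-print","src_ip":"203.0.113.5"}
{"time":"2020-06-01T02:10:00","event_id":4625,"logon_type":10,"user":"jdoe","src_ip":"192.0.2.44"}
{"time":"2020-06-01T02:10:30","event_id":4624,"logon_type":10,"user":"jdoe","src_ip":"192.0.2.44"}
{"time":"2020-06-01T02:12:00","event_id":4625,"logon_type":3,"user":"guest","src_ip":"203.0.113.9"}
{"time":"2020-06-01T02:12:01","event_id":4625,"logon_type":3,"user":"guest","src_ip":"203.0.113.9"}
{"time":"2020-06-01T02:12:02","event_id":4625,"logon_type":3,"user":"guest","src_ip":"203.0.113.9"}
{"time":"2020-06-01T02:12:03","event_id":4625,"logon_type":3,"user":"guest","src_ip":"203.0.113.9"}
{"time":"2020-06-01T02:12:04","event_id":4625,"logon_type":3,"user":"guest","src_ip":"203.0.113.9"}
"""

FAIL_THRESHOLD = 5            # failed logons from one source inside WINDOW
WINDOW = timedelta(minutes=2)
SPRAY_DISTINCT_USERS = 3      # this many accounts tried -> password spraying
RDP_LOGON_TYPES = {10}        # RemoteInteractive; widen when NLA is in use


def parse_events(text):
    """Parse JSON-lines events; 'time' becomes a datetime and the list is sorted."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def detect_rdp_bursts(events, threshold=FAIL_THRESHOLD, window=WINDOW,
                      spray_users=SPRAY_DISTINCT_USERS, logon_types=RDP_LOGON_TYPES):
    """Return {src_ip: finding} for sources whose RDP logon failures reach
    `threshold` inside a sliding time window. A finding says whether the burst
    is single-account guessing or multi-account spraying, how many failures
    the source produced in total, and whether the same source later logged on
    successfully (the case to triage first)."""
    recent = defaultdict(deque)   # src_ip -> (time, user) pairs inside the window
    total_failures = Counter()
    findings = {}
    for ev in events:
        if ev.get("logon_type") not in logon_types:
            continue              # not an RDP-style logon, ignore
        ip = ev["src_ip"]
        if ev["event_id"] == 4624:
            if ip in findings:    # success from a source already flagged
                findings[ip]["success_after_burst"] = True
            continue
        if ev["event_id"] != 4625:
            continue
        total_failures[ip] += 1
        q = recent[ip]
        q.append((ev["time"], ev["user"]))
        while ev["time"] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        f = findings.setdefault(ip, {"users": set(), "first": q[0][0],
                                     "success_after_burst": False})
        f["users"] |= {u for _, u in q}
        f["failures"] = total_failures[ip]
        f["last"] = ev["time"]
        f["kind"] = "password_spray" if len(f["users"]) >= spray_users else "brute_force"
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {f['kind']}, {f['failures']} failures against "
              f"{len(f['users'])} account(s), success after burst: {f['success_after_burst']}")
```

One caveat worth knowing before running this against real exports: when Network Level Authentication is enabled, a failed RDP password check is usually recorded as event 4625 with logon type 3 rather than 10, because the credentials are validated over CredSSP before any interactive session exists. In that setup, pass `logon_types={3, 10}` (as the type-3 records in the sample show, that makes the 203.0.113.9 burst visible too) and, where available, correlate with the RemoteDesktopServices-RdpCoreTS operational log to confirm the source address.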
Such compromised username and password combinations are then put up for sale in “RDP shops.” Cybercrime groups obtain endpoint credentials from these “shops,” which have existed for years.
Security leaders say that many of the “RDP shops” have closed their public storefronts to collaborate exclusively with ransomware gangs. Some shops have even struck deals with Ransomware-as-a-Service (RaaS) portals as a way to monetize their collections of hacked RDP access individually.
VPN devices as the new RDPs
Various vulnerabilities were uncovered in recent times in the Virtual Private Network (VPN) products deployed widely by enterprises. Hacker groups took advantage of publicly released proof-of-concept exploit code and exploited the bugs to gain unauthorized access to organizational networks.