Remote Desktop Attacks – Ransomware Entry
1. Introduction and Objectives
In this article we briefly explain the methodology certain criminal groups use to gain access to computer systems through their exposed Remote Desktop Services (RDP). This entry vector has been observed in a large number of forensic analyses of ransomware attacks as the way various types of malware were installed, which is not surprising given how easy and how cheap it is to exploit, as we will see throughout this article.
To follow along, you will need to have at least basic knowledge of brute force tools and exploit launching. We will be using Kali Linux as the attacking machine.
2. What does a Remote Desktop (RDP) attack entail?
A Remote Desktop Protocol (RDP) attack is any intrusion that comes in through an exposed Remote Desktop service, either by exploiting a vulnerability in the service itself (“BlueKeep” being the best-known example) or, far more often, by guessing or reusing valid credentials. Most RDP intrusions are plain brute force or dictionary attacks against weak passwords; cybercriminals also reuse credentials obtained from breached databases, or search directly for leaked credential dumps, which needs only one attempt per account and therefore sidesteps any lockout policy.
In either case the attacker ends up with an interactive desktop session on the victim machine, from which they can disable or reconfigure the antivirus, bring in network analysis tools, capture credentials or other sensitive information, and so on. These actions pave the way for lateral movement and further compromise of the organization’s systems.
3. Which APT groups employ RDP attacks in their TTPs?
Nowadays, organized groups known as Advanced Persistent Threats (APTs) constantly carry out offensive operations in cyberspace. To run these campaigns they maintain command and control (C2) infrastructure through which they execute the various Tactics, Techniques, and Procedures (TTPs) that lead to their final objective, such as the deployment of ransomware, among others.
Several APT groups are known to use Remote Desktop Protocol (RDP) as part of their TTPs: to get into a network through an exposed RDP service, to move laterally within the compromised organization once they hold valid credentials, or to enable RDP on a victim machine as a persistence mechanism, among other uses. In MITRE ATT&CK this is catalogued as T1021.001 (Remote Services: Remote Desktop Protocol) and, for RDP exposed to the internet, as T1133 (External Remote Services); both entries list the groups observed using it. Some of these APT groups can be seen in the linked reference.
4. Exploiting RDP on a Windows Server 2008 R2 machine
In this section we begin the exploitation of the Remote Desktop Service running on a Windows Server 2008 R2 machine with the IP address 192.168.153.131.
We chose this operating system for the proof-of-concept (PoC) tests because, across the many forensic analyses we have performed, it is one of the most frequently compromised by criminal groups through the Remote Desktop Service, whether directly or indirectly. It also left Microsoft’s extended support in January 2020, so machines that still expose RDP on it will not receive fixes for any further vulnerabilities.
As an interesting note, in several of the RDP intrusions we have analyzed, the criminal groups first gained access to the victim systems by exploiting the “MS17-010” vulnerability in the SMB protocol (port 445) with publicly available exploits such as “EternalBlue”, which yields code execution as SYSTEM. Once inside, they changed the passwords of certain local users and then logged in through the Remote Desktop Service on port 3389, so from that point on the intrusion looks exactly like one that began with a guessed password.
The intrusions described in the previous paragraph were preceded by mass scans of IP address ranges looking for port 3389, the default port of the Remote Desktop Service (RDP) on Windows systems. Exposing that port directly to the internet is what puts a host on the attackers’ target list in the first place.
In our Introduction to Cybersecurity course, we demonstrate a chained attack of this nature, wherein an intrusion is carried out on a machine running Windows 7.
a) Exploit BlueKeep CVE-2019-0708
In this PoC we verify whether the target machine is vulnerable to CVE-2019-0708 (“BlueKeep”), a pre-authentication remote code execution vulnerability in Remote Desktop Services that affects Windows 7, Windows Server 2008 R2 and earlier versions. It is not the only RDP vulnerability Microsoft has patched, but it is the most serious one for this generation of systems: no credentials are required and a successful exploit runs as SYSTEM. The check can be done with the Metasploit module auxiliary/scanner/rdp/cve_2019_0708_bluekeep, which negotiates a connection and reports the host as vulnerable without running the exploit.
As the scanner output shows, the service is vulnerable. From this simple check we can conclude that the system must be patched (Microsoft released the fix in May 2019, including for out-of-support versions) or the service disabled to prevent attackers from compromising the machine. Where neither is possible immediately, enabling Network Level Authentication (NLA) is the partial mitigation Microsoft recommends, since it forces the client to authenticate before the vulnerable code is reachable; it does nothing, however, against the brute force attacks described next.
For a more detailed view of this exploit, I recommend reading the article from the flu-project.
b) Dictionary Brute Force Attack
As mentioned in earlier sections, this is the most common type of attack against this service. It consists of trying weak and default credentials against the exposed RDP endpoint until one works; the attacker then uses that valid credential for the actual intrusion. The built-in “administrator” account is the favourite target because it exists on every Windows machine and, on Windows Server 2008 R2, is never locked out by the account lockout policy, so there is no limit on the number of guesses.
Next, we perform a dictionary brute force attack against the RDP protocol on port 3389 using the tool “Lazy-RDP” (https://github.com/getdrive/Lazy-RDP). Once the tool is installed, we run it and fill in the parameters it asks for (target, user list and password list), as shown in the following screenshots.
Once the brute force attack completes, the tool reports that a valid credential has been found (administrator:Admin1234) and writes it directly to the “good” text file. A password like this falls to any common wordlist within minutes, which is exactly the situation we find in real incidents.
At this point we connect via Remote Desktop to the victim machine, using any RDP client (xfreerdp on Kali, for example), with the credentials reported by Lazy-RDP.
As we can see, we have successfully entered the victim machine through its Remote Desktop service, with no exploit involved and nothing on the wire that differs from a legitimate administrator session.
c) Actions on Objectives
It is at this point that the cybercriminals begin their actions on the compromised machine, with the aim of infecting as many storage units and systems within the organization’s network as possible.
Various ransomware attacks and other malware infections follow the same modus operandi even when carried out by different criminal groups. Typically, once the attacker has an RDP session on a victim machine, they execute the following steps in this order:
- Disabling or reconfiguring the antivirus installed on the victim machine, or uninstalling it outright, depending on the privileges obtained on the system.
- Bringing in tools for network traffic monitoring and analysis and for port and service scanning, in order to identify other machines on the network, along with credential-capture tools to obtain further accounts.
- Uploading and executing the ransomware to encrypt every storage unit and system reachable from the compromised machine, including mapped network shares.
- Covering tracks. Sometimes the ransomware itself handles privilege escalation, deletion of backups and Volume Shadow Copies, and clearing of the security event logs (which itself leaves Event ID 1102, “The audit log was cleared”, in any copy of the log forwarded off the host).
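The chain described in b) and c) above is also what a defender should be looking for in the Windows Security log. The following detection logic is an added example written for this article, not code from the original page or from any tool it mentions. The event IDs and logon types are the real Windows values; every record in SAMPLE_EVENTS, including the addresses 203.0.113.45 and 192.168.153.10 and the user names, is constructed for the demonstration. It flags a burst of failed logons (Event ID 4625) from one source address, a RemoteInteractive (LogonType 10) success (Event ID 4624) from that same address while the burst is still recent, and a later clearing of the Security log (Event ID 1102) by the account that got in that way.

```python
"""RDP brute-force-to-logon correlation over Windows Security-log records.

Added example for this article, not part of it. The event IDs and logon
types are the real Windows values; every record in SAMPLE_EVENTS, including
the IP addresses and user names, is constructed for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625           # "An account failed to log on"
EVENT_LOGON_SUCCESS = 4624          # "An account was successfully logged on"
EVENT_AUDIT_LOG_CLEARED = 1102      # "The audit log was cleared"
LOGON_TYPE_NETWORK = 3              # how RDP failures usually surface when NLA is on
LOGON_TYPE_REMOTE_INTERACTIVE = 10  # an established RDP / Terminal Services session


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def _prune(queue, now, window):
    """Drop timestamps older than `window` from the front of `queue`."""
    while queue and now - queue[0] > window:
        queue.popleft()


def detect_rdp_bruteforce(events, threshold=5, window_seconds=300):
    """Correlate Security-log records into the RDP intrusion chain.

    `events` is an iterable of dicts with keys time, event_id, ip, logon_type
    and user. Alerts come back in time order, one dict per finding:
      rdp_bruteforce         - `threshold` failed logons from one IP within the window
      rdp_bruteforce_success - a LogonType 10 success from an IP still in that state
      audit_log_cleared      - Event 1102 raised by an account that got in that way
    """
    window = timedelta(seconds=window_seconds)
    alerts = []
    failures = defaultdict(deque)  # source IP -> timestamps of recent 4625 events
    reported = set()               # IPs already alerted on, so a long attack fires once
    suspicious_users = {}          # account name -> IP it was brute-forced from

    for ev in sorted(events, key=lambda e: _parse_ts(e["time"])):
        now = _parse_ts(ev["time"])
        eid, ip = ev["event_id"], ev.get("ip")
        user = (ev.get("user") or "").lower()  # Windows user names are case-insensitive

        if eid == EVENT_LOGON_FAILED and ip and ev.get("logon_type") in (
                LOGON_TYPE_NETWORK, LOGON_TYPE_REMOTE_INTERACTIVE):
            q = failures[ip]
            q.append(now)
            _prune(q, now, window)
            if len(q) >= threshold and ip not in reported:
                reported.add(ip)
                alerts.append({"kind": "rdp_bruteforce", "time": ev["time"],
                               "ip": ip, "user": user})

        elif eid == EVENT_LOGON_SUCCESS and ip and \
                ev.get("logon_type") == LOGON_TYPE_REMOTE_INTERACTIVE:
            q = failures.get(ip)  # .get() so a clean IP does not create an entry
            if q is not None:
                _prune(q, now, window)
                if len(q) >= threshold:
                    alerts.append({"kind": "rdp_bruteforce_success", "time": ev["time"],
                                   "ip": ip, "user": user})
                    suspicious_users[user] = ip
                # a successful session ends the burst either way; count afresh
                q.clear()
                reported.discard(ip)

        elif eid == EVENT_AUDIT_LOG_CLEARED and user in suspicious_users:
            alerts.append({"kind": "audit_log_cleared", "time": ev["time"],
                           "ip": suspicious_users[user], "user": user})

    return alerts


# Constructed records: a dictionary attack from 203.0.113.45 against the local
# administrator, the interactive RDP logon once the password is found, a benign
# admin logon from the LAN, and the Security log being cleared afterwards.
SAMPLE_EVENTS = [
    {"time": f"2023-05-10 03:12:{sec:02d}", "event_id": 4625, "ip": "203.0.113.45",
     "logon_type": 3, "user": "administrator"}
    for sec in (1, 3, 5, 7, 9)
] + [
    {"time": "2023-05-10 03:12:11", "event_id": 4624, "ip": "203.0.113.45",
     "logon_type": 10, "user": "Administrator"},
    {"time": "2023-05-10 03:20:00", "event_id": 4624, "ip": "192.168.153.10",
     "logon_type": 10, "user": "jsmith"},
    {"time": "2023-05-10 03:41:30", "event_id": 1102, "ip": None,
     "logon_type": None, "user": "Administrator"},
]


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{alert['time']}  {alert['kind']:<24} ip={alert['ip']} user={alert['user']}")
```

Run as a script it prints the three alerts for the constructed sample and nothing for the benign LAN logon. Two caveats from practice: with NLA enabled the failed attempts are recorded with LogonType 3 rather than 10, because CredSSP authenticates before any session exists, and when NTLM is used they may only appear as Event ID 4776 on the host that validated the credential, so the failure branch above deliberately accepts both logon types. The 1102 event exists only if the attacker clears the log through the API; if the log is forwarded to a collector, the clearing is visible even when the local copy is gone, which is the main reason to forward it.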
In an upcoming article, we will delve deeper into the analysis of a specific ransomware to explore its functions in more detail.
5. Conclusions
In this article we have briefly explored the methodology certain criminal groups use to infiltrate computer systems through their exposed Remote Desktop Services (RDP).
Along the way we have seen how the different types of RDP attack are carried out, either by exploiting an outdated service or by taking advantage of weak or default access credentials, and that the second route requires no exploit at all.
In this manner a cybercriminal group can perform intrusions that facilitate the distribution of its malware (ransomware, trojans, etc.) and allow it to seize and/or exfiltrate data from business organizations, which in turn poses significant compliance challenges under the General Data Protection Regulation (GDPR) for the victims of the attack.
For those interested in gaining introductory knowledge in ethical hacking, our basic ethical hacking course is available. Alternatively, for those seeking more advanced insights into offensive cybersecurity, our advanced course is also an option.