Positive Technologies experts have counted that in just three weeks (from the end of February 2020) the number of resources reachable over RDP grew by 9%, to more than 112,000. Moreover, over 10% of these hosts are vulnerable to BlueKeep (CVE-2019-0708), which allows an attacker to take full control of a Windows computer.
To attack, it is enough to send a specially crafted RDP request to a vulnerable Remote Desktop Services (RDS) instance; no authentication is required. If the attack succeeds, the attacker can install and remove programs on the compromised system, create accounts with full user rights, and read and modify confidential information. The affected operating systems are Windows 7, Windows Server 2008 and Windows Server 2008 R2.
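The unauthenticated attack path described above exists only when the server lets an anonymous client negotiate a session, that is, when Network Level Authentication (NLA) is not enforced; Microsoft lists enabling NLA as a mitigation for CVE-2019-0708, because an attacker would then need valid credentials before reaching the vulnerable code. The following Python script is an added example, not Positive Technologies' code or tooling: it performs the per-host check behind a count like the one above by sending the standard X.224 Connection Request from MS-RDPBCGR with a negotiation request for plain RDP security and interpreting the Connection Confirm. It contains no exploit logic. The hostname `rdp.example.internal`, the cookie value `probe` and the three sample responses are constructed for illustration.

```python
"""Check whether an RDP listener accepts a session without Network Level
Authentication (NLA), the precondition for unauthenticated BlueKeep
(CVE-2019-0708) exploitation.  Added example, not Positive Technologies'
code.  It speaks only the X.224 Connection Request / Confirm exchange from
MS-RDPBCGR (sections 2.2.1.1 and 2.2.1.2) and contains no exploit logic."""

import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000        # standard RDP security: no NLA
PROTOCOL_SSL = 0x00000001        # TLS, still no NLA
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. NLA
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP, cookie="probe"):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ.
    The cookie value is arbitrary; 'probe' is an assumed placeholder."""
    cookie_bytes = ("Cookie: mstshash=%s\r\n" % cookie).encode("ascii")
    # RDP_NEG_REQ: type(1) flags(1) length(2, LE) requestedProtocols(4, LE)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # CR TPDU after the length indicator: code 0xE0, DST-REF, SRC-REF, class option
    x224_body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + cookie_bytes + neg_req
    x224 = bytes([len(x224_body)]) + x224_body
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))   # version 3, reserved, length
    return tpkt + x224


def parse_connection_confirm(data):
    """Parse TPKT + X.224 Connection Confirm and return the server's answer."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match the data received")
    li = data[4]                       # bytes following the length indicator
    if data[5] != 0xD0:                # X.224 CC TPDU code
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % data[5])
    payload = data[11:5 + li]          # after the 6-byte fixed CC header
    if len(payload) < 8:
        # No RDP_NEG_RSP at all: a pre-NLA server that only knows standard RDP security
        return {"kind": "legacy"}
    ntype, flags, _length, value = struct.unpack("<BBHI", payload[:8])
    if ntype == TYPE_RDP_NEG_RSP:
        return {"kind": "response", "selected_protocol": value, "flags": flags}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "failure_code": value,
                "reason": FAILURE_CODES.get(value, "UNKNOWN_%d" % value)}
    raise ValueError("unexpected negotiation structure type 0x%02x" % ntype)


def classify(confirm):
    """Verdict on whether an unauthenticated client can get past negotiation."""
    if confirm["kind"] == "legacy":
        return "NLA not enforced (legacy server, standard RDP security only)"
    if confirm["kind"] == "response":
        proto = confirm["selected_protocol"]
        if proto & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX):
            return "NLA enforced"
        return "NLA not enforced (server accepted %s)" % (
            "TLS without CredSSP" if proto & PROTOCOL_SSL else "standard RDP security")
    code = confirm["failure_code"]
    if code in (5, 6):
        return "NLA enforced (%s)" % confirm["reason"]
    if code == 1:
        return "NLA not enforced (TLS required, but CredSSP is not)"
    return "inconclusive (%s)" % confirm["reason"]


def probe(host, port=3389, timeout=5.0):
    """Live check of one host; needs network access, so it is not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        head = sock.recv(4)
        if len(head) < 4:
            raise ValueError("no TPKT header received")
        remaining = struct.unpack(">H", head[2:4])[0] - 4
        body = b""
        while len(body) < remaining:
            chunk = sock.recv(remaining - len(body))
            if not chunk:
                break
            body += chunk
        return classify(parse_connection_confirm(head + body))


# Constructed sample Connection Confirms (not real captures): a pre-NLA server,
# a server that accepts standard RDP security, and a server that demands CredSSP.
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")
SAMPLE_RDP_ALLOWED = bytes.fromhex("030000130ed00000123400" "0200080000000000")
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed00000123400" "0300080005000000")

if __name__ == "__main__":
    for name, pkt in (("legacy", SAMPLE_LEGACY), ("rdp-allowed", SAMPLE_RDP_ALLOWED),
                      ("nla-required", SAMPLE_NLA_REQUIRED)):
        print("%-13s %s" % (name, classify(parse_connection_confirm(pkt))))
    # Live check against an assumed hostname: print(probe("rdp.example.internal"))
```

A verdict of "NLA not enforced" on an unpatched Windows 7 or Server 2008 host is the combination the statistics above describe; "NLA enforced" does not replace the May 2019 patch, because an attacker who already holds valid domain credentials can still reach the vulnerable code after authenticating.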
Today, the Ural Federal District leads in growth of the number of hosts with RDP exposed: up 21%, with 17% of those hosts vulnerable to BlueKeep. It is followed by the Siberian (21% and 16%, respectively), Northwestern (19% and 13%), North Caucasus (18% and 17%), Southern (11% and 14%), Volga (8% and 18%), Far Eastern (5% and 14%) and Central (4% and 11%) Federal Districts.
"On the network perimeter of Russian companies, the number of resources has begun to increase whose compromise would allow attackers to gain control of the server and penetrate the local network," said Alexey Novikov, director of the Positive Technologies security expert center. "We attribute this, first of all, to the hasty transfer of some employees to remote work. Regardless of the selected type of remote connection, it is reasonable to provide remote access through a special gateway. For RDP connections, this is Remote Desktop Gateway (RDG); for VPN, a VPN gateway. Remote connection directly to the workplace is not recommended."
Positive Technologies warns that opening access to individual subnets to all VPN users at once significantly weakens an organization's security: it gives an external attacker broad opportunities and also increases the risk of an insider attack. IT staff therefore need to preserve network segmentation and allocate as many separate VPN address pools as the segmentation requires.
Positive Technologies also recommends paying attention to the critical vulnerability CVE-2019-19781 in Citrix products, which corporate networks use, among other things, to give employees terminal access to internal company applications from any device over the Internet. Exploiting it gives an attacker direct access to the company's local network from the Internet. The attack requires no account of any kind, so any external intruder can carry it out.