Attackers can gain access to every tenth open remote desktop

Tomcat



During monitoring of current threats (threat intelligence), Positive Technologies experts found that the number of network nodes in Russia accessible via Remote Desktop Protocol (RDP) grew by 9% in just three weeks (from the end of February 2020), to more than 112,000. More than 10% of those nodes are still vulnerable to the BlueKeep bug (CVE-2019-0708), which allows an attacker to take full control of a Windows computer.

For an attack, it is enough to send a specially crafted RDP request to the vulnerable Remote Desktop Services (RDS); no authentication is required. If successful, the attacker can install and remove programs on the compromised system, create accounts with the highest privilege level, and read and edit confidential information. The vulnerability affects Windows 7, Windows Server 2008 and Windows Server 2008 R2. Because the bug is reached before logon, enabling Network Level Authentication (NLA) blocks unauthenticated exploitation, but only installing the patch actually removes the vulnerability.

In terms of growth in the number of nodes exposed via RDP, the Ural Federal District currently leads. Growth in exposed nodes over the three weeks, followed by the share of those nodes vulnerable to BlueKeep, by federal district:

Ural: 21% growth, 17% vulnerable
Siberian: 21% growth, 16% vulnerable
North-West: 19% growth, 13% vulnerable
North-Caucasian: 18% growth, 17% vulnerable
South: 11% growth, 14% vulnerable
Volga: 8% growth, 18% vulnerable
Far East: 5% growth, 14% vulnerable
Central: 4% growth, 11% vulnerable

"On the network perimeter of Russian companies, the number of resources has begun to increase, an attack on which would allow attackers to gain control over the server and penetrate the local network," said Alexei Novikov, director of the Positive Technologies security expert center. "We associate this, first of all, with the hasty transfer of some employees to remote work. Regardless of the type of remote connection you choose, it is wise to provide remote access through a dedicated gateway. For RDP connections, this is Remote Desktop Gateway (RDG); for VPN, a VPN gateway. It is not recommended to use a remote connection directly to the workplace."

Positive Technologies warns that opening access to internal subnets to all VPN users at once significantly reduces the organization's security: it not only gives an external attacker ample opportunities but also increases the risk of an attack by an insider. IT staff should therefore maintain network segmentation and allocate as many separate VPN address pools as needed, each granted access only to the segments its users actually require.

Positive Technologies experts separately emphasize the threat posed by newly created remote access channels into business-critical networks and systems (for example, technological networks in manufacturing and the energy sector, ATM or card-processing networks in banks, 1C servers, or confidential document workflow). Information security teams should strictly control attempts by administrators to simplify their management and configuration tasks for such segments by setting up a separate, unprotected connection. This control is achieved through continuous monitoring of the organization's network perimeter, especially of its key segments. In addition, the use of remote administration software (for example, RAdmin or TeamViewer) must be strictly regulated, and cases of unauthorized use must be detected (for example, from artifacts in traffic using network traffic analysis, NTA, solutions). Finally, because the traditional behavior pattern of the organization's employees has changed (mass remote access), the correlation rules in the systems used to monitor for and protect against cyberattacks need to be reconfigured, otherwise the new baseline will either drown analysts in false positives or hide genuine anomalies.

In addition, Positive Technologies recommends paying attention to the critical vulnerability CVE-2019-19781 in Citrix software (Citrix ADC and Citrix Gateway) used in corporate networks, including for giving employees terminal access to the company's internal applications from any device over the Internet. If this vulnerability is exploited, an attacker gains direct access to the company's local network from the Internet. No credentials of any kind are required to carry out the attack, which means any external intruder can do it.

Among the other vulnerabilities that require special attention given the increased number of open remote access services are the eight-year-old Remote Desktop Protocol vulnerability CVE-2012-0002 (MS12-020), which is still found on organizations' network perimeters, and the Remote Desktop Services vulnerabilities CVE-2019-1181 and CVE-2019-1182 in various versions of Microsoft Windows (including Windows 10). The PHP 7 vulnerability CVE-2019-11043 (in PHP-FPM), which Positive Technologies included in its list of the most dangerous vulnerabilities at the end of 2019, should also be eliminated. The presence of the listed vulnerabilities in a company's infrastructure can be quickly identified using vulnerability scanners. To eliminate them, in all cases at least follow the vendor's recommendations for the affected version of the software or hardware.
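The paragraphs above say that BlueKeep needs no authentication and that direct RDP exposure, rather than access through a gateway with NLA, is the risk. The following is an added example, not code from the article or from Positive Technologies: it sends only the first client PDU of an RDP connection (the X.224 Connection Request carrying an RDP_NEG_REQ that offers nothing but legacy standard security, per MS-RDPBCGR) and reads the server's Connection Confirm to see whether NLA is enforced. A server that accepts standard security, or that only demands TLS, exposes the unauthenticated part of the handshake where BlueKeep is triggered; a server that answers HYBRID_REQUIRED_BY_SERVER does not. The sample replies at the bottom are constructed byte strings, not captures from any real host, and the host names passed on the command line are assumed to be systems you are authorized to test.

```python
import socket
import struct

# requestedProtocols flags of RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # legacy "standard RDP security": no TLS, no NLA
PROTOCOL_SSL = 0x00000001     # TLS without NLA
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication

# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ: the first client PDU."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # x224Crq: length indicator, CR code 0xE0, DST-REF, SRC-REF, class option
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def classify_connection_confirm(data):
    """Parse the server's X.224 Connection Confirm and report whether NLA is enforced.

    Returns {"nla_required": True/False/None, "detail": str}. False means the
    unauthenticated part of the handshake (where BlueKeep is triggered) is open
    to anyone who can reach the port; None means the reply does not say.
    """
    if len(data) < 11 or data[0] != 0x03 or data[5] != 0xD0:
        raise ValueError("not a TPKT-framed X.224 Connection Confirm")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match the bytes received")
    if len(data) < 19:
        # No rdpNegData at all: pre-RDP-6.0 servers (XP/2003 era) that only
        # speak standard security and cannot do NLA.
        return {"nla_required": False, "detail": "legacy server, no negotiation"}
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("malformed rdpNegData length")
    if neg_type == 0x02:  # RDP_NEG_RSP: server accepted one of the offered protocols
        return {"nla_required": value == PROTOCOL_HYBRID,
                "detail": "selectedProtocol=0x%08x" % value}
    if neg_type == 0x03:  # RDP_NEG_FAILURE: server refused what we offered
        name = FAILURE_CODES.get(value, "unknown(0x%x)" % value)
        # 0x05/0x06 mean CredSSP is mandatory; 0x01 means TLS but no NLA.
        nla = True if value in (0x05, 0x06) else (False if value == 0x01 else None)
        return {"nla_required": nla, "detail": name}
    raise ValueError("unexpected rdpNegData type 0x%02x" % neg_type)


def probe(host, port=3389, timeout=5.0):
    """Offer only standard security and classify the reply (does network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return classify_connection_confirm(sock.recv(1024))


# Constructed replies (not captured from any real host) to exercise the parser offline.
REPLY_STANDARD_ACCEPTED = bytes.fromhex("030000130ed000001234000200080000000000")
REPLY_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
REPLY_TLS_ONLY = bytes.fromhex("030000130ed000001234000300080001000000")
REPLY_LEGACY = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, probe(target))
```

Two caveats a practitioner should keep in mind: a host that enforces NLA can still be unpatched for CVE-2019-0708 (an attacker holding valid credentials could exploit it), and a host that accepts standard security is not proven vulnerable, only exposed. Treat `nla_required: False` on an Internet-facing 3389 as "fix today": move it behind an RD Gateway, enable NLA, and confirm the patch with a vulnerability scanner.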
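The recommendations above on VPN pools per segment, on RDP only via the gateway, and on catching RAdmin or TeamViewer with network traffic analysis are rules that can be written down and run against connection logs. Here is an added example of that, not code from the article or from Positive Technologies. The policy (internal range, gateway address, VPN pools and the segments they may reach, critical OT segment) and the log lines are all constructed assumptions for the example; the tool ports are the products' well-known defaults (TeamViewer 5938, RAdmin 4899), and a real deployment would also match on payload signatures since both tools can use other ports.

```python
import ipaddress
from collections import Counter

# Constructed policy for this example (assumed, not from the article).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
RD_GATEWAY = ipaddress.ip_address("10.1.1.10")        # only source allowed to open 3389 inside
CRITICAL = [ipaddress.ip_network("10.200.0.0/16")]     # technological (OT) segment
VPN_POOLS = {                                          # pool -> segments it may reach
    ipaddress.ip_network("10.50.0.0/24"): [ipaddress.ip_network("10.10.0.0/16")],   # office staff
    ipaddress.ip_network("10.51.0.0/24"): [ipaddress.ip_network("10.200.0.0/16")],  # OT engineers
}
REMOTE_ADMIN_PORTS = {5938: "TeamViewer", 4899: "RAdmin"}  # default ports of the two tools

# Constructed connection-log lines: "timestamp src sport dst dport proto".
SAMPLE_LOG = """\
2020-03-15T09:12:01 203.0.113.7 51234 10.10.0.25 3389 tcp
2020-03-15T09:12:05 10.1.1.10 49152 10.10.0.25 3389 tcp
2020-03-15T09:13:40 10.50.0.12 50210 10.200.4.8 3389 tcp
2020-03-15T09:14:02 10.10.0.77 52001 198.51.100.20 5938 tcp
2020-03-15T09:15:11 203.0.113.9 40001 10.10.0.31 4899 tcp
2020-03-15T09:16:00 10.51.0.5 51000 10.200.4.8 502 tcp
2020-03-15T09:16:30 10.10.0.25 50000 10.10.0.40 445 tcp
"""


def _in_any(ip, nets):
    return any(ip in n for n in nets)


def parse_line(line):
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}


def check_flow(flow):
    """Apply the perimeter and segmentation rules to one flow; return rule names hit."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    hits = []
    if dport == 3389 and _in_any(dst, INTERNAL):
        if not _in_any(src, INTERNAL):
            hits.append("rdp-exposed-to-internet")   # a workstation/server reachable directly
        elif src != RD_GATEWAY:
            hits.append("rdp-not-via-gateway")       # internal RDP that bypasses the RDG
    if dport in REMOTE_ADMIN_PORTS:
        hits.append("remote-admin-tool:" + REMOTE_ADMIN_PORTS[dport])
    for pool, allowed in VPN_POOLS.items():
        # A VPN user reaching a critical segment their pool was never granted.
        if src in pool and _in_any(dst, CRITICAL) and not _in_any(dst, allowed):
            hits.append("vpn-pool-reaching-critical-segment")
    return hits


def analyze(log_text):
    """Run every rule over every log line and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_line(line)
        for rule in check_flow(flow):
            findings.append({"rule": rule, "ts": flow["ts"], "src": str(flow["src"]),
                             "dst": str(flow["dst"]), "dport": flow["dport"]})
    return findings


def exposed_rdp_hosts(findings):
    """Distinct internal hosts with RDP reachable from the Internet (the count the article tracks)."""
    return {f["dst"] for f in findings if f["rule"] == "rdp-exposed-to-internet"}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["rule"], f["src"], "->", f["dst"], f["dport"])
    print("hosts with RDP open to the Internet:", sorted(exposed_rdp_hosts(found)))
    print(Counter(f["rule"] for f in found))
```

On the sample, the second line (the gateway itself opening 3389) is silent while the third line fires twice: the office pool reaches the OT segment it was never allowed, and it does so over RDP without going through the gateway. That double hit is exactly the "administrator shortcut into a critical segment" the article tells security teams to watch for, and it is the kind of rule that needs re-baselining once most staff connect over VPN.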