Cortex Xpanse and Ransomware Deployment Protocol (RDP)
Ransomware is a thorn in the side of any security engineer. These types of attacks have been increasing as of late and Remote Desktop Protocol (RDP) has been found to be the most popular initial attack vector. Even though RDP really means Remote Desktop Protocol, it's become apparent that it might as well be called "Ransomware Deployment Protocol."
You likely already know about RDP—and the fact that Microsoft Windows uses this protocol to allow users to remotely connect and control a remote system. The problem with RDP is that it's very easy to expose unintentionally, thus leaving a door open for bad actors.
Palo Alto Networks' Unit 42 studied data from over 1,000 incidents and found in 50% of ransomware deployment cases, RDP was the initial attack vector. The details can be read in the 2020 Unit 42 Incident Response and Data Breach Report.
Attackers are always looking for ways into any machine on the internet. Usually nmap (network mapper) is used to scan for open ports—namely port 3389, which is the default RDP port that is left open.
This graph shows ports that attackers scan for looking for ways into any target
According to Cortex Xpanse research, attackers can scan the entire internet in just 45 minutes. So, if RDP is exposed, it will be found—and there are multiple ways an attacker can get in, including:
- Use stolen credentials to login
- Brute force the login (if the implementation allows unlimited login attempts)
- Perform a man-in-the-middle attack, if it’s an outdated version of RDP or using flawed encryption
- Exploit known vulnerabilities in older versions of RDP, such as BlueKeep
For more detailed information about how Cortex Xpanse can be used to help with RDP, please be sure to read Diagnosing the Ransomware Deployment Protocol (RDP).
To learn more about risks to your attack surface, download the 2021 Cortex Xpanse Attack Surface Threat Report.
Don't forget to visit the LIVEcommunity Cortex Xpanse page to participate in any Xpanse discussions, watch videos, read articles and have access to Cortex Xpanse resources dedicated to Xpanse.
Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumb up) button, don't forget to subscribe to the LIVEcommunity Blog area.
As always, we welcome all comments and feedback in the comments section below.
End of line