Rewterz Threat Alert: RDP Tunneling leading to network security bypass

In the Remote Desktop Services component of Microsoft Windows, the Remote Desktop Protocol can be used by attackers to switch from backdoors to using direct RDP sessions for remote access, once they have gained foothold in a compromised system.

Threat actors may use Network tunneling and port forwarding to take advantage of firewall “pinholes” (ports not protected by the firewall that allow an application access to a service on a host in the network protected by the firewall). The pinholes are used to establish a connection with a remote server blocked by a firewall, which is used as a transport mechanism to send or “tunnel” local listening services (located inside the firewall) through the firewall, making them accessible to the remote server (located outside the firewall).

Attackers also use utilities like Plink to create encrypted tunnels that allow RDP ports on infected systems to communicate back to the attacker command and control (C2) server.

communications being sent through the tunnel using port forwarding from the attacker C2 server.

RDP sessions allow lateral movement in an environment, for which native Windows Network Shell (netsh) command can be used to utilize RDP port forwarding as a way to access newly discovered segmented networks reachable only through an administrative jump box.

For example, a threat actor could configure the jump box to listen on an arbitrary port for traffic being sent from a previously compromised system. The traffic would then be forwarded directly through the jump box to any system on the segmented network using any designated port, including the default RDP port TCP 3389. This way, threat actors can spread across allowed network routes.

IMPACT

Network security bypass

REMEDIATION

• Disable the remote desktop service on all end-user workstations and systems for which the service is not required for remote connectivity.
• Enable host-based firewall rules that explicitly deny inbound RDP connections.
• Prevent the use of RDP using local accounts on workstations by enabling the “Deny log on through Remote Desktop Services” security setting.
• Where RDP is required for connectivity, enforce the connection to be initiated from a designated jump box or centralized management server.
• Employ the “Deny log on through Remote Desktop Services” security setting for privileged accounts (e.g. domain administrators) and service accounts, as these types of accounts are commonly used by threat actors to laterally move to sensitive systems in an environment.