As more companies go to a remote workforce due to COVID-19, IT departments everywhere are rearchitecting their environments on the fly while often navigating uncharted waters.
Now that we have aggregated a few weeks of customer data from the Arctic Wolf platform since the situation began, we’d like to share what we’re seeing across our customer base to provide a better understanding of how work-from-home (WFH) policies impact the exposure of organizations as a whole.
The Dangers of Remote Desktop Protocol
One very alarming trend is that the use of the Remote Desktop Protocol (RDP) for managing remote laptops has increased by 62 percent over the last month as organizations shift to WFH scenarios. This is risky because RDP has a long history of security issues and publicly disclosed vulnerabilities, and many organizations are slow to patch their systems against known exploits.
A recent blog post from Shodan, the company that crawls the internet 24/7 to provide the latest internet intelligence, examined trends in internet exposure and validates this trend on a more global scale. According to its founder, John Matherly:
"The number of devices exposing RDP to the Internet has grown significantly over the past month (41.5%) which makes sense given how many organizations are moving to remote work."
A common tactic many IT departments use to protect against RDP attacks is deploying the insecure service on a non-standard port in the hope of obscuring it from detection. We looked at what this behavior looks like across our customer base, examining the activity of devices exposing RDP to the internet through a commonly used alternate port (3389):
Figure 1: Use of RDP on Port 3389 over time from the Arctic Wolf Platform
Our chart also displays a roller coaster of spikes and declines in RDP activity, driven by two major factors. First, a rapid increase in December followed the announcement of a major vulnerability in the Citrix platform. Next, a significant decline came as Microsoft announced an RDP vulnerability that had IT managers looking for remote desktop alternatives.
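Moving RDP to a non-standard port hides it only from tools that identify services by port number. Scanners such as Shodan, and a defender's own network monitoring, fingerprint RDP by its handshake: every session opens with an X.224 Connection Request carrying an optional "Cookie: mstshash=" string and an RDP Negotiation Request, whatever port it arrives on. The following example, added here and not part of the original post or of the Arctic Wolf platform, parses that first client message and flags RDP on any destination port. The flow records are constructed sample data, and the parser covers only the Connection Request layout described in Microsoft's MS-RDPBCGR specification; a real deployment would read the first payload of each flow from a packet capture or sensor instead.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# requestedProtocols flag bits carried in the RDP Negotiation Request (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_NAMES = {
    0x1: "PROTOCOL_SSL",        # TLS
    0x2: "PROTOCOL_HYBRID",     # CredSSP, i.e. Network Level Authentication
    0x4: "PROTOCOL_RDSTLS",
    0x8: "PROTOCOL_HYBRID_EX",  # CredSSP with early user authorization
}

STANDARD_RDP_PORT = 3389


@dataclass
class RdpConnectionRequest:
    cookie: Optional[str]               # user name from "Cookie: mstshash=", if present
    requested_protocols: Optional[int]  # None when the client sent no negotiation request

    @property
    def protocol_names(self):
        if self.requested_protocols is None:
            return ["legacy RDP security (no negotiation request)"]
        if self.requested_protocols == 0:
            return ["PROTOCOL_RDP"]  # standard RDP security explicitly requested
        return [name for bit, name in PROTOCOL_NAMES.items() if self.requested_protocols & bit]


def parse_rdp_connection_request(data: bytes) -> Optional[RdpConnectionRequest]:
    """Return the parsed request if `data` starts with a valid X.224 Connection Request, else None."""
    # TPKT header: version 3, reserved 0, 16-bit big-endian total length
    if len(data) < 11 or data[0] != 0x03 or data[1] != 0x00:
        return None
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len < 11 or tpkt_len > len(data):
        return None
    pdu = data[:tpkt_len]
    # X.224: length indicator, then type 0xE0 (Connection Request), DST-REF, SRC-REF, class option
    li = pdu[4]
    if pdu[5] != 0xE0 or li + 5 != tpkt_len:
        return None
    body = pdu[11:]
    cookie = None
    if body.startswith(b"Cookie: mstshash="):
        end = body.find(b"\r\n")
        if end == -1:
            return None
        cookie = body[len(b"Cookie: mstshash="):end].decode("ascii", errors="replace")
        body = body[end + 2:]
    elif body and body[0] != 0x01 and b"\r\n" in body:
        # opaque routing token (load balancer) rather than a user cookie: skip it
        body = body[body.find(b"\r\n") + 2:]
    requested = None
    if len(body) >= 8 and body[0] == 0x01:  # TYPE_RDP_NEG_REQ
        _, _flags, neg_len, protocols = struct.unpack("<BBHI", body[:8])
        if neg_len != 8:
            return None
        requested = protocols
    return RdpConnectionRequest(cookie, requested)


def build_x224_connection_request(user: Optional[str], requested_protocols: Optional[int]) -> bytes:
    """Build a minimal client Connection Request; used here only to construct sample traffic."""
    var = b""
    if user is not None:
        var += b"Cookie: mstshash=" + user.encode("ascii") + b"\r\n"
    if requested_protocols is not None:
        var += struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    x224 = bytes([6 + len(var), 0xE0]) + b"\x00\x00" + b"\x00\x00" + b"\x00" + var
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(x224)) + x224


# Constructed flow records: (source, destination port, first client payload bytes)
SAMPLE_FLOWS = [
    ("203.0.113.10", 3389, build_x224_connection_request("alice", 0x3)),    # TLS + NLA on the default port
    ("198.51.100.7", 33890, build_x224_connection_request("admin", None)),  # legacy client on a "hidden" port
    ("192.0.2.44", 443, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),     # not RDP
]


def find_rdp_flows(flows):
    """Flag every flow whose first payload is an RDP Connection Request, regardless of port."""
    findings = []
    for src, dst_port, payload in flows:
        req = parse_rdp_connection_request(payload)
        if req is None:
            continue
        findings.append({
            "src": src,
            "dst_port": dst_port,
            "nonstandard_port": dst_port != STANDARD_RDP_PORT,
            "cookie": req.cookie,
            "protocols": req.protocol_names,
        })
    return findings


if __name__ == "__main__":
    for f in find_rdp_flows(SAMPLE_FLOWS):
        print(f)
```

The second sample flow is the case the port-change tactic is meant to hide: a client that sends no negotiation request at all, so the session would fall back to standard RDP security rather than TLS or NLA. A port-based rule never sees it; the handshake parser reports it together with the fact that it arrived on a non-standard port, which is exactly the exposure a defender wants to know about.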
How Cybercriminals Take Advantage
There are a number of malicious activities that an attacker can deploy when they have control of a server or a workstation, such as clearing log files, disabling security software, or exfiltrating data from the server.
Most notably, a vulnerability known as BlueKeep—which gained attention in 2019—could allow an attacker to remotely control a PC if the device was not properly patched. That same vulnerability was leveraged in similar ways to spawn the highly publicized WannaCry ransomware attacks.
What You’ll Need to Do
If you use RDP to manage your remote workforce, make sure you run the most current version and have applied the most recent critical security updates from Microsoft. This isn’t always as easy as it sounds.
As remote workers move away from your trusted network, the broad visibility required to create actionable insights for cybersecurity can be limited, which leaves you exposed to potential exploits. If you’re an IT manager, you may be too overwhelmed with alerts and the day-to-day operations of the business during this uncertain time to actively detect threats or critical vulnerabilities.
Arctic Wolf’s team of security experts is here to help you monitor your changing environment 24x7, triage critical threats, and use our unique knowledge of your environment to tailor security outcomes directly to your business.
If you're looking for further information on how to effectively manage work from home scenarios, check out some of our related resources:
- Arctic Wolf is Keeping your Remote Workforce Secure
- Arctic Wolf Managed Risk
- Webinar: Cybersecurity for Your Suddenly Remote Workforce