RDP tunneling, also referred to as port forwarding, involves transferring data from a private network to a public one for exclusive use within the private network. It facilitates the transfer of data between different networks by encapsulating communications from private to public networks. This concept bears similarities to a VPN, which also operates on tunneling principles, although the two are not identical.
Hackers utilizing RDP increasingly resort to network tunneling to bypass security measures.
According to reports, threat actors launching Remote Desktop Protocol (RDP) attacks are increasingly relying on network tunneling and host-based port forwarding to evade network defenses.
Threat actors persist in choosing RDP over non-graphical backdoors due to its stability and functional advantages, which may avoid leaving undesirable artifacts on a system. Consequently, researchers have observed threat actors leveraging native Windows RDP capabilities to establish lateral connections across compromised devices, as noted by the security firm.
While threat actors can establish persistence through RDP access to a system, the initial breach typically requires a distinct attack vector such as phishing. Furthermore, actors are increasingly exploiting network tunneling and host-based port forwarding to gain access to non-exposed systems protected by firewall and NAT rules.
These techniques enable attackers to establish a connection with a remote server blocked by a firewall and then utilize that connection as a transport mechanism to tunnel local listening services through the firewall, allowing access by the remote server.
Host-Based Prevention:
To mitigate the risk of lateral movement and maintain security within the environment, organizations must implement prevention and mitigation mechanisms targeting both host and network-based RDP attacks.
Host-based prevention refers to the use of devices or software to secure sensitive computer systems containing critical data against viruses and malware from the Internet.
Remote Desktop Sessions:
Remote Desktop sessions operate over an encrypted channel, so an attacker who can only monitor network traffic cannot view the contents of the session.
Remote Desktop Service:
Remote Desktop Services is the preferred platform for building virtualization solutions for various end-user needs. Disable this service on all end-user workstations and systems where remote access is not required.
Host-Based Firewalls:
A host-based firewall is a component of firewall software that operates on individual personal computers or systems. Implement host-based firewall measures to explicitly block inbound RDP connections.
Local Accounts:
Restrict the use of RDP with local workstation accounts by configuring Remote Desktop Services to refuse such sign-ins.
Network-Based Prevention:
Network-Based Prevention involves monitoring and maintaining the confidentiality, integrity, and availability of a network.
- Server Availability Cache
- Memcache
- Jump Lists
- Prefetch
- System Events
- CCM Recently Used

Network-Based Protection:
Remote Synchronization:
Enforce that RDP connections originate only from designated jump boxes or centralized management servers, and keep those permitted-source lists synchronized in dynamic networks.
Server Accounts:
Configure privileged accounts and server accounts to deny Remote Desktop Services sign-in, because attackers frequently abuse these accounts for lateral movement to vulnerable devices.
Network-Based Detection:
Network-Based Detection utilizes devices or software to monitor networks and systems for malicious or unauthorized activity.
Firewall Policies:
Review firewall policies to identify potential risks associated with port forwarding. Additionally, test for internal communication vulnerabilities between workstations. Workstations typically do not require easy connectivity with each other, and firewall rule sets should be employed to restrict such communication unless necessary.
Web Access:
Conduct thorough network traffic inspections to detect anomalies. Not all traffic on a given port is what the port number suggests; for instance, threat actors may use TCP port 80 to tunnel RDP to remote servers. Employ deep network traffic analysis to identify and track such activity.
Snort Rules:
Detect tunneled RDP by matching RDP handshakes in network traffic whose source port is a low port normally associated with other protocols.
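The two detection ideas above (an RDP handshake on an unexpected port such as TCP 80, and an RDP handshake from a low source port) can be expressed as a small inspection routine. This is an added example, not code from the original article or from any vendor: it recognises the TPKT/X.224 Connection Request that opens every RDP handshake and flags segments that match either condition. The threshold of 1024 for "low" ports and the constructed sample segments are assumptions.

```python
# Added example: flag RDP handshakes on non-standard ports or from low source
# ports, the same conditions a Snort rule for tunneled RDP would encode.
from dataclasses import dataclass

RDP_PORT = 3389
LOW_PORT_MAX = 1024  # assumption: ports below this are "well-known"


@dataclass
class TcpSegment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def is_x224_connection_request(payload: bytes) -> bool:
    """True if the payload starts with a TPKT header carrying an X.224
    Connection Request TPDU, i.e. the first packet of an RDP handshake."""
    if len(payload) < 11:
        return False
    # TPKT: version 3, reserved 0, then a 16-bit big-endian total length
    if payload[0] != 0x03 or payload[1] != 0x00:
        return False
    tpkt_len = int.from_bytes(payload[2:4], "big")
    if tpkt_len < 11 or tpkt_len > len(payload):
        return False
    # X.224: length indicator byte, then TPDU code 0xE0 = Connection Request
    return payload[5] == 0xE0


def classify(seg: TcpSegment) -> list:
    """Return a list of findings for one segment (empty if nothing odd)."""
    findings = []
    if not is_x224_connection_request(seg.payload):
        return findings
    if seg.dst_port != RDP_PORT:
        findings.append(f"RDP handshake to non-standard port {seg.dst_port}")
    if seg.src_port < LOW_PORT_MAX:
        findings.append(f"RDP handshake from low source port {seg.src_port}")
    return findings


# Constructed sample: minimal X.224 Connection Request with an RDP
# Negotiation Request (19 bytes, TPKT length field 0x0013).
SAMPLE_CR = bytes.fromhex("030000130ee000000000000100080003000000")

if __name__ == "__main__":
    for seg in [TcpSegment("10.0.0.5", 49211, "10.0.0.9", 3389, SAMPLE_CR),
                TcpSegment("10.0.0.5", 443, "203.0.113.7", 80, SAMPLE_CR)]:
        print(seg.src_ip, seg.src_port, "->", seg.dst_port, classify(seg))
```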
Conclusion:
Organizations can implement both host-based and network-based prevention mechanisms. Host-based prevention involves securing sensitive computer systems against viruses and malware, disabling unnecessary virtual desktop services, and configuring host-based firewalls to block inbound RDP connections.
Organizations can employ network-based detection tools to monitor network and system activity for malicious or unauthorized behavior. This includes analyzing firewall policies, inspecting web traffic for anomalies, and using Snort rules to detect the low source ports typically used by other protocols during RDP handshakes.
Organizations should regularly review and update their security measures, including firewall configurations, access control policies, and user authentication mechanisms.