Protect Workloads Utilizing RDP in AWS from Common Brute Force Attacks
Businesses are rushing to scale up existing workloads and bring to market new solutions to help support the growing remote workforce. Meanwhile, hackers are shifting their attention to these same systems, and in particular to the application-level protocol used to reach Windows workstations and servers remotely: RDP (Remote Desktop Protocol).
In fact, according to researchers at Kaspersky, the number of brute-force attacks against exposed RDP services has skyrocketed around the world since the beginning of March 2020.
With brute force attacks, hackers systematically try all possible options for the RDP username and password until they are able to log in. They often use previously leaked password records, or try different combinations of random characters (did you change your password after the Sunburst attack?). Once they land on the correct username/password combination, they gain remote access to the target system in the network.
The researchers at Kaspersky explained:
“…brute-force attackers are not surgical in their approach, but operate by area. As far as we can tell, following the mass transition to home working, they logically concluded that the number of poorly configured RDP servers would increase, hence the rise in the number of attacks.”
It is important to note that RDP is not the only thing to worry about in public cloud environments. Kaspersky researchers have also found 37 vulnerabilities in various clients of the similar VNC protocol.
For those of you hosting workloads utilizing RDP in Amazon Web Services (AWS), you can leverage tools such as CloudGuard’s Dynamic Access Lease feature to secure yourself. Instead of attaching a security group to the instance with an inbound rule that allows RDP access, Dynamic Access Lease allows AWS cloud servers and other resources to be almost hermetically closed. It opens tiny security “holes” for certain activities only when necessary and provides a full audit trail of all access and changes to the resource.
How Dynamic Access Leasing Works
Access to resources is granted to specific users through specific Service Groups (for example, SSH, Remote Terminal, or RDP). The Lease is a one-time access contract for a designated user to a service, for a given period of time.
Users can activate leases for specific IP/CIDRs in the client, or via an emailed link. When the Dynamic Access email recipient clicks on the link, an Access Lease is activated from the recipient’s current public IP address (/32) for the specific service(s) or port(s) specified in the lease. Activation of the lease triggers the creation of one temporary Security Group Inbound Access Rule for each inbound port or continuous port range selected for Dynamic Access.
How Dynamic Access Leasing Can Protect Against Brute Force Attacks
In essence, using Dynamic Access Leasing enables users to close off sensitive resources in the cloud. Using RDP as an example, there is no need for a rule in the Windows server’s security group that leaves RDP open to the world. Instead, with Dynamic Access, a rule is added only for the specific IP address used by the employee who needs access, and only for a limited amount of time. Once the access lease expires, this rule is automatically removed.
This makes it so that even if attackers are able to brute force your username/password login to the RDP service, they cannot gain access to the Windows server because they are not connecting from your specific IP address. In addition, any access to the server is audited, so you can see exactly who is connecting to it. Access Leases reduce the attack surface by shrinking the set of permitted source IP addresses from the whole world to a small group. They also reduce the success rate of brute force attacks by dramatically shortening the window in which an attacker or bot can even find your RDP service.
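To make the mechanism concrete, here is a small Python model of what a lease activation and expiry do to a security group. It is an added example, not CloudGuard’s code, and it assumes lease state is held in memory; it only builds and evaluates the rules, and the boto3 calls named in the comments are where a real tool would apply them.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RDP_PORT = 3389  # default Windows Remote Desktop port


@dataclass
class AccessLease:
    """One-time access contract: one user, one source host, fixed lifetime."""
    user: str
    source_ip: str
    expires_at: datetime
    rules: list = field(default_factory=list)  # boto3 IpPermissions entries


def activate_lease(user, source_ip, port_ranges, minutes, now=None):
    """Build the temporary inbound rules a lease activation adds.

    The source is always the requester's own address narrowed to a /32, and
    one rule is produced per port or contiguous port range; these dicts are
    in the shape ec2.authorize_security_group_ingress(IpPermissions=...) takes.
    """
    now = now or datetime.now(timezone.utc)
    host = ipaddress.ip_address(source_ip)  # rejects malformed input
    if host.version != 4:
        raise ValueError("this model handles IPv4 sources only")
    cidr = f"{host}/32"  # never wider than the single requesting host
    rules = [
        {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
         "IpRanges": [{"CidrIp": cidr, "Description": f"lease:{user}"}]}
        for lo, hi in port_ranges
    ]
    return AccessLease(user, source_ip, now + timedelta(minutes=minutes), rules)


def expired_rules(leases, now=None):
    """Rules whose lease has lapsed; a scheduler hands these, unchanged,
    to ec2.revoke_security_group_ingress so the hole closes by itself."""
    now = now or datetime.now(timezone.utc)
    return [r for lease in leases if lease.expires_at <= now for r in lease.rules]


def source_allowed(leases, client_ip, port, now=None):
    """Would a connection from client_ip to port be admitted at time `now`?
    A password guesser on any other address is refused before its first try."""
    now = now or datetime.now(timezone.utc)
    ip = ipaddress.ip_address(client_ip)
    for lease in leases:
        if lease.expires_at <= now:
            continue  # lapsed lease: its rules have been revoked
        for rule in lease.rules:
            net = ipaddress.ip_network(rule["IpRanges"][0]["CidrIp"])
            if ip in net and rule["FromPort"] <= port <= rule["ToPort"]:
                return True
    return False
```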
This is just one tooling example of how to stop a brute force attack; there are several tools on the market. The key is to find the tool that works automatically across your cloud environments to prevent attacks, so that you are not the next victim.