
Protect Workloads Utilizing RDP in AWS from Common Brute Force Attacks

The number of brute-force attacks against exposed RDP services has skyrocketed around the world since the beginning of March 2020.
Apr 1st, 2021 12:00pm by
Feature image via Pixabay.

Businesses are rushing to scale up existing workloads and bring new solutions to market to support the growing remote workforce. Meanwhile, attackers are shifting their attention to these same systems, and in particular to the application-level protocol used to access Windows workstations and servers remotely: RDP (Remote Desktop Protocol).

In fact, according to researchers at Kaspersky, the number of brute-force attacks against exposed RDP services has skyrocketed around the world since the beginning of March 2020.

Growth in the number of RDP brute-force attacks (Source: Kaspersky)

Maya Levine
A dedicated and analytical security engineer, Maya is Technical Marketing Engineer at Check Point Software, focusing on cloud technologies. She has deep technical knowledge in multiple domains (security, software engineering, cloud), matched with an earnest and concise communication style that connects to both technical and business audiences.

With brute force attacks, hackers systematically try all possible options for the RDP username and password until they are able to log in. They often use previously leaked password records, or try different combinations of random characters (did you change your password after the Sunburst attack?). Once they land on the correct username/password combination, they gain remote access to the target system in the network.
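From the defender's side, the pattern described above is visible on the Windows host as a burst of failed logon events (Security event 4625, logon type 10 for RDP) from one source address against many usernames. The script below is an added example, not code from the article or from Check Point, that runs that detection over a handful of constructed event records; the threshold, window and addresses are assumptions chosen for illustration.

```python
"""Flag RDP password-guessing in Windows Security event 4625 records.

Added example (not from the article). The records below are constructed and only
mimic the fields of a 4625 (failed logon) event: IpAddress, TargetUserName and
LogonType, where LogonType 10 is RemoteInteractive, i.e. RDP. The threshold of
5 failures in 5 minutes is an assumption, not a Windows or AWS default.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625          # Windows Security: "An account failed to log on"
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10          # RemoteInteractive (Terminal Services / RDP)

# Constructed sample events: (timestamp, EventID, LogonType, IpAddress, TargetUserName)
SAMPLE_EVENTS = [
    ("2021-03-30T10:00:01", 4625, 10, "198.51.100.7", "administrator"),
    ("2021-03-30T10:00:03", 4625, 10, "198.51.100.7", "admin"),
    ("2021-03-30T10:00:04", 4625, 10, "198.51.100.7", "Administrator"),
    ("2021-03-30T10:00:06", 4625, 10, "198.51.100.7", "guest"),
    ("2021-03-30T10:00:08", 4625, 10, "198.51.100.7", "test"),
    ("2021-03-30T10:00:09", 4625, 10, "198.51.100.7", "user"),
    ("2021-03-30T10:01:00", 4625, 10, "203.0.113.10", "mlevine"),    # one typo by a legitimate user
    ("2021-03-30T10:01:20", 4624, 10, "203.0.113.10", "mlevine"),    # followed by a successful logon
    ("2021-03-30T10:30:00", 4625, 2, "-", "svc_backup"),             # local logon (type 2): not RDP
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"failures": n, "distinct_users": m}} for every source
    that produced at least `threshold` failed RDP logons inside any span of
    length `window`. Sources below the threshold are not reported."""
    recent = defaultdict(deque)      # per-source timestamps inside the sliding window
    users = defaultdict(set)         # per-source usernames tried (case-folded)
    flagged = {}
    for ts, event_id, logon_type, src_ip, user in sorted(events):
        if event_id != FAILED_LOGON or logon_type != RDP_LOGON_TYPE:
            continue                 # only failed RDP logons count
        t = datetime.fromisoformat(ts)
        q = recent[src_ip]
        q.append(t)
        users[src_ip].add(user.lower())
        while q and t - q[0] > window:
            q.popleft()              # drop attempts that fell out of the window
        if len(q) >= threshold:
            prev = flagged.get(src_ip, {}).get("failures", 0)
            flagged[src_ip] = {
                "failures": max(len(q), prev),
                "distinct_users": len(users[src_ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['failures']} failed RDP logons, "
              f"{info['distinct_users']} usernames tried")
```

Only the address that cycles through several account names in a few seconds is reported; the single mistyped password from the legitimate user stays below the threshold. Counting distinct usernames alongside raw failures is what separates password spraying from one user locked out of their own account.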

The researchers at Kaspersky explained:

“…brute-force attackers are not surgical in their approach, but operate by area. As far as we can tell, following the mass transition to home working, they logically concluded that the number of poorly configured RDP servers would increase, hence the rise in the number of attacks.”

It is important to note that remote desktop protocol is not the only thing to worry about in public cloud environments. The similar VNC protocol has been found to have 37 vulnerabilities in various clients, as researched by Kaspersky.

For those of you hosting workloads utilizing RDP in Amazon Web Services (AWS), you can leverage tools such as CloudGuard’s Dynamic Access Lease feature to secure yourself. Instead of attaching a security group to the instance with an inbound rule that allows RDP access, Dynamic Access Lease allows AWS cloud servers and other resources to be almost hermetically closed. It opens tiny security “holes” for certain activities only when necessary and provides a full audit trail of all access and changes to the resource.

How Dynamic Access Leasing Works

Access is granted to specific users to resources through specific Service Groups (for example, SSH, Remote Terminal, or RDP). The Lease is a one-time access contract for a designated user to a service, for a given period of time.

Users can activate leases for specific IP/CIDRs in the client, or via an emailed link. When the Dynamic Access email recipient clicks on the link, an Access Lease is activated from the recipient’s current public IP address (/32) for the specific service(s) or port(s) specified in the lease. Activation of the lease triggers the creation of one temporary Security Group Inbound Access Rule for each inbound port or continuous port range selected for Dynamic Access.

How Dynamic Access Leasing Can Protect Against Brute Force Attacks

In essence, using Dynamic Access Leasing enables users to close off sensitive resources in the cloud. Using RDP as an example, there is no need for a rule in the Windows server’s security group that leaves RDP open to the whole internet. Instead, with Dynamic Access, a rule is added only for the specific IP address used by the employee who needs access, and only for a limited amount of time. Once the access lease expires, the rule is automatically removed.

This means that even if attackers manage to brute force your username/password for the RDP service, they cannot reach the Windows server, because they are not connecting from your specific IP address. In addition, all access to the server is audited, so you can see exactly who connected and when. Access Leases reduce the attack surface by shrinking the set of source addresses that can reach the port from the whole world to a small group, and they reduce the success rate of brute force attacks by dramatically shortening the window in which an attacker or bot can even find your RDP service.
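The lease lifecycle described in the two sections above (a /32 ingress rule created for one user, one port and one period, then revoked, with every step audited) can be modelled in a few dozen lines. The script below is an added example, not CloudGuard's or AWS's code: the security group is an in-memory stand-in so the script runs offline, and the two methods that would change a real group correspond to the boto3 EC2 client calls `authorize_security_group_ingress` and `revoke_security_group_ingress` (only those call names are real; nothing here talks to AWS). The security group id, addresses, user name and durations are constructed.

```python
"""Model of a Dynamic Access Lease over an AWS security group.

Added example, not CloudGuard's or AWS's code. The group is modelled in memory
so this runs offline; authorize_ingress/revoke_ingress mark where a real
implementation would call the boto3 EC2 methods authorize_security_group_ingress
and revoke_security_group_ingress. All ids, addresses and times are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress

RDP_PORT = 3389


@dataclass
class Lease:
    user: str
    cidr: ipaddress.IPv4Network      # always the requester's public IP as a /32
    port: int
    granted_at: datetime
    expires_at: datetime


@dataclass
class SecurityGroup:
    """In-memory stand-in for an EC2 security group: a set of (cidr, port) ingress rules."""
    group_id: str
    rules: set = field(default_factory=set)

    def authorize_ingress(self, cidr, port):   # real world: ec2.authorize_security_group_ingress(...)
        self.rules.add((cidr, port))

    def revoke_ingress(self, cidr, port):      # real world: ec2.revoke_security_group_ingress(...)
        self.rules.discard((cidr, port))

    def allows(self, src_ip, port):
        """Would a TCP connection from src_ip to port pass this group's inbound rules?"""
        ip = ipaddress.ip_address(src_ip)
        return any(ip in cidr and p == port for cidr, p in self.rules)


class LeaseManager:
    def __init__(self, sg):
        self.sg = sg
        self.leases = []
        self.audit = []          # (timestamp, action, user, cidr, port): the audit trail

    def activate(self, user, public_ip, port, duration, now):
        """Open one /32 rule for `user` on `port` that lasts `duration`."""
        cidr = ipaddress.ip_network(f"{public_ip}/32")
        lease = Lease(user, cidr, port, now, now + duration)
        self.sg.authorize_ingress(cidr, port)
        self.leases.append(lease)
        self.audit.append((now, "activate", user, str(cidr), port))
        return lease

    def expire(self, now):
        """Revoke the rule of every lease whose time is up; returns how many were removed."""
        removed, still_active = 0, []
        for lease in self.leases:
            if lease.expires_at <= now:
                self.sg.revoke_ingress(lease.cidr, lease.port)
                self.audit.append((now, "expire", lease.user, str(lease.cidr), lease.port))
                removed += 1
            else:
                still_active.append(lease)
        self.leases = still_active
        return removed


def simulate():
    """One lease: the employee versus an attacker who holds the same valid password."""
    sg = SecurityGroup("sg-example")                     # constructed id
    mgr = LeaseManager(sg)
    t0 = datetime(2021, 4, 1, 12, 0)
    mgr.activate("mlevine", "203.0.113.10", RDP_PORT, timedelta(hours=1), t0)
    results = {
        "employee_during_lease": sg.allows("203.0.113.10", RDP_PORT),
        "attacker_during_lease": sg.allows("198.51.100.7", RDP_PORT),  # other source: no rule matches
        "employee_other_port": sg.allows("203.0.113.10", 22),          # lease is per port, too
    }
    mgr.expire(t0 + timedelta(minutes=30))               # lease still valid: nothing removed
    results["rules_before_expiry"] = len(sg.rules)
    mgr.expire(t0 + timedelta(hours=1))                  # lease is up: rule revoked automatically
    results["employee_after_lease"] = sg.allows("203.0.113.10", RDP_PORT)
    results["rules_after_expiry"] = len(sg.rules)
    results["audit_events"] = [entry[1] for entry in mgr.audit]
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The attacker's connection fails at the security group before the Windows logon ever happens, which is the point of the article: the credentials are irrelevant when the packet is never delivered. One caveat worth keeping in mind with any /32 lease is that it is scoped to the requester's public address, so every host sharing that NAT or VPN egress address matches the rule for the lease's duration; short lease lifetimes and the audit trail are what keep that exposure small and visible.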

This is just one tooling example of how to stop a Brute Force attack, but there are several tools on the market. The key is to find the best tool that works automatically across your cloud environments to prevent attacks, so that you are not the next victim.
