HKCert
Security Blog

Beware of Attacks on Remote Access Services

Release Date: 28 / 04 / 2020
Last Update: 28 / 04 / 2020

Rush to Remote Access Services Opens More Opportunities for Hackers

 

As the COVID-19 pandemic continues its spread globally, many organisations are implementing work from home arrangement, using a variety of remote access services to ensure employees can connect to the organisation’s internal network from home.

 

Rushing to set up the infrastructure for such purpose, they might forgo security risk assessment on remote access services, unwittingly giving opportunities to hackers. HKCERT urges organisations to raise their awareness of the risks relating to remote access services, and immediately implement necessary security measures and conduct security assessments to ensure that these services are used in a safe manner.

 

Increase in Exposure of Remote Access Services

 

Internet services search engine, Shodan, has found that the number of servers with Virtual Private Network (VPN) and Remote Desktop (RDP) service ports visible on the Internet has increased significantly[1].

 

(Source: Shodan)

 

Also, HKCERT observes that the corresponding cyber attacks are increasing too. The attack methods include Distributed Denial-of-Service (DDoS) attacks against VPN infrastructure[2]; exploiting the VPN vulnerabilities to deliver various cyber attacks, such as installing the malware to the client computers[3]; hacking into the company’s internal network and spreading ransomware[4].

 

Moreover, international cyber security organisations CISA[5] and NSCS[6] found that some hackers were scanning for exploitable vulnerabilities of VPN software[7], and a large increment in scanning of RDP (default port 3389) was observed. This indicates a reconnaissance being undertaken by them with plans to launch cyber attacks against remote access services[8].

 

Recommendations for Securing Remote Access Service

 

HKCERT has the following recommendations for securing remote access services:

 

A. For organisations:

  1. Establish security policy and procedure for remote access services and ensure all staff fully understand the rules of using the relevant services;
  2. Periodically review the security configuration of firewall and systems and ensure the remote access user list is up-to-dated;
  3. Follow the least privilege principle; ensure each employee can only access the necessary systems assigned;
  4. Develop log monitoring and alert mechanism. Any abnormal logs or suspicious traffic should trigger alert and notify relevant staff immediately. Incident investigation should be conducted.
  5. Ensure the remote access software (server-side) is updated. If the organisation is using Remote Desktop Service, it can refer to HKCERT security guideline “Best Practice Guide of Remote Desktop (for corporate administrator)” for system configuration.
  6. Choose the remote access products that support 2FA / MFA. Avoid using remote access product from unknown sources.
  7. Consider DDoS protection solution to defense against DDoS attacks.

 

B. For remote access users:

  1. Install security software and keep them updated. Ensure connection to the company network from a secured device and network environment.
  2. Ensure the remote access software (client-side) updated. If the organisation is using Remote Desktop Service, ensure Windows is updated regularly.
  3. Enable the 2FA / MFA feature, and use strong password.
  4. Beware of phishing and social engineering attacks to lure the user to provide the credential of remote access service.

 

For selection of suitable remote access services, please refer to guideline provided by HKCERT “Assessing the Security of Remote Access Services Guideline”.

 

[1] https://blog.shodan.io/trends-in-internet-exposure/

[2] https://securityboulevard.com/2020/04/increase-in-small-ddos-attacks-could-take-down-vpns/

[3] https://threatpost.com/government-vpn-servers-zero-day-attack/154472/

[4] https://securityaffairs.co/wordpress/100920/security/microsoft-warns-hospitals-ransomware.html

[5] https://www.cisa.gov

[6] https://www.ncsc.gov.uk

[7] https://www.us-cert.gov/ncas/alerts/aa20-099a

[8] https://isc.sans.edu/forums/diary/Increase+in+RDP+Scanning/25994/