Securing Remote Services from Ransomware Attacks
Written by: Vikram Navali, Senior Technical Product Manager
Threat actors often target remote services to gain unauthorized access to internal systems and launch ransomware attacks. Once inside the victim’s network, their goal is to exploit remote services and move laterally to other systems, primarily targeting Domain Controllers, file shares and similarly high-value servers. According to the DFIR 2021 Year In Review report (dated March 7, 2022), 27% of observed lateral movement techniques involved interactive connections using tools such as AnyDesk, RDP and VNC.
Common Scenarios of Exploiting Remote Services
Exploiting remote services is one of the common attack vectors for ransomware. Attackers exploit a weakness in an Internet-facing computer or program by sending it crafted software, data or commands. Threat actors may exploit well-known vulnerabilities in standard services such as SMB and Remote Desktop Protocol (RDP), or simply log in with stolen credentials.
Organizations also deploy services such as MySQL databases and web servers on external-facing systems. When such systems also expose RDP to the Internet, the risk is elevated: threat actors may exploit the application to gain initial access to the organization and then move laterally to achieve their goals.
Ransomware operators perform malicious activities (data theft or malware deployment) by connecting remotely and moving laterally to internal systems. This method has proven very successful: ransomware campaigns involving the Emotet malware exploited SMB to achieve lateral movement and propagation, and Ryuk ransomware used open RDP ports to deliver its payloads.
Hardening Remote Services
To limit the attack surface, organizations must implement security best practices and conduct regular assessments to identify and address vulnerabilities, especially on external-facing systems and applications. The following hardening recommendations also help protect computer systems from malicious users and software:
- Audit user accounts regularly, particularly Remote Monitoring and Management accounts that are publicly accessible.
- Remove unnecessary accounts and groups and restrict root access.
- Apply the principle of least privilege to all systems and services so that users only have the access they need to perform their jobs. Threat actors often seek out privileged accounts to further their ransomware operations.
- Restrict usage of PowerShell, using Group Policy, to specific users on a case-by-case basis. Threat actors use PowerShell to deploy ransomware and hide their malicious activities.
- Enforce Multifactor Authentication (MFA), especially for external-facing systems with RDP requirements.
- Allow connections only from computers running Remote Desktop with Network Level Authentication (NLA). More details are available at Remote Desktop - Allow access to your PC | Microsoft Docs. NLA also helps protect against brute-force attacks, which often target open Internet-facing RDP servers, because the client must authenticate before a session is created. RDP brute-force attacks are a popular method of gaining access to Windows endpoints and servers. Research by ESET shows that RDP brute-force attacks escalated throughout 2020 and 2021, and the last four months of 2021 brought a further acceleration, up 274% (from 55 billion attempts in T2 2021 to 206 billion in T3 2021).
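The checklist above can be turned into a repeatable, read-only audit of a single Windows host. The script below is an added example and is not code from the original article or from Attivo Networks; it assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session with the built-in LocalAccounts and NetSecurity modules, and uses the standard Terminal Server registry values (`fDenyTSConnections`, `UserAuthentication`, `SecurityLayer`). The `Test-RdpHardening` function name and the 90-day staleness threshold are choices made for this example.

```powershell
# Added example, not code from the original article or from Attivo Networks:
# a read-only audit of the hardening items above on the local Windows host.
# Assumes an elevated Windows PowerShell 5.1 / PowerShell 7 session with the
# built-in Microsoft.PowerShell.LocalAccounts and NetSecurity modules.

function Test-RdpHardening {
    [CmdletBinding()]
    param(
        # Enabled local accounts with no logon for this many days are reported as stale
        [int]$StaleDays = 90
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # 1. Is RDP enabled at all? fDenyTSConnections = 0 means connections are accepted.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($deny -eq 0) {
        $findings.Add('RDP is enabled; confirm it is required and not reachable from the Internet.')
    }

    # 2. Network Level Authentication: UserAuthentication = 1 makes the client
    #    authenticate before a session is created, which is what blunts brute force.
    $rdp = Get-ItemProperty -Path $rdpTcp -ErrorAction SilentlyContinue
    if ($rdp.UserAuthentication -ne 1) {
        $findings.Add('NLA is not enforced (UserAuthentication is not 1).')
    }
    # SecurityLayer 2 = TLS; 0 falls back to legacy RDP security.
    if ($rdp.SecurityLayer -ne 2) {
        $findings.Add("RDP security layer is '$($rdp.SecurityLayer)'; 2 (TLS) is recommended.")
    }

    # 3. Who may log on via RDP? Each member is one more credential worth stealing.
    foreach ($m in (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue)) {
        $findings.Add("Remote Desktop Users member: $($m.Name) [$($m.ObjectClass)]")
    }

    # 4. Stale but still enabled local accounts (audit and remove unnecessary accounts).
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($u in (Get-LocalUser | Where-Object { $_.Enabled })) {
        if (-not $u.LastLogon -or $u.LastLogon -lt $cutoff) {
            $last = if ($u.LastLogon) { $u.LastLogon } else { 'never' }
            $findings.Add("Enabled local account '$($u.Name)' last logged on: $last")
        }
    }

    # 5. PowerShell restriction: an AppLocker/WDAC policy pushed by Group Policy puts
    #    non-allowed users into ConstrainedLanguage mode. Admin sessions are expected
    #    to be FullLanguage, so treat this finding as informational.
    $mode = $ExecutionContext.SessionState.LanguageMode
    if ($mode -ne 'ConstrainedLanguage') {
        $findings.Add("PowerShell language mode for this user is $mode; confirm Group Policy restricts it for non-admin users.")
    }

    # 6. Scope of the built-in Remote Desktop firewall rules. 'Any' remote address
    #    on an Internet-facing interface is exactly the exposure the article warns about.
    foreach ($rule in (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue)) {
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'Any') {
            $findings.Add("Firewall rule '$($rule.DisplayName)' allows any remote address; scope it to management networks.")
        }
    }

    return $findings
}

# Usage: print each finding as a warning; an empty result means every check passed.
Test-RdpHardening | ForEach-Object { Write-Warning $_ }
```

On domain-joined hosts the NLA and PowerShell settings should be enforced through Group Policy rather than edited locally, so the script only reports; it is meant to run from a scheduled task or a configuration-management check so that drift on external-facing servers is noticed quickly.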
The Attivo Networks ThreatDefend® platform offers deployment of decoys that host production-like applications (for example, RDP servers, SSH servers, VNC and others). The Endpoint Detection Net (EDN) ThreatStrike® solution prevents theft of real credentials and plants deceptive credentials on production endpoints. After an initial compromise, it hinders lateral movement by redirecting attackers to decoy systems for engagement. Additionally, the Deflect function monitors the attacker’s discovery techniques, such as scanning endpoints for ports and services to exploit.
Organizations should leverage endpoint and network security solutions as additional security measures. Continuous monitoring of exposures and control over remote services, especially systems with RDP (TCP/3389) and other protocols such as SMB (TCP/445) reachable to or from the Internet, can drastically reduce the risk of malicious activity.
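The brute-force pattern described in the hardening list and the continuous monitoring recommended here both come down to watching failed RDP logons and noting whether the source is internal or on the Internet. The script below is an added example, not code from the original article or from Attivo Networks. It reads Windows Security event 4625 (failed logon) on the RDP host or a log collector, which assumes failed-logon auditing is enabled; logon type 10 is RemoteInteractive (RDP) and type 3 is what NLA failures are logged as. The threshold of 20 failures in 10 minutes, the function names and the sample events are constructed for this example.

```powershell
# Added example, not code from the original article or from Attivo Networks:
# flag RDP brute-force activity from Windows Security event 4625 and note
# whether each source is outside RFC 1918 space. Sample data is constructed
# so the detection logic can be run offline.

function ConvertFrom-FailedLogonEvent {
    # Extract the fields we need from live 4625 events (assumes Security auditing is on).
    param([int]$Hours = 1)
    $start = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $start } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                SourceIp  = $d['IpAddress']
                User      = $d['TargetUserName']
                LogonType = [int]$d['LogonType']
            }
        }
}

function Test-PrivateIp {
    # RFC 1918, loopback, or '-' (no network source); anything else hitting RDP is Internet exposure.
    param([string]$Ip)
    return $Ip -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|::1$|-$)'
}

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 20,       # failures from one source within the window
        [int]$WindowMinutes = 10
    )
    $Events |
        Where-Object { $_.LogonType -in 3, 10 } |
        Group-Object SourceIp |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            # Sliding window: find the densest run of failures for this source.
            $max = 0
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                $end = $sorted[$i].Time.AddMinutes($WindowMinutes)
                $n = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.Time -le $end }).Count
                if ($n -gt $max) { $max = $n }
            }
            if ($max -ge $Threshold) {
                [pscustomobject]@{
                    SourceIp   = $_.Name
                    Failures   = $max
                    Usernames  = ($_.Group.User | Sort-Object -Unique) -join ','
                    FromPublic = -not (Test-PrivateIp $_.Name)
                }
            }
        }
}

# Constructed sample: one external source (TEST-NET-3 address) tries 'administrator'
# 25 times in five minutes; an internal admin mistypes a password once.
$base   = Get-Date '2022-03-07T10:00:00'
$sample = @()
foreach ($i in 1..25) {
    $sample += [pscustomobject]@{ Time = $base.AddSeconds($i * 12); SourceIp = '203.0.113.7'; User = 'administrator'; LogonType = 3 }
}
$sample += [pscustomobject]@{ Time = $base.AddMinutes(3); SourceIp = '192.168.1.20'; User = 'jsmith'; LogonType = 10 }

# Offline run: only 203.0.113.7 is reported (Failures 25, FromPublic True).
Find-RdpBruteForce -Events $sample | Format-Table -AutoSize

# Live use on an RDP host or collector:
# Find-RdpBruteForce -Events (ConvertFrom-FailedLogonEvent -Hours 24)
```

A source that is flagged with `FromPublic` set to true is evidence that the host is reachable on TCP/3389 from the Internet, which is the exposure condition worth fixing at the firewall rather than only alerting on; sources inside private ranges that trip the threshold are a lateral-movement signal and belong with the Domain Controller and file-share monitoring discussed earlier.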
For more information, please visit https://www.attivonetworks.com/solutions/ransomware-mitigation/.