Remote Desktop Protocol Clients Rife with Remote Code-Execution Flaws February 5, 2019 https://threatpost.com/remote-desktop-protocol-clients-rife-with-remote-code-execution-flaws/141505/
Well, I only use RDP between trusted machines. Or at least, my machines. Mostly RDP via SSH for using VMs on headless remote servers. Usually via Tor onion services. So stuff is pretty well authenticated, encrypted, and obfuscated. So is it common to RDP to untrusted servers?
If you connect to a "trusted" server, you can also be affected if the server has been infected with malware. Two possible scenarios are mentioned in the next article: Check Point Report: Reverse RDP Attack: Code Execution on RDP Clients
I am the admin of any server I RDP to. That would make it no greater risk than any other machine I control. This needs to be fixed, but I am not greatly worried for my own use.
I guess. But I'm more worried about my servers than the ~disposable VMs that I manage them with. But then, I don't share resources and stuff with others.
You're also likely not someone that the bad guys would explicitly target and spy on with binoculars while you're in the bath, so that also kinda helps.
A bit off topic, but from what I understood, most of the successful ransomware attacks on companies made use of RDP to install malware on systems, but if anti-ransomware tools were installed on those machines, these attacks would have been stopped. Unless hackers had the opportunity to disable security software; is this possible via RDP? This has never been clear to me.
According to Marcos over at the ESET forum, yeah, they can. https://forum.eset.com/topic/18362-ransomware/?do=findComment&comment=90179 "If an attacker gets access to a machine (typically via RDP), as a result, he or she can do anything from just viewing files on the disk to modifying or stealing them, or to uninstalling or disabling AV and running malware (ransomware, installing a backdoor, spyware, etc.)." Users are better off disabling RDP unless they really need it.
Yes, if you can exploit RDP, you can pretty much do anything. This is why all of my backups have zero access where users are concerned. Only an admin account that only I have the password to. And an offline copy. Most of our shares are read only except for some backdoor accounts that only I know of. Not impossible to exploit as nothing is, but harder than most setups. And nothing in them worth the effort anyway.
You also don't need an RDP vulnerability to successfully pull off an RDP attack. Brute force RDP attacks are still quite successful. Emsisoft has a good read on that subject: https://blog.emsisoft.com/en/28622/rdp-brute-force-attack/
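The brute-force point above is something a defender can check for directly in the Windows Security log, so here is an added example (mine, not from the thread or the Emsisoft post) that flags sources generating a burst of failed RDP logons and, more importantly, a burst that ends in a successful logon. The event records are constructed and the field names (`time`, `event_id`, `user`, `src_ip`, `logon_type`) are my own simplified shape, not a real exporter's; the Event IDs (4625 failed logon, 4624 successful logon) and logon types (10 = RemoteInteractive, 3 = Network, which is how NLA pre-authentication failures are typically recorded) are the real Windows values.

```python
"""Flag RDP brute-force bursts in Windows Security events.

Added illustration, not code from the thread or from Emsisoft.  Input is a
list of dicts in a simplified, assumed shape (see lead-in); a real pipeline
would feed it from an EVTX export or a SIEM query.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625       # "An account failed to log on"
SUCCESS_LOGON = 4624      # "An account was successfully logged on"
RDP_LOGON_TYPES = {10, 3}  # 10 = RemoteInteractive; 3 = Network (NLA failures land here)


def _ev(ts, event_id, user, src, logon_type=10):
    """Build one simplified event record (constructed sample data)."""
    return {"time": ts, "event_id": event_id, "user": user,
            "src_ip": src, "logon_type": logon_type}


# Constructed sample log: one source sprays six accounts in 11 seconds and
# then gets in; another source has a single typo and one console logon.
SAMPLE_EVENTS = [
    _ev("2019-02-05T09:00:01", 4625, "administrator", "203.0.113.5"),
    _ev("2019-02-05T09:00:03", 4625, "admin", "203.0.113.5"),
    _ev("2019-02-05T09:00:04", 4625, "backup", "203.0.113.5", 3),
    _ev("2019-02-05T09:00:06", 4625, "user1", "203.0.113.5"),
    _ev("2019-02-05T09:00:09", 4625, "scanner", "203.0.113.5"),
    _ev("2019-02-05T09:00:10", 4625, "bob", "198.51.100.7"),      # one mistyped password
    _ev("2019-02-05T09:00:11", 4625, "alice", "198.51.100.7", 2),  # type 2 = console, not RDP
    _ev("2019-02-05T09:00:12", 4625, "svc-backup", "203.0.113.5"),
    _ev("2019-02-05T09:00:40", 4624, "svc-backup", "203.0.113.5"),  # burst ended in success
]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: alert} for every source with at least `threshold`
    failed RDP logons inside any sliding `window`.  The alert records the
    peak count, the first/last failure time and the set of accounts tried
    (many distinct accounts from one source is the password-spray pattern)."""
    recent = defaultdict(deque)  # src_ip -> deque of (time, user) inside the window
    alerts = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] != FAILED_LOGON or e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(e["time"])
        q = recent[e["src_ip"]]
        q.append((ts, e["user"]))
        while q and ts - q[0][0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(e["src_ip"],
                                  {"count": 0, "first": q[0][0], "accounts": set()})
            a["count"] = max(a["count"], len(q))
            a["last"] = ts
            a["accounts"].update(u for _, u in q)
    return alerts


def successes_after_burst(events, alerts):
    """Return {src_ip: user} for flagged sources that later achieved a
    successful interactive RDP logon: the strongest sign a guess worked."""
    hits = {}
    for e in sorted(events, key=lambda e: e["time"]):
        a = alerts.get(e["src_ip"])
        if (a and e["event_id"] == SUCCESS_LOGON and e["logon_type"] == 10
                and datetime.fromisoformat(e["time"]) >= a["last"]):
            hits[e["src_ip"]] = e["user"]
    return hits


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_EVENTS)
    for src, a in found.items():
        print(f"{src}: {a['count']} failed RDP logons, accounts tried: {sorted(a['accounts'])}")
    for src, user in successes_after_burst(SAMPLE_EVENTS, found).items():
        print(f"PRIORITY: {src} logged in as {user!r} after the failure burst")
```

The threshold and window are deliberately small so the constructed sample trips them; on a real host tune them to the observed background of typos, and treat the `successes_after_burst` result as the alert to page on, since a burst that never succeeds is noise once RDP is firewalled or behind a gateway.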
Also: Hackers Using RDP Are Increasingly Using Network Tunneling to Bypass Protections https://www.securityweek.com/hacker...ly-using-network-tunneling-bypass-protections
Also, there are nifty ways to bypass RDP security mechanisms without the need for any vulnerabilities. From one of my favorite bypass websites: https://doublepulsar.com/rdp-hijack...transparently-to-move-through-an-da2a1e73a5f6 As you read through the article, it readily becomes apparent that System privileges are required to pull this off. The author obligingly provides two fairly easy ways to acquire it: Neat! Get System privileges using legit Win executables.
OK, thanks. That's why it should always be possible to protect security tools with passwords; you shouldn't be able to terminate them this easily.