惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
News and Events Feed by Topic
V
V2EX
博客园 - 【当耐特】
Vercel News
Vercel News
雷峰网
雷峰网
爱范儿
爱范儿
WordPress大学
WordPress大学
云风的 BLOG
云风的 BLOG
S
Securelist
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Azure Blog
Microsoft Azure Blog
F
Full Disclosure
有赞技术团队
有赞技术团队
Hugging Face - Blog
Hugging Face - Blog
NISL@THU
NISL@THU
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Attack and Defense Labs
Attack and Defense Labs
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
Microsoft Security Blog
Microsoft Security Blog
腾讯CDC
P
Proofpoint News Feed
B
Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
K
Kaspersky official blog
I
InfoQ
Google Online Security Blog
Google Online Security Blog
L
LINUX DO - 最新话题
Project Zero
Project Zero
Engineering at Meta
Engineering at Meta
V
Visual Studio Blog
AI
AI
Schneier on Security
Schneier on Security
B
Blog RSS Feed
T
Tor Project blog
H
Help Net Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
L
LINUX DO - 热门话题
阮一峰的网络日志
阮一峰的网络日志
S
Security @ Cisco Blogs
T
Threat Research - Cisco Blogs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
C
Cyber Attacks, Cyber Crime and Cyber Security
G
Google Developers Blog
Google DeepMind News
Google DeepMind News
V2EX - 技术
V2EX - 技术
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
A
Arctic Wolf
Webroot Blog
Webroot Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main

Okta Security RSS Feed

OpenSSL HollowByte: A DoS Hiding in 11 Bytes Datadog and Okta Combine for New Customer Detections Detecting OpenClaw at Sign-In Okta Hardening Guide Updated to Secure Non-Human Identities Okta Pooled Security Audits: a One-Year Retrospective Account Recovery, without Password Resets Okta’s Response to React2Shell Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign Using Auth0 Logs for Proactive Threat Detection Controlling Cross-App Data Sprawl in Google Workspace How this ClickFix campaign leads to Redline Stealer Paving the Path: Pooled Audits with Okta Security Building Confidence in Support Comms with Caller Verify at Okta Enabling ISO/IEC 27001:2022 Compliance with Okta Okta’s Secure by Design Pledge - One Year On Leveraging Okta System Logs for Proactive Threat Detection Enhancing Customer Trust Through a Comprehensive Audit Program Okta's new Security Technical Implementation Guide (STIG) A Guide to DORA Compliance with Okta How AI services power the DPRK’s IT contracting scams Detect and Prevent Cross Device Authentication How Responsible Disclosures are Shaping a Safer Cyberspace Cybersecurity’s Next Gen Next.js CVE-2025-29927 CSO Conversations: Matthew Hansen, Regional CSO of Americas West Empowering Security with Customer Trust Solutions Putting Security First with Secure Development One trick finds the root of any Okta troubles CSO Conversations: Stephen McDermid, Regional CSO of EMEA Content-Security-Policy in a Complex Environment CSO Conversations: Keiko Itakura, Regional CSO of Japan How Okta Embraces Identity Verification Using Persona CSO Conversations: Matt Immler, Regional CSO of Americas East Raising the Bar for our Industry with IPSIE Cyber-Safety over the Holidays Okta Social Engineering Impersonation Report - Response and Recommendation Five Reasons to Upgrade your Org to Okta Identity Engine Okta’s Ongoing Commitment to Secure By Design Unveiling the Essence of the Security Customer Trust Function Security Education Through the Art of Storytelling Seven Ways to Reduce Super Admins in Okta The Case for Zero Standing Privileges FastPass: The battle-hardened authenticator Detecting Cross-Origin Authentication Credential Stuffing Attacks How to Block Anonymizing Services using Okta Why Cyber-heroes need a Zero Trust CAEP! Okta Verify Vulnerability Disclosure Report - Response and Remediation Defensive Domain Registration is a Mug’s Game Protecting Administrative Sessions in Okta How to Secure the SaaS Apps of the Future Okta October 2023 Security Incident Investigation Closure October Customer Support Security Incident - Update and Recommended Actions Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation Tracking Unauthorized Access to Okta's Support System Go “Secure by Default” With Custom Admin Roles for IT support staff Cross-Tenant Impersonation: Prevention and Detection BYO Telephony and the future of SMS at Okta Saying “No Thanks” to nOAuth Telling More Okta Detection Stories with Google Chronicle An Unexpected Endorsement for WebAuthn Social Engineering is Getting More Extreme, but the Fixes Can Be Simple Study up on Okta Logs for Splunk’s Boss of the SOC! Keeping Phishing Adversaries Out of the Middle Using Workflows to Respond to Anomalous Push Requests Okta and Splunk Combine to Detect Common Attacks Setting the Right Levels of Assurance for Zero Trust Catch-All's and Canary Rules User Sign-in and Recovery Events in the Okta System Log Okta Code Repositories Detecting Real-Time Phishing Attacks Detecting Real-Time Phishing Attacks Okta’s Response to OpenSSL Security Update Monitoring for Abuse of Administrative Privileges System Log: a Window into Supporting the Okta Cloud The Human Factor in Phishing Resistance Auth0 Code Repository Archives From 2020 and Earlier Phishing Resistance and Why it Matters Detecting Scatter Swine: Insights into a Relentless Phishing Campaign Defending against Session Hijacking Unlocking the Mystery of 700+ Okta System Log Events Official Okta Statement on LAPSUS$ Claims Protection, without perimeters Just How Risky is Legacy Authentication?
We (still) need to talk about RDP
Brett Winterford · 2022-03-08 · via Okta Security RSS Feed

Quarter by quarter, for three years now, abuse of Remote Desktop Protocol (RDP) has been the most common root cause of all ransomware events.

It’s no surprise why RDP makes for an attractive target: RDP is the primary vehicle for remote access to Windows servers and is used for administrative functions. It’s the most commonly listed method of remote access sold by initial access brokers.

According to some 2019 research [pdf] by Sophos, an open RDP port gets its first connection request somewhere between 90 seconds and 15 hours of being exposed on the internet. Brute forcing RDP is so easy, the researchers noted, that “the criminal gangs who conduct targeted ransomware attacks have almost entirely abandoned alternative methods of network entry.”

“In recent years, criminals deploying targeted ransomware like BitPaymer, Ryuk, Matrix, and SamSam have almost completely abandoned other methods of network ingress in favor of using RDP. Gangs like these have the choice of cracking passwords themselves using tools like NLBrute, buying passwords cracked by others, or buying accounts on compromised RDP servers.”

The situation hasn’t improved much since then. According to a joint statement released by authorities in the US, UK and Australia in February, ransomware actors assumed that organizations rushing to provide remote access during the first COVID lockdowns would misconfigure RDP. And oh boy, were they right.

All that said, I’ve never been 100% sure about whether there were systemic reasons that made RDP so prone to abuse. Surely, by now, after these hundreds of awareness campaigns and news articles, the collective hygiene practiced by systems administrators has improved to make this sort of abuse less effective?

Today there are a larger number of methods for discovering rogue servers and locking down RDP, while the risks of leaving RDP unprotected have only increased. And yet we aren’t seeing a downward trend in the number of exposed endpoints (or compromised networks) stemming from abuse of RDP. I don’t want to give in to the temptation of just putting it down to “lazy admins” and “miserly CIOs”. There has to be more to it.

Source: Shodan.io

By a “systemic” reason, I mean a set of conditions that lead to poor security outcomes, as opposed to a specific vulnerability. A systemic reason might be insecure defaults, for example, or indecipherable documentation. It might be essential security tasks that require additional “premium” licenses or for settings to be configured in multiple admin consoles. It’s often a combination of those things.

Recently a few observations made it all click for me.

The first came courtesy of a former Microsoft security engineer dropping a truth-bomb on Twitter. RDP is usually abused using brute force attacks, he noted, because there aren’t any out-of-the-box ways to apply rate limiting to RDP.

“An entire and large part of the ransomware economy is this singular issue.”

And just as I was getting my head around how Microsoft would go about applying rate limiting in a server OS (it’s not trivial), my former colleagues at the Risky Business podcast published a groundbreaking interview with Michael Montaya, CISO of Equinix. Montaya rather bravely gave Risky Business a blow-by-blow account of a ransomware incident at the company. The beachhead for the attack was a brute force attack on an unsanctioned server with RDP exposed to the internet.

“The configurations that come out of the box in the cloud don’t always follow best practices,” Montaya explained.

If you combine the constrained ability of security teams to discover open RDP ports in unsanctioned infrastructure, and the unconstrained ability for attackers to test stolen credentials against clients with RDP exposed, it starts to take the shape of a systemic problem.

If you glance at where you find the most Windows servers with RDP open to the internet, it doesn’t marry closely with market share. There seems to be disproportionately more vulnerable servers hosted by managed service providers that rent access to Windows VMs as a “cloud service”. The default settings at these service providers is worthy of analysis.

In this context, it’s just a little tiresome to keep chalking up abuse of RDP to “poor user credential hygiene”. That’s the sort of cop out that’s enabled initial access brokers and ransomware affiliates to thrive for the five years. Our services should, at some level, be configured to anticipate and expect that users will practice poor credential hygiene. At the very least, service providers should offer VMs with inbound connections over RDP blocked by default.

Keep beating that drum

Given the known conditions that make RDP so vulnerable, we unfortunately need to keep hammering home the message that admins avoid exposing RDP to the internet in the first place - even if a lot of people are sick of hearing about it.

Inbound connections via RDP should be limited to trusted network sources and protected by multifactor authentication. In a true “zero trust” context, that means MFA is applied even when the admin is already on the network. Better yet, the only trusted source should be a jump host/bastion host that admins must authenticate to first. All authentication via RDP should be logged and monitored for large numbers of unsuccessful logins.

If remote access is absolutely required, an admin should first have to authenticate via a gateway. Bonus points if the solution involves “just in time” access - that is, ephemeral credentials for every session.

These controls aren’t so difficult to implement, but they can be difficult to sell into IT admins that complain loudly about the slightest inconvenience.

In infosec we expend a lot of time and investment in mitigating numerous “theoretical” risks. It’s disappointing that something as commonplace as the abuse of RDP isn’t flashy enough to warrant more energy.

So “once more unto the breach”, my infosec friends, there are better ways to secure remote access.

Brett Winterford is Vice President of Okta Threat Intelligence. Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats. Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity.
Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank. Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.