External remote services attacks
How to stop one of today’s most common intrusion methods?
Cybersecurity incidents are on the rise.
- 64% of companies have suffered at least one incident.
- Ransomware grew by 150% in 2020 alone.
- A new incident occurs every 39 seconds.
This article will show you how to stop one of the most common attack patterns driving this rise in incidents — external remote services attacks.
To do so, we will explore:
- What external remote services attacks are
- How these attacks operate and their objectives
- How you can defend your organization against them with a few simple steps.
External remote services attacks: what they are and why they matter
At a fundamental level, external remote services attacks are easy to understand.
They are simply attacks that exploit vulnerabilities in external remote services like Microsoft’s Remote Desktop Protocol (RDP) or Windows Server Message Block (SMB).
These services are often highly vulnerable. They are often misconfigured or have not been updated recently and carry open exploits that criminals know how to take advantage of. Even worse, when these services are mismanaged, they can give criminals a direct path into your network and an easy way to spread between systems.
Unfortunately, these attacks are rapidly growing in size, frequency, and severity. The use of digital technologies and external remote services like RDP and SMB has increased dramatically over the last eighteen months. It likely will never snap back to pre-pandemic levels. If anything, they will continue to grow. Consider that:
- 25 – 30% of the global workforce will be working from home by the end of this year. (Global Workplace Analytics)
- Work from home trends will accelerate digital investment timelines from a multi-year marathon to a 12-month sprint. (Gartner)
Cybercriminals have adapted their TTPs to take advantage of today’s digital, remote, and interconnected enterprise. They now focus many of their attacks and perform much of their lateral spread by exploiting mismanaged external remote services. Consider that the number of attacks that leverage RDP exploits alone increased by 768% between Q1 and Q4 2020 (according to new research by ESET).
Specifically, cybercriminals often use external remote service attacks to launch and drive today’s ransomware attacks. One of the highest-impact ransomware attacks of all time — WannaCry — exploited an SMB vulnerability, and at least 42% of today’s ransomware attacks exploit RDP alone.
Every organization now uses more external remote services than ever, and cybercriminals have learned to exploit these services to launch their most significant attacks.
To defend your new environment against these new attack patterns, you must better understand these patterns and how to stop them. Here’s how to do just that.
Dissecting this attack pattern: how it works
Let’s take a moment to break down this attack pattern in detail. By understanding how it works, you will better understand how to build an effective defense against it.
As mentioned, this attack pattern targets external remote services. While cybercriminals often target RDP and SMB, they might also exploit:
- Virtual Private Networks (VPNs)
- Virtual Network Computing (VNC)
- Virtual Desktop Environments or Remote Connect Solutions
- Windows Remote Management
- Or any other software that connects remote devices to the central network.
Cybercriminals can exploit these services through multiple methods.
- They will often scan their target and look for instances of an external remote service that is open to the internet, which can be easily exploited. For example, they might look for an exposed instance of the service that doesn’t require authentication. This can include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard in containerized environments.
- Sometimes, the cybercriminals may exploit an instance of the service by acquiring legitimate credentials via brute force attacks, credential pharming, social engineering, or other basic but effective methods.
- Finally, the cybercriminal may find instances of the service that are not securely configured and provide direct remote access to internal systems and unlimited access to resources over the network. This is unfortunately common, given that an organization might install these services on every one of their devices, and these services often — by default — have highly privileged access out-of-the-box.
Once an attacker finds an instance of the service to exploit, they often gain a direct line into the network and open access to many other systems that use that service. While the MITRE ATT&CK Matrix lists external remote service attacks as an initial access technique, cybercriminals will often jump between instances of these services to build their foothold, compromise more data, and build a high degree of leverage against their target (which is why these attacks are so popular within ransomware).
How to Stop External Remote Service Attacks: Simple Steps
While these attacks are highly effective, they are not particularly complicated, and they can be stopped with a few relatively simple actions.
First, you must detect them early in their attack campaign, before they spread to many other systems and become a real project to remove. This means you need threat campaign identification in place.
To detect external remote services attacks, you need to follow a few best practices to alert you when any of your valid accounts are being used maliciously. These best practices include:
- Collecting authentication logs and analyzing them for unusual access patterns and windows of activity, profiling authorized users, and flagging access outside of regular business hours.
- Monitoring follow-on activities — like anomalous external use of APIs or applications — from exposed services that don’t require authentication.
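As an added illustration of the detection practices above (example code written for this article, not Atos tooling), the following Python reads constructed authentication log lines in a hypothetical CSV format and applies three of the checks: a burst of failed logons followed by a success from the same source, a successful logon outside business hours, and a source address never seen before for that user.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a hypothetical format: timestamp,user,source_ip,result
# (real RDP logon events would come from Windows Security log events 4624/4625).
SAMPLE_LOG = """\
2024-05-06T09:12:00,alice,10.0.0.12,success
2024-05-06T09:30:00,bob,10.0.0.20,success
2024-05-06T22:41:00,alice,203.0.113.7,failure
2024-05-06T22:41:05,alice,203.0.113.7,failure
2024-05-06T22:41:09,alice,203.0.113.7,failure
2024-05-06T22:41:14,alice,203.0.113.7,failure
2024-05-06T22:41:20,alice,203.0.113.7,failure
2024-05-06T22:41:27,alice,203.0.113.7,success
2024-05-07T10:05:00,bob,10.0.0.20,success
"""

# Baseline profile of authorized users (constructed): the sources each user normally logs on from.
KNOWN_SOURCES = {"alice": {"10.0.0.12"}, "bob": {"10.0.0.20"}}
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 in the log's local time
FAILURE_THRESHOLD = 5           # failures before a success is treated as brute force

def parse(log_text):
    """Turn the CSV lines into (timestamp, user, source, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, src, result = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events

def detect(events, known_sources):
    """Return (rule, user, source, timestamp) alerts for suspicious successful logons."""
    alerts = []
    failures = defaultdict(int)   # (user, source) -> consecutive failures seen so far
    for ts, user, src, result in events:
        key = (user, src)
        if result == "failure":
            failures[key] += 1
            continue
        # A success after a run of failures from the same source looks like brute force.
        if failures[key] >= FAILURE_THRESHOLD:
            alerts.append(("brute_force_then_success", user, src, ts))
        failures[key] = 0
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("outside_business_hours", user, src, ts))
        if src not in known_sources.get(user, set()):
            alerts.append(("new_source_for_user", user, src, ts))
    return alerts

def run_sample():
    return detect(parse(SAMPLE_LOG), KNOWN_SOURCES)
```

Every alert here involves the same logon (alice from 203.0.113.7 at 22:41), so the three rules reinforce one another and a triage queue sorted by user and source surfaces the campaign as one event rather than three.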
Second, you must reduce your vulnerability to this attack pattern and shrink your attack surface. To do so, you must ensure that every instance of these services in your environment is configured correctly, fully updated, and only given access to the internal and external vectors that it needs to do its job.
External remote services attacks are increasingly common but relatively simple to stop with a few best practices. For assistance in bringing these best practices to life in your organization, reach out to Atos today and schedule a free consultation.