Mitigating Zeppelin’s (and any other) Misuse of RDP for Remote Access

The latest advisory from the U.S. Government is a forewarning about how easy it is for cybercriminal gangs to leverage RDP for both initial access and to move laterally.

The Zeppelin ransomware variant – also known as Vega or VegaLocker – has been observed since 2019. Operating under a ransomware-as-a-service (RaaS) model, the cybercriminal group behind it has been known to demand ransoms of over $1 million. The gang recently garnered the attention of both the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), which released an advisory warning businesses and government agencies alike about the dangers of this ransomware variant and offering indicators of compromise, attack methods, and mitigation strategies.

Zeppelin is well known for leveraging the Windows Remote Desktop Protocol (RDP) as both an initial attack vector and a means of lateral movement – which makes the case that organizations a) still have RDP accessible from the Internet and b) leave RDP configured in a way that permits brute force attacks, where logon is attempted repeatedly without limit.

This is very concerning, but not surprising if you look at the latest data from Sophos in their Active Adversary Playbook 2022, which covers the cyberattack behaviors, tactics, and tools seen on the front line during their incident response engagements for customers. As part of their analysis of incidents, they highlighted just how prevalent RDP is in cyberattacks today. According to the report:

  • RDP plays a part in 83% of attacks
  • RDP is used for initial access in 13% of cases
  • RDP is used for lateral movement in 82% of cases

With an average dwell time (the amount of time an attacker remains in stealth within your network until the attack is detected) of 15 days, and organizations handing attackers RDP as an easy way to move laterally in 82% of attacks, it means that organizations are far too reliant on RDP and are way too focused on its ease of use and not the necessary security that should be surrounding any kind of remote access solution.

Mitigating Misuse of RDP

It should be evident by now that any built-in tool, service, or application that aids threat actors needs to be either disabled or made as secure as possible. Let’s break down the various scenarios RDP falls under and look at the mitigation steps you can take to stop Zeppelin or any other threat actor from misusing your remote access:

External Remote Access is Unintentional

It’s possible – although not probable – that an internal system is “accidentally” made accessible from the Internet. If so, this is bad… really bad. Assuming the access is unintentional, there are two mitigation strategies you should consider, and they are not mutually exclusive:

  • Reconfigure the misconfigured firewall – assuming the access is unintentional, the likely culprit is a far too generous firewall policy that needs to be locked down.
  • Disable RDP on that endpoint – for any internal system accessible externally that shouldn’t be, it’s possible that there isn’t a need for RDP on that system at all. If this is the case, kill RDP.

External Remote Access is (or was) Necessary

This is the most likely case: in the hurry to keep the organization productive during the mad rush to a hybrid workforce, many organizations simply made certain internal endpoints accessible from the Internet. If you enabled remote access for this purpose and no longer need it, see the Unintentional section above. If you still need it, there are a few mitigation strategies you need to employ:

  • Use a VPN first – if you must use RDP, don’t just make the internal endpoint accessible for RDP; instead, first, require a secure channel via VPN into the corporate network and then allow a remote connection to be made to the endpoint.
  • Eliminate RDP Entirely – Threat actors regularly scan every port on accessible Internet IP addresses for an expected RDP response (so just changing your port address isn’t going to help). Instead replace RDP with a secure remote access solution with better-integrated security controls, granular policies, and centralized management to ensure that any and all externally accessible remote access is as secure as possible.
  • Require Multi-Factor Authentication – You want to address two threat actions here. First, brute force attacks, where logon attempts are made repeatedly in an effort to find a valid set of credentials. Second, the misuse of compromised credentials, which are constantly sold on the dark web and hand threat actors ready-made access (often accompanied by a valid IP address with RDP exposed). By putting MFA in place, you eliminate the threat actor’s ability to log on with even valid credentials – but it’s necessary for your remote access solution (whether RDP or a third-party product) to support (and, frankly, require) MFA for all remote logons.
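The brute force pattern described above leaves a clear trail in the Windows Security log, so a quick check for it belongs next to the MFA decision. The following is an added example, not code from the original post or from RealVNC: it queries failed logons (event 4625) of the RemoteInteractive type (LogonType 10, i.e. RDP) on the host it runs on and reports source addresses that exceed a threshold. The look-back window and threshold values are illustrative assumptions.

```powershell
# Added example (not from the original post): find RDP password guessing in the
# local Security log. Event 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
# Run in an elevated PowerShell session on the RDP host.
#Requires -RunAsAdministrator

function Find-RdpBruteForce {
    param(
        [int]$Hours = 24,       # look-back window (assumed value)
        [int]$Threshold = 20    # failures from one source IP that warrant a look (assumed value)
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of parsing message text
            $field = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
            if ($field['LogonType'] -eq '10') {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    SourceIp = $field['IpAddress']
                    User     = $field['TargetUserName']
                    Status   = $field['Status']      # 0xC000006D = unknown user or bad password
                }
            }
        } |
        Group-Object SourceIp |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                SourceIp   = $_.Name
                Failures   = $_.Count
                UsersTried = ($_.Group.User | Sort-Object -Unique).Count   # many users = spraying
                FirstSeen  = ($_.Group.Time | Measure-Object -Minimum).Minimum
                LastSeen   = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        } |
        Sort-Object Failures -Descending
}

Find-RdpBruteForce | Format-Table -AutoSize
```

Caveat: when Network Level Authentication is enabled, RDP logons that fail before the session is established are frequently recorded with LogonType 3 rather than 10, so widen the LogonType check if the host uses NLA.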

Internal Remote Access is Necessary

It’s probably a safe assumption that at least IT needs to leverage RDP to remotely access servers and user endpoints, and there may be other specific use cases as well. But simply leaving RDP up and running with no additional security measures in place is what’s enabling threat actors to move laterally. While there are plenty of other tools that can be used to establish remote connections, only RDP inherently provides complete desktop access without needing to install another tool. There are a few things you can do to mitigate the risk RDP poses internally:

  • Segment the Network – Isolating which devices can be accessed via RDP is one way of limiting the exposure that a blanket default implementation of RDP poses. At a minimum, isolating those endpoints that are accessible externally via RDP from critical servers and resources (as much as possible) would be a great step.
  • Require MFA – threat actors may gain initial access via phishing and the installation of a remote access trojan but may rely on RDP internally to move laterally. Requiring MFA across the board would make RDP sessions impossible for those threat actors that only have a user/password credential pair.
  • Replace RDP – Consider putting a third-party remote access solution in place that includes additional security controls like MFA integration, policy-based access, limits to elevated privileges, and more.
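Both the Unintentional scenario (reconfigure the firewall or disable RDP outright) and the Segment the Network step above come down to the same handful of settings on each Windows endpoint. The following is an added example, not code from the original post or from RealVNC: it audits whether RDP is listening, whether NLA is required, and whether the built-in Remote Desktop firewall rules accept connections from any address, then offers one function to disable RDP and one to keep it but restrict it to a management subnet. The subnet value is a placeholder.

```powershell
# Added example (not from the original post): audit and lock down a Windows
# endpoint's RDP exposure. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 0 means RDP is listening; UserAuthentication = 1 means NLA is required
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication).UserAuthentication
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = ($addr -join ',') }
        }
    [pscustomobject]@{
        RdpEnabled    = ($deny -eq 0)
        NlaRequired   = ($nla -eq 1)
        # An enabled rule scoped to 'Any' is the blanket default the post warns about
        OpenToAnyHost = [bool]($rules | Where-Object { $_.RemoteAddress -eq 'Any' })
        FirewallRules = $rules
    }
}

function Disable-RdpAccess {
    # "External Remote Access is Unintentional": the system does not need RDP at all
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Limit-RdpAccess {
    # "Segment the Network": keep RDP, but only from the admin/jump-host subnet, with NLA on
    param([Parameter(Mandatory)][string[]]$ManagementSubnet)
    Set-ItemProperty -Path $TsKey  -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $ManagementSubnet
}

# Audit first; then pick ONE of the two actions for this endpoint.
Get-RdpExposure | Format-List
# Disable-RdpAccess
# Limit-RdpAccess -ManagementSubnet '10.10.50.0/24'   # placeholder subnet, not a real value
```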

Heed Zeppelin’s Warning About RDP

RDP itself isn’t bad; in fact, it’s a great tool that provides instant productivity to both internal and external users. It’s RDP’s misuse by threat actors that makes it necessary to augment your organization’s remote access strategy with elements that meet current cybersecurity requirements. And Zeppelin is a great example of how RDP has not only helped threat actors in the past but continues to do so with enough fervor that it warrants a warning from the FBI.

By considering the scenarios above, you can identify the fundamental next steps you can take to minimize the risk that your remote access needs (currently met by RDP) present to the organization. RDP may or may not continue to be your answer, but one thing is certain: you need to have the correct measures in place.

Nick Cavalancia MVP

Nick Cavalancia is a Microsoft Cloud and Datacenter MVP, has over 28 years of enterprise IT experience, is an accomplished consultant, speaker, trainer, writer, and columnist, and has achieved industry certifications including MCSE, MCT, Master CNE, and Master CNI. He has authored, co-authored and contributed to dozens of books on various technologies. Nick regularly speaks, writes and blogs for some of the most recognized tech companies today on topics including cybersecurity, cloud adoption, business continuity, and compliance.