A system with Remote Desktop Protocol (RDP) exposed to the internet is, for all intents and purposes, an open invitation to cybercriminals. This protocol underlies Remote Desktop Connection (formerly known as Terminal Services Client) and has been part of various versions of Microsoft Windows for many years.
Before we dive into the details of the dangers involved, it’s important to note that RDP is used by many law firms for some very good reasons:
- A simple way for attorneys to access their case files stored in the firm’s document management system from home or on the road
- Doesn’t require configuration of a duplicate setup on the attorney’s laptop or home computer
- A remote-access method that directly controls the office machine, duplicating the experience the attorney is already familiar with
Ease and convenience for the attorneys are the dominant themes here. Unfortunately, making life easier for attorneys also makes creating havoc much easier for cybercriminals. RDP has had known vulnerabilities over the years, and a system with its RDP port (TCP 3389 by default) open to the internet can be compromised in a number of ways that don't require a skilled attacker to write any malicious code at all.
Black-market entrepreneurs scan internet address ranges looking for listening RDP services, guess or brute-force the passwords with off-the-shelf tools, then sell the working credentials on the dark web. Why break and enter when you can buy a key to the front door?
Open RDP = Open Opportunity
A firm fell prey to a ransomware attack because of an open RDP port. The attackers had bought a list of open RDP connections with working credentials, logged on and took control of the terminal server. That gave them the foothold they needed to deploy ransomware to multiple systems throughout the firm and encrypt all the data. This effectively brought the whole company down and cost an enormous amount of downtime and money.
The credentials used to infiltrate the company were those of an employee who had been terminated a year earlier. Had the firm practiced good hygiene and terminated the account, the entire episode might have been avoided.
Protecting Against the Inevitable
At SOCBOX, when we encounter a legal firm that has RDP ports open and exposed, the IT department is usually aware of the risk. They may mistakenly believe that their password policies, antivirus software and firewall will protect them. But none of those measures will stop what looks like normal behavior: a login with valid credentials, indistinguishable to the firewall and the antivirus from an attorney remotely accessing their own desktop.
We recognize that many law firms currently use RDP. The good news is that there are ways to make RDP safer. We recommend putting it behind a VPN, so that attorneys must first authenticate to the VPN before initiating the RDP session; the RDP port is then reachable only from the VPN, not from the internet. It does entail an extra step for attorneys, but the alternative may leave the entire network exposed. We also advise adding multi-factor authentication to the VPN connection, so that a stolen or guessed password alone is not enough to get in. In our experience, IT departments at legal firms are wary of measures that might overly inconvenience the attorneys, but the risk is too high to let convenience trump security best practices.
The second line of defense is monitoring the logs for anomalies and odd behaviors. Accounts logging in at odd hours or from unusual locations are worth looking into. The same account holding a console session at the office while a remote session is also active is a giveaway that the person on the remote connection is not who they claim to be.
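The heuristics above can be turned into a small triage rule over Windows Security event 4624 (an account was logged on), where logon type 10 is an RDP session and logon type 2 is a console session. The following is an added example, not a SOCBOX tool: it runs against a constructed list of events embedded in the script, and the business hours, office prefix, VPN address pool and four-hour overlap window are assumptions to adjust for your environment.

```powershell
# Added example: flag anomalous RDP logons from Security event 4624 records.
# The $Events list below is constructed sample data. On a real terminal
# server you would build the same objects from
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}
# reading LogonType and IpAddress out of each event's XML.

$BusinessHours = 7..19      # assumption: 07:00-19:59 local time is "normal"
$OfficePrefix  = '10.10.'   # assumption: office LAN address prefix
$VpnPrefix     = '10.8.'    # assumption: VPN client address pool prefix
$OverlapHours  = 4          # assumption: console and RDP logons this close overlap

# Constructed sample. LogonType 2 = interactive console, 10 = RemoteInteractive (RDP).
$Events = @(
    [pscustomobject]@{ Time=[datetime]'2024-03-12 09:05'; User='jsmith';          LogonType=2;  IpAddress='-' },
    [pscustomobject]@{ Time=[datetime]'2024-03-12 09:40'; User='jsmith';          LogonType=10; IpAddress='203.0.113.45' },
    [pscustomobject]@{ Time=[datetime]'2024-03-12 10:15'; User='aperez';          LogonType=10; IpAddress='10.8.0.23' },
    [pscustomobject]@{ Time=[datetime]'2024-03-13 02:37'; User='former.employee'; LogonType=10; IpAddress='198.51.100.9' },
    [pscustomobject]@{ Time=[datetime]'2024-03-13 08:02'; User='aperez';          LogonType=2;  IpAddress='-' }
)

function Find-RdpAnomalies {
    param([object[]]$Events)
    $findings = @()
    $rdpLogons = $Events | Where-Object LogonType -eq 10
    foreach ($e in $rdpLogons) {
        $reasons = @()

        # Odd time of day
        if ($BusinessHours -notcontains $e.Time.Hour) { $reasons += 'off-hours logon' }

        # Unusual location: RDP should only ever arrive via the VPN pool or the office LAN
        if (-not ($e.IpAddress.StartsWith($VpnPrefix) -or $e.IpAddress.StartsWith($OfficePrefix))) {
            $reasons += "source $($e.IpAddress) is outside VPN pool and office LAN"
        }

        # Same account has a console logon within the overlap window: someone is at
        # the desk while "they" are also remoting in
        $console = $Events | Where-Object {
            $_.User -eq $e.User -and $_.LogonType -eq 2 -and
            [math]::Abs(($_.Time - $e.Time).TotalHours) -le $OverlapHours
        }
        if ($console) { $reasons += 'console session active alongside RDP session' }

        if ($reasons) {
            $findings += [pscustomobject]@{
                Time = $e.Time; User = $e.User; IpAddress = $e.IpAddress
                Reasons = ($reasons -join '; ')
            }
        }
    }
    $findings
}

Find-RdpAnomalies -Events $Events | Format-Table -AutoSize
```

On the sample data this flags jsmith (console logon 35 minutes before an RDP logon from an internet address) and former.employee (02:37, from an internet address) while aperez, who came in through the VPN pool during business hours and whose console logon is the next day, is left alone. The stale-account angle from the ransomware case above is the next thing to add: any RDP logon by an account that is disabled, or that has been inactive for months, deserves the same scrutiny.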
RDP can be a very useful protocol and has its place. Disable it on machines that don't need it. Where it is needed, take the extra steps necessary to ensure that only authorized individuals, coming in by the route you expect, are allowed to use it.
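The two states described here, RDP off where it isn't needed and RDP reachable only through the VPN where it is, can both be set from an elevated PowerShell session on the host that accepts the connections. The script below is an added example, not a SOCBOX-supplied script: it assumes the VPN hands clients addresses in 10.8.0.0/24 (change it to match your VPN pool), that the built-in "Remote Desktop" firewall rule group exists (it does on current Windows client and server releases), and that the ActiveDirectory module is installed for the stale-account check.

```powershell
# Added example: lock RDP down on a Windows host. Run elevated.
# Assumption: VPN client address pool is 10.8.0.0/24.
$VpnSubnet = '10.8.0.0/24'
$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpKey = "$TsKey\WinStations\RDP-Tcp"

function Disable-Rdp {
    # Machines that never need RDP: tell the Terminal Services listener to
    # refuse connections and close the firewall rules for the service.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Enable-RdpBehindVpn {
    param([string]$AllowedSubnet = $VpnSubnet)
    # Machines that need RDP: allow it, but only from the VPN pool, so the
    # VPN (with its MFA) is the first authentication gate and TCP 3389 is
    # never reachable from the internet.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 0
    # Require Network Level Authentication: credentials are checked before a
    # desktop session is created, which cuts what a credential-guesser can touch.
    Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value 1
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AllowedSubnet
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Test-RdpExposure {
    # Report the current state. AllowedFrom = 'Any' means the listener is open
    # to every network the host sits on (and to the internet, if a NAT rule
    # forwards 3389 to it).
    $ts  = Get-ItemProperty -Path $TsKey
    $nla = Get-ItemProperty -Path $RdpTcpKey
    $scope = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
             Get-NetFirewallAddressFilter |
             Select-Object -ExpandProperty RemoteAddress -Unique
    [pscustomobject]@{
        RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
        NlaRequired = ($nla.UserAuthentication -eq 1)
        AllowedFrom = ($scope -join ', ')
    }
}

function Get-StaleEnabledAccounts {
    param([int]$InactiveDays = 90)   # assumption: 90 days of silence is stale
    # Accounts like the terminated employee's in the case above: still enabled,
    # but nobody legitimate has used them in months. Requires the AD module.
    Import-Module ActiveDirectory
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
        Where-Object Enabled |
        Select-Object SamAccountName, LastLogonDate
}

# Typical use on a terminal server that attorneys reach through the VPN:
#   Enable-RdpBehindVpn
#   Test-RdpExposure
#   Get-StaleEnabledAccounts
```

Test-RdpExposure is the check to run first and then periodically: RdpEnabled true with AllowedFrom of Any is exactly the configuration the brute-forcers are scanning for. Get-StaleEnabledAccounts finds accounts to disable; it does not disable them, because a human should confirm each one, but every name it returns is a credential that could already be for sale.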
SOCBOX provides cybersecurity for law firms along with a wide range of services, including consulting, compliance audits, penetration testing, and SOC-as-a-service. To learn more or schedule a consultation with one of our security engineers, contact us, email firstname.lastname@example.org, or call 877-284-7789.