Beyond the RDP vulnerability, additional Microsoft Windows zero-days are also out there that can be used against enterprises to give attackers full control of the affected system. The RDP vulnerability had the potential to be used in a WannaCry-like worm.
Core Points to Keep in Mind:
- Patching, and not exposing these services on Internet-facing machines at all, is the best general mitigation. If that is not possible, configure firewalls to allow connections ONLY from specific trusted machines. If even that is not possible, restricting connections to these machines to trusted networks, or blocking known-bad networks (or entire countries, such as those on ITAR/OFAC sanctions lists), provides some protection if your firewalls are configured to apply such policies.
- To exploit these vulnerabilities, especially ones like the RDP bug, attackers first have to scan for vulnerable machines, and that scanning typically comes from already well-known malicious infrastructure. Having external firewalls block those IPs, and update quickly as attackers shift infrastructure, keeps attackers from learning that you are vulnerable, so they don’t know to attack you.
- If attackers do exploit a vulnerable service, they will then want to “do something,” such as download malware to control the machine or install additional malware. This usually means the infected machine calls out to a remote host to fetch the next stage, and that call-out almost always involves a DNS lookup. Configuring your DNS resolvers to block queries for known malware-download domains stops the next stage of the attack from succeeding, even on machines you can’t modify, such as IoT devices.
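As an added worked example (not ThreatSTOP's code or any product's), the three layers above are expressed as small checks in Python over constructed data: an allowlist on the RDP port, scanner detection from firewall log lines, and a DNS blocklist with RPZ-style subdomain matching rendered as BIND response-policy-zone records. All addresses, domains, log lines, the log format and the scan threshold are constructed assumptions, not values from the page.

```python
"""Layered checks for an exposed service such as RDP: a source allowlist on
the service port, scanner detection from firewall logs, and DNS blocking of
known malware-download domains. Added example, not ThreatSTOP's code; every
address, domain and log line below is constructed for illustration."""
import ipaddress
import re
from collections import defaultdict

RDP_PORT = 3389

# Constructed trusted sources: one jump host and one admin VPN range.
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.5/32"),
                   ipaddress.ip_network("10.10.0.0/24")]


def rdp_allowed(src_ip: str, dst_port: int) -> bool:
    """Layer 1: RDP (3389/tcp) is reachable only from trusted sources.
    Other ports are not decided by this rule, so they pass through (True)."""
    if dst_port != RDP_PORT:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in TRUSTED_SOURCES)


# Constructed firewall log lines in a simple syslog-like format (assumed).
FIREWALL_LOG = """\
2019-05-20T10:00:01 DROP TCP 198.51.100.7:51234 -> 203.0.113.10:3389
2019-05-20T10:00:01 DROP TCP 198.51.100.7:51235 -> 203.0.113.11:3389
2019-05-20T10:00:02 DROP TCP 198.51.100.7:51236 -> 203.0.113.12:3389
2019-05-20T10:00:02 DROP TCP 198.51.100.7:51237 -> 203.0.113.13:3389
2019-05-20T10:00:03 DROP TCP 198.51.100.7:51238 -> 203.0.113.14:3389
2019-05-20T10:00:05 ALLOW TCP 10.0.0.5:40000 -> 203.0.113.10:3389
2019-05-20T10:00:07 DROP TCP 192.0.2.9:6000 -> 203.0.113.10:3389
"""
LOG_RE = re.compile(r"^\S+ (ALLOW|DROP) TCP (\S+):\d+ -> (\S+):(\d+)$")


def find_scanners(log_text: str, port: int = RDP_PORT, min_targets: int = 3) -> set:
    """Layer 2: a source that probes `port` on at least `min_targets` distinct
    hosts is sweeping for vulnerable machines; return those sources so the
    perimeter firewall can block them before they learn what is exposed."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue          # skip lines that are not in the assumed format
        _action, src, dst, dport = m.groups()
        if int(dport) == port:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}


# Constructed blocklist of malware-download / C2 domains. RPZ semantics:
# a listed name blocks itself and every name beneath it.
DNS_BLOCKLIST = {"malware-downloader.example", "c2.example.net"}


def dns_query_blocked(qname: str, blocklist=DNS_BLOCKLIST) -> bool:
    """Layer 3: refuse resolution of a listed name or any subdomain of it,
    ignoring case and a trailing dot."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def rpz_zone(blocklist=DNS_BLOCKLIST) -> str:
    """Render the blocklist as BIND response-policy-zone records (names are
    relative to the RPZ zone's $ORIGIN). 'CNAME .' is the RPZ NXDOMAIN action;
    the '*.' wildcard record covers every subdomain."""
    lines = []
    for name in sorted(blocklist):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return "\n".join(lines)


if __name__ == "__main__":
    print("scanners to block:", sorted(find_scanners(FIREWALL_LOG)))
    print("RDP from 198.51.100.7 allowed:", rdp_allowed("198.51.100.7", 3389))
    print("query www.malware-downloader.example blocked:",
          dns_query_blocked("www.malware-downloader.example"))
    print(rpz_zone())
```

Run as a script it prints the scanner set, the allowlist decision and the generated RPZ records. The scan threshold (`min_targets`) is the usual trade-off: too low and a single mistyped connection gets a source blocked, too high and a slow sweep goes unnoticed, so in practice it is tuned against the firewall's real log volume.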
ThreatSTOP's IP Defense updates your firewalls automatically and quickly to block malicious infrastructure. Our DNS Defense can automatically update your DNS servers to block malware downloaders and command and control, even if your machines get infected. All of this works without modifying your existing equipment and can protect equipment you can’t change, like IoT and embedded devices.