It’s no secret that Microsoft’s Remote Desktop Services (RDS) software is a natural target for hackers. The same remote access that the popular program gives to clients also piques the interest of would-be attackers.
That also makes fixing a bug in the software a good opportunity for both ends of the cybersecurity profession — offensive and defensive — to collaborate. One RDS discovery in particular prompted close, behind-the-scenes cooperation between Microsoft and an outside researcher. They will share what they learned about detection and remediation next week at the Black Hat conference in Las Vegas.
“This attack was very hard to detect,” recalled Dana Baril, a security software engineer at Microsoft. “The behavior didn’t stand out as unusual for the user.” A hacker exploiting the bug would be making network connections that looked a lot like whatever a normal person might do with RDS.
Baril had received a report through Microsoft’s bug bounty program. She reached out to Eyal Itkin, a researcher at Check Point Software Technologies who found the vulnerability. Itkin’s forte is slicing through systems to help companies improve them.
As researchers find new ways of abusing RDS and the machines connecting through it, Microsoft is on alert to develop mitigations. Defenders like Baril aren’t short for work. The revelation in May of BlueKeep — a serious, “wormable” vulnerability comparable to the flaw that the 2017 WannaCry ransomware exploited — was a rude reminder of the danger.
This RDS vulnerability was different. Unlike other flaws that allow an attacker to target new machines through the Remote Desktop Protocol itself, this scenario sees a hacker move through an organization by infecting a computer running RDS and then waiting for privileged users to connect to that computer before starting the attack.
Itkin figured out that an attacker — through the clipboard function that allows people to copy and paste data over an RDP connection — could use a malicious server to drop arbitrary files on the client’s computer. After a malicious script is dispatched on a computer’s startup folder and the machine is rebooted, the script executes.
The two Israeli cybersecurity specialists, who hadn’t previously met, got to work on addressing the issue from their respective areas of expertise. While Microsoft developed a patch for the vulnerability, Baril used the Windows Event Log, a program that lets app developers track bugs and trace logs, to build a detection tool for the attack.
“I wanted to create a solution before people installed the patch,” Baril said. “I want to be able to defend users who were vulnerable to this vulnerability.”
There is no evidence that the vulnerability has been exploited in the wild, and Microsoft issued a patch for it last month.
The nature of the attack on RDS – the act of spreading through an organization by infecting privileged users who connect to a computer that is already compromised – should get more attention, Itkin said. Such “lazy lateral movement” is a “promising attack vector,” he added.
“Our research shows that additional security attention should be focused on checking the clients instead of only focusing on servers of popular software,” Itkin said.