SharkFest'24 EU

Deep packet inspection analyses: Unveiling a shocking RDP Attack through unusual protocol combinations
11-06, 17:15–18:15 (Europe/Vienna), Palais Sachsen Coburg I-III

In September 2018, the Internet Crime Complaint Center (IC3), in collaboration with the Department of Homeland Security and the Federal Bureau of Investigation, warned of attackers exploiting legitimate tools like Remote Desktop Protocol (RDP) for malicious purposes. This presentation explores a recently discovered large-scale RDP Tunneling Attack that weaponized the mstshash cookie, a session management mechanism within RDP. The most intriguing aspect of this attack was the attacker's diverse use of protocols, including TCP, TLS, SSL, MEMCACHE, Socks, WOW, WOWW, MySQL, X11, MQTT, LISP, VICP, RSL, KDSP, ICAP, BitTorrent, CVSPSERVER, NDPS, PTP/IP, TPM, kNet, ECMP, and FF. This talk utilizes deep packet inspection (DPI) analysis to dissect this attack, revealing why seemingly unrelated protocols were chosen and emphasizing the attacker's strategy to bypass traditional security measures.


Presentation Outline:

(1) Introduction:

  • I will briefly explain Remote Desktop Protocol (RDP) and its importance and broad utilization on the Internet.
  • I will discuss the role of the mstshash cookie in RDP session management.
  • I will introduce the concept of RDP Tunneling Attacks and their potential dangers.

(2) Unveiling the Attack with Deep Packet Inspection (DPI):

  • I will analyze the attacker's use of common protocols, such as TCP, TLS and SSL for tunneling RDP traffic.
  • I will take a deep dive into the lesser-known and very diverse protocols (such as MEMCACHE, Socks, WOW, WOWW, MySQL, X11, MQTT, LISP, VICP, RSL, KDSP, ICAP, BitTorrent, CVSPSERVER, NDPS, PTP/IP, TPM, kNet, ECMP, and FF) used in the attack and their role in tunneling RDP.

(3) Why These Protocols? Identifying Shared Characteristics:

  • I will explore the common features of the chosen protocols that make them suitable for tunneling RDP traffic.
  • I will discuss how attackers exploit limitations of traditional port-based security measures by using this diverse protocol set.

(4) The Need for Broader Network Monitoring:

  • I will explain the limitations of focusing solely on RDP's standard port (3389).
  • I will emphasize the importance of DPI and comprehensive network monitoring to detect attacks hidden within other protocols.
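The following is an added illustration of the point made in sections (1) and (4), not code from the talk or its author: a port-agnostic check for the RDP X.224 Connection Request that carries the mstshash cookie, run over a handful of constructed flows. The header layout follows MS-RDPBCGR (TPKT, then X.224 CR with the cookie and an optional RDP Negotiation Request); the client addresses, the server ports (3389, 11211, 3306) and the usernames are constructed sample values, and `build_connection_request` is a test fixture, not a client implementation.

```python
"""Port-agnostic detection of RDP connection requests via the mstshash cookie.

Added example with constructed sample traffic; not captures from the talk.
"""
import re
import struct
from typing import Optional

# Layout per MS-RDPBCGR 2.2.1.1 (X.224 Connection Request PDU):
#   TPKT    : version(1)=3, reserved(1)=0, total length(2, big-endian)
#   X.224 CR: LI(1), code(1)=0xE0, dst-ref(2), src-ref(2), class(1),
#             then the optional "Cookie: mstshash=<user>\r\n" and an
#             optional 8-byte RDP Negotiation Request (type 0x01).
COOKIE_RE = re.compile(rb"Cookie: mstshash=([^\r\n]{1,255})\r\n")
NEG_PROTOCOLS = {0x1: "TLS", 0x2: "CredSSP", 0x4: "RDSTLS", 0x8: "CredSSP-EX"}


def parse_rdp_connection_request(payload: bytes) -> Optional[dict]:
    """Return cookie/negotiation details if payload is an X.224 CR with an
    mstshash cookie, else None. The TCP port is deliberately not consulted."""
    if len(payload) < 11 or payload[0] != 0x03 or payload[1] != 0x00:
        return None
    if struct.unpack("!H", payload[2:4])[0] != len(payload):
        return None
    li, code = payload[4], payload[5]
    if code != 0xE0 or 5 + li > len(payload):
        return None
    variable = payload[11:5 + li]          # bytes after the fixed CR fields
    m = COOKIE_RE.match(variable)          # cookie, when present, comes first
    if not m:
        return None
    result = {"user": m.group(1).decode("ascii", "replace"), "protocols": []}
    rest = variable[m.end():]
    # Negotiation request: type 0x01, flags, length 8 (LE), requestedProtocols (LE)
    if len(rest) >= 8 and rest[0] == 0x01 and struct.unpack("<H", rest[2:4])[0] == 8:
        bits = struct.unpack("<I", rest[4:8])[0]
        result["protocols"] = [n for b, n in NEG_PROTOCOLS.items() if bits & b] \
            or ["standard RDP security"]
    return result


def build_connection_request(user: str, requested: int = 0x3) -> bytes:
    """Constructed fixture: a well-formed X.224 CR carrying an mstshash cookie."""
    cookie = b"Cookie: mstshash=" + user.encode("ascii") + b"\r\n"
    neg = struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    x224 = bytes([6 + len(cookie) + len(neg), 0xE0, 0, 0, 0, 0, 0]) + cookie + neg
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224


# Constructed flows: (client address, server port, first client payload).
# Addresses, ports and usernames are sample values, not observed data.
FLOWS = [
    ("10.0.0.5", 3389, build_connection_request("helpdesk")),
    ("10.0.0.9", 11211, build_connection_request("admin")),       # memcache port
    ("10.0.0.9", 11211, b"get session:42\r\n"),                   # genuine memcache
    ("10.0.0.7", 3306, build_connection_request("svc-backup")),   # MySQL port
]


def port_based_alerts(flows):
    """What a port-only rule sees: everything on 3389, nothing else."""
    return [(client, port) for client, port, _ in flows if port == 3389]


def dpi_alerts(flows):
    """Port-agnostic: parse every first client payload for an RDP CR."""
    alerts = []
    for client, port, payload in flows:
        info = parse_rdp_connection_request(payload)
        if info:
            alerts.append((client, port, info["user"], info["protocols"]))
    return alerts


if __name__ == "__main__":
    print("port rule :", port_based_alerts(FLOWS))
    for alert in dpi_alerts(FLOWS):
        print("dpi       : %s -> port %d, mstshash=%r, requested=%s" % alert)
```

The port rule reports only the flow on 3389; the parser additionally flags the connection requests on the memcache and MySQL ports while leaving the genuine memcache command alone, which is the gap between port-based filtering and DPI that the talk describes. A production detector would apply the same parse to the first client segment of every TCP flow, after reassembly, rather than to a prebuilt list.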

(5) Conclusion:

  • I will recap key takeaways: the importance of minimal RDP library usage, dangers of RDP Tunneling Attacks, and the need for broader network monitoring.
  • I will conclude by emphasizing the critical need for vigilance against evolving attack methods and the importance of expanding network monitoring practices.

Target Audience:

This presentation is designed for security professionals, network administrators, and anyone interested in understanding advanced attack techniques and network security best practices - especially professionals interested in protocol security.

Michał Sołtysik is a Cybersecurity Consultant and Deep Packet Inspection Analyst specializing in network edge profiling and 0-day attacks (one of the most difficult to detect).
With a focus on IT, OT, and IoT areas, he has so far identified 254 protocols used for cyberattacks.
Michał is also a skilled Digital and Network Forensics Examiner, a CyberWarfare Organizer, and a SOC Trainer, enhancing his cybersecurity roles with a broad range of expert knowledge.
More information available at https://michalsoltysik.com/