Cisco’s research group Talos posted an interesting article that looks at exploitation through encrypted channels (Original article found HERE). I am asked often about this type of attack. In summary, the concern is that most organizations have a network IPS however, that IPS will not be able to see encrypted attacks. This means SSL decryption is required in order to evaluate traffic or the IPS will be blind.
My thoughts on this concern are to first think about the entire attack. Reputation security does not depend on SSL. It ranks the “trustworthiness” of a source and drops known malicious sources. For example, if
Any technology that evaluates which comes over the internet is not impacted by SSL. For example, scanning all files that are downloaded for malicious intent would not be impacted by SSL. Evaluating how the endpoints interact with the network and the Internet would not be impacted by SSL.
This means only the traffic between the endpoint and network is at risk of encrypted attacks. The best way to address this is to consider decryption options. Vendors such as F5, Radware and A10 offer appliances that can be dedicated for this task.
Here is the article from Talos ….
Microsoft recently released fixes for a critical pre-authentication remote code execution vulnerability in Remote Desktop Protocol Services (RDP). Identified as CVE-2019-0708 in May’s Patch Tuesday, the vulnerability caught the attention of researchers and the media due to the fact that it was “
Cisco Talos started reverse-engineering work immediately to determine how exactly RDP was vulnerable. Talos wrote and released coverage as soon as we were able to determine the vulnerability condition. SID 50137 for SNORT® correctly blocks exploitation of CVE-2019-0708 and scanning attempts that leverage this vulnerability.
This rule prevents exploitation of CVE-2019-0708 by blocking any RDP connection that attempts to use the “MS_T120” virtual channel. The RDP protocol defines virtual channels that can be used to transfer
Since RDP servers are not aware of which virtual channels the
Client –> Connection Request –> Server
Client <– Connection Confirm <– Server
— Optionally switch transport to TLS —
Client –> MCS connect-initial –> Server
Client <– MCS connect-response <– Server
It is possible to specify in the RDP connection request that the
While the aforementioned Snort rule can help protect against BlueKeep, it is still possible for attackers to carry out an encrypted attack — essentially sneaking past users and remaining undetected. Unless
The following is a guide to set up RDP decryption on Cisco Firepower. This guide specifically applies to Windows Server 2008 instances (
*Note this procedure requires an inline Firepower device that supports SSL decryption. For more information,
Steps for RDP Decryption
1. Determine the certificate used by the RDP server
In Windows Server 2008, TLS certificates for RDP are configured in “Remote Desktop Session Host Configuration.”
See the full article at https://blog.talosintelligence.com/2019/05/firepower-encrypted-rdp-detection.html to learn how to setup Cisco Firepower