UK unis implement new IP traffic policies to combat ransomware

Jisc, the non-profit that supports the UK higher education and research community with shared digital infrastructure and services such as the Janet network, has announced that it will start blocking traffic originating from outside the UK from accessing the Remote Desktop Protocol (RDP) remote-access feature from 28 March 2023, to better protect its users from ransomware attacks.

The move follows a 2021 consultation with its users, and reflects the fact that 50% of major ransomware incidents experienced by UK higher education institutions in the past two years began when attackers exploited the RDP feature.

Going forward, said Jisc, inbound traffic to port 3389 – the default port used for RDP – that originates from outside the UK will be blocked, and only inbound traffic from UK IP addresses will be allowed to proceed. Currently, this blocking is possible via Jisc as an opt-in measure, but it will now be by default.

“The use of ransomware against our sector, and globally, has ramped up over the past couple of years, and some attacks against colleges and universities have been devastating,” said John Chapman, director of information security policy and governance at Jisc.

“Organisations can still opt out of restrictions to specific IP addresses if they wish to, but they must accept the greater risk of a serious cyber security incident. Controlling access to a known attack vector will help protect the sector as a whole against this type of attack.”

Originally developed by Microsoft, RDP is a supposedly-secure network communications protocol that is intended to help IT admins diagnose problems remotely, and let users access their physical work desktops from other devices.

This is done by deploying RDP client software to connect to the system or server running RDP server software, and open a socket on the desired system to accept authenticated inbound traffic through port 3389. The user can then access all their applications and files just as if they were physically present in the workplace.

Legitimate use of RDP soared in 2020 during the Covid-19 pandemic, as millions of people were forced to work from home by lockdown restrictions, a policy that for many organisations has stuck, even as life returns to a semblance of normality.

But if not secured properly, RDP is also an easy way for malicious actors to gain access to victim networks to conduct further cyber attacks, such as data theft and ransomware execution, while giving the appearance of being legitimate users.

This made RDP a very popular attack vector before 2020, but the impact of Covid-19 saw its use by ransomware cartels such as Ryuk and Sodinokibi rise dramatically.

There are a number of steps that defenders can take to ensure their organisation’s use of RDP is as secure as possible:

• Enabling automatic updates from Microsoft and prioritising patching if and when RDP vulnerabilities with known public exploits are disclosed.
• Improving password policy and mandating multifactor authentication (MFA).
• Implementing account lockout policies.
• Changing the default port away from 3389.
• Restricting use of RDP to an allow list of trusted IP addresses.
• Restricting inbound connections to systems running network level authentication (NLA) over transport layer security (TLS).
• Using “least privilege” policies to restrict what users can do via RDP.
• Use a VPN.
• Implementing monitoring of RDP traffic for potential indicators of compromise (IoCs), the use of an RDP gateway server can help make this easier.

The implementation of traffic management policies is one of three key principles added to Jisc’s wider cyber security policy earlier in 2022. The other two are the establishment of a collaboration and data-sharing working group to help higher education bodies benefit from safety in numbers, and changes to the remit of Jisc’s computer security incident response team (CSIRT), enabling it to conduct proactive scanning for vulnerabilities across the Janet network.