Attacks that use Microsoft’s Remote Desktop Protocol (RDP) to remotely access computers for nefarious purposes aren’t new, but the FBI’s Internet Crime Complaint Center (IC3) has now put out a warning that businesses and consumers should secure their computers to prevent a rise in RDP's abuse.
The protocol is a neat tool for attackers since RDP access can give control of someone else’s mouse, display and keyboard. And because of this it’s handy for legitimate uses within enterprise networks and on some home systems, some of which aren't behind a firewall.
The IC3 today warned that attacks relying on RDP, by way of weak passwords, outdated versions of RDP, or open RDP ports, have been on the rise since 2016. It points to ransomware strains like Crysis, CryptON, and Samsam, each of which employed RDP in some fashion to set the stage for a ransom demand.
Crysis hit US businesses via open RDP ports by scanning for the default RDP port TCP 3389. Crypton used password attacks to access RDP sessions, while Samsam brute-forced RDP login credentials to attack large US clinical lab, LabCorp.
The other threat IC3 notes are dark web forums where criminals can buy already compromised RDP login credentials.
But cybercriminals aren’t the only one’s employing RDP in their attacks. The Department of Homeland Security’s US-CERT in March detailed a cunning attack by suspected Russian government hackers against critical infrastructure providers.
The advanced hackers first created local administrator accounts using compromised credentials, then opened port 3389, and later used RDP sessions to create additional accounts for further access on a target’s Exchange Server. The attacks specifically aimed at organizations where multi-factor authentication was not used.
The other way attackers could maliciously use RDP is via vulnerabilities in the protocol. As security firm Rapid7 recently noted, Microsoft has patched 24 RDP-related vulnerabilities since 2002, some of them remote code execution flaws.
An internet-wide scan Rapid7 conducted last year found 11 million open 3389/TCP endpoints, of which 4.1 million were using the protocol. It also found that most of the IP addresses with exposed endpoints were coming from major cloud providers, such as Amazon, Alibaba, and Microsoft. These were most likely cloud users who’d set up VMs for remote access.
“The use of RDP creates risk. Because RDP has the ability to remotely control a system entirely, usage should be closely regulated, monitored, and controlled,” IC3 warned.
IC3 suggested taking five key steps, including an audit for use of RDP on networks, checking that VMs in the cloud don’t have port 3389 open, ensuring strong passwords to prevent brute-force attacks, and setting up two-factor authentication.
Additional measures include implanting a solid back-up strategy, logging RDP logins, killing RDP access for critical devices, and limiting external-to-internal RDP connections.