FBI: RDP attacks are still on the rise

Credit: ID 88022555 © Bakalavar | Dreamstime.com

Attacks that use Microsoft’s Remote Desktop Protocol (RDP) to remotely access computers for nefarious purposes aren’t new, but the FBI’s Internet Crime Complaint Center (IC3) has now put out a warning that businesses and consumers should secure their computers to prevent a rise in RDP's abuse. 

The protocol is a neat tool for attackers since RDP access can give control of someone else’s mouse, display and keyboard. And because of this it’s handy for legitimate uses within enterprise networks and on some home systems, some of which aren't behind a firewall.  

The IC3 today warned that attacks relying on RDP, by way of weak passwords, outdated versions of RDP, or open RDP ports, have been on the rise since 2016. It points to ransomware strains like Crysis, CryptON, and Samsam, each of which employed RDP in some fashion to set the stage for a ransom demand. 

Crysis hit US businesses via open RDP ports by scanning for the default RDP port TCP 3389. Crypton used password attacks to access RDP sessions, while Samsam brute-forced RDP login credentials to attack large US clinical lab, LabCorp

The other threat IC3 notes are dark web forums where criminals can buy already compromised RDP login credentials. 

But cybercriminals aren’t the only one’s employing RDP in their attacks. The Department of Homeland Security’s US-CERT in March detailed a cunning attack by suspected Russian government hackers against critical infrastructure providers. 

The advanced hackers first created local administrator accounts using compromised credentials, then opened port 3389, and later used RDP sessions to create additional accounts for further access on a target’s Exchange Server. The attacks specifically aimed at organizations where multi-factor authentication was not used.     

The other way attackers could maliciously use RDP is via vulnerabilities in the protocol. As security firm Rapid7 recently noted, Microsoft has patched 24 RDP-related vulnerabilities since 2002, some of them remote code execution flaws. 

An internet-wide scan Rapid7 conducted last year found 11 million open 3389/TCP endpoints, of which 4.1 million were using the protocol. It also found that most of the IP addresses with exposed endpoints were coming from major cloud providers, such as Amazon, Alibaba, and Microsoft. These were most likely cloud users who’d set up VMs for remote access.  

Read more: Microsoft goes password-free for Azure AD sign-in

“The use of RDP creates risk. Because RDP has the ability to remotely control a system entirely, usage should be closely regulated, monitored, and controlled,” IC3 warned. 

IC3 suggested taking five key steps, including an audit for use of RDP on networks, checking that VMs in the cloud don’t have port 3389 open, ensuring strong passwords to prevent brute-force attacks, and setting up two-factor authentication. 

Additional measures include implanting a solid back-up strategy, logging RDP logins, killing RDP access for critical devices, and limiting external-to-internal RDP connections. 

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
CSO WANTED
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags MicrosoftransomwarefbiIC3RDP

More about AmazonFBIMicrosoftRapid7

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts