RDP Increasingly Abused in Attacks: FBI
2.10.2018 securityweek

Cyberattacks leveraging the remote desktop protocol (RDP) have been on the rise for the past couple of years, fueled by the emergence of dark markets selling RDP access, the Federal Bureau of Investigation (FBI) warns.

Malicious actors have created new methods of identifying and exploiting vulnerable RDP sessions over the web and both businesses and private users should take steps to reduce the likelihood of compromise, a joint alert from the FBI and Department of Homeland Security (DHS) reads.

RDP provides users with the ability to control a remote machine over the Internet. While authentication with a username and password is required to establish a remote desktop connection, attackers can infiltrate such connections and inject malware onto the remote system.

Attacks that abuse RDP require no user interaction, and the intrusion is difficult to detect. By abusing RDP sessions, malicious actors can compromise identities, steal login credentials, and ransom other sensitive information, the alert reads.

To perform RDP attacks, hackers target weak passwords (those which contain dictionary words or lack a mixture of uppercase/lowercase letters, numbers, and special characters) and flaws in outdated versions of RDP, and they also abuse unrestricted access to the default RDP port (TCP 3389) and unlimited login attempts to a user account.

Some of the threats known to abuse RDP include the CrySIS ransomware (primarily targeting US businesses, it demands a payment in Bitcoin in exchange for a decryption key), CryptON ransomware (which allows actors to manually execute malicious programs on the compromised machine), and Samsam ransomware (which is estimated to have generated over $6 million in revenue to its operator).

“Threat actors buy and sell stolen RDP login credentials on the Dark Web. The value of credentials is determined by the location of the compromised machine, software utilized in the session, and any additional attributes that increase the usability of the stolen resources,” the FBI alert reads.

Because the use of RDP creates risk, given the ability to remotely control a system entirely, the FBI and DHS recommend closely regulating, monitoring, and controlling usage. This includes auditing networks for systems using RDP and disabling the service where it is not needed.

Businesses should also verify that cloud-based virtual machine instances with a public IP do not have open RDP ports unless needed, and should place systems with an open RDP port behind a firewall. Furthermore, they should require the use of a Virtual Private Network (VPN) for RDP access.

The use of strong passwords and account lockout policies should help defend against brute-force attacks, as should two-factor authentication. Keeping systems and software updated should eliminate vulnerabilities, while a good back-up strategy ensures that systems can be easily restored in case of an attack.

Organizations should also enable logging to capture RDP logins, adhere to the cloud provider's best practices for remote access when creating cloud-based virtual machines, and require that third parties follow internal policies on remote access.
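The alert's advice to log RDP logins, enforce lockout policies and watch for brute-force attempts only pays off if someone actually reads the logs. The following is an added example, not code from the FBI/DHS alert or from SecurityWeek: a small detector that replays Windows Security log events and flags a source that exceeds a failure threshold over RDP, and then flags any later successful RDP logon from that same source, which is the pattern behind the credential-theft and ransomware cases described above. Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the log lines are constructed sample data in a simplified key=value format, and the five-failures-in-ten-minutes threshold is a hypothetical policy value chosen to mirror a typical account lockout rule.

```python
"""
Added example (not from the FBI/DHS alert or the SecurityWeek article):
replay Windows Security log events and flag RDP brute-force activity plus
any success that follows it. Event IDs 4625/4624 and logon type 10 are real
Windows values; the log lines are constructed sample data and the threshold
and window are hypothetical policy values.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy: mirror an account-lockout rule of 5 failures in 10 minutes.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPE = "10"   # Windows logon type 10 = RemoteInteractive (RDP)


@dataclass
class Event:
    ts: datetime
    event_id: str
    user: str
    logon_type: str
    src_ip: str


def parse_line(line: str) -> Event:
    """Parse one constructed 'key=value' log line into an Event."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Event(
        ts=datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S"),
        event_id=fields["id"],
        user=fields["user"],
        logon_type=fields["type"],
        src_ip=fields["ip"],
    )


def detect(lines):
    """Return a list of (kind, src_ip, user, timestamp) alerts.

    kind is 'bruteforce' when one source reaches FAILURE_THRESHOLD RDP
    failures inside the sliding WINDOW, and 'success_after_bruteforce' when
    that same source later logs on successfully over RDP.
    """
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    flagged = set()                 # sources that already crossed the threshold
    alerts = []
    for ev in map(parse_line, lines):
        if ev.logon_type != RDP_LOGON_TYPE:
            continue   # only RemoteInteractive (RDP) logons are of interest here
        if ev.event_id == "4625":
            q = failures[ev.src_ip]
            q.append(ev.ts)
            while q and ev.ts - q[0] > WINDOW:
                q.popleft()   # drop failures that fell outside the window
            if len(q) >= FAILURE_THRESHOLD and ev.src_ip not in flagged:
                flagged.add(ev.src_ip)
                alerts.append(("bruteforce", ev.src_ip, ev.user, ev.ts))
        elif ev.event_id == "4624" and ev.src_ip in flagged:
            alerts.append(("success_after_bruteforce", ev.src_ip, ev.user, ev.ts))
    return alerts


# Constructed sample log: six RDP failures from one source within a minute,
# then an RDP success from the same source; one failure and one non-RDP
# (logon type 2, interactive) success from an unrelated source.
SAMPLE_LOG = [
    "ts=2018-10-02T03:00:01 id=4625 user=admin type=10 ip=203.0.113.5",
    "ts=2018-10-02T03:00:07 id=4625 user=admin type=10 ip=203.0.113.5",
    "ts=2018-10-02T03:00:12 id=4625 user=administrator type=10 ip=203.0.113.5",
    "ts=2018-10-02T03:00:19 id=4625 user=admin type=10 ip=203.0.113.5",
    "ts=2018-10-02T03:00:25 id=4625 user=backup type=10 ip=203.0.113.5",
    "ts=2018-10-02T03:00:31 id=4625 user=backup type=10 ip=203.0.113.5",
    "ts=2018-10-02T03:05:40 id=4624 user=backup type=10 ip=203.0.113.5",
    "ts=2018-10-02T03:06:00 id=4625 user=jsmith type=10 ip=198.51.100.9",
    "ts=2018-10-02T03:07:00 id=4624 user=jsmith type=2 ip=198.51.100.9",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the detector raises exactly two alerts: a brute-force alert for 203.0.113.5 on its fifth failure, and a success-after-brute-force alert when that source later authenticates as "backup". The second alert is the one worth paging on, since it indicates the guessed credentials worked; the first is the signal that the lockout policy recommended above should have already cut off.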

The FBI and DHS also recommend that businesses minimize network exposure for all control system devices and remove RDP from critical devices where possible, as well as regulate and limit external-to-internal RDP connections.