Cyber Actors Exploit Remote Desktop Protocol to Conduct Malicious Activity
Malicious cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions over the Internet to compromise identities, steal login credentials, and ransom other sensitive information.
What is Remote Desktop Protocol (RDP) ?
This is a network protocol that allows an individual to control the resources and data of a computer over the Internet. This protocol provides complete control over the desktop of a remote machine by transmitting input such as mouse movements and keystrokes and sending back a graphical user interface.
In order for a remote desktop connection to be established, the local and remote machines need to authenticate via a username and password. Cyber attackers can infiltrate the connection between the machines and inject malware or ransomware into the remote system. Attacks using the RDP protocol do not require user input, making intrusions difficult to detect.
- Weak passwords.
- Outdated versions of RDP may use flawed CredSSP, the encrytion mechaism, thus enabling a potential man in the middle attack.
- Allowing unrestricted access to the default RDP port.
- Allowing unlimited login attempts to a user account.
Examples of threats:
- CrySiS Ransomware – primarily targets US businesses through open RDP ports, using both brute-force and dictionary attacks to gain unauthorized remote access.
- CryptON Randsomware – CryptON ransomware utilizes brute-force attacks to gain access to RDP sessions, then allows a threat actor to manually execute malicious programs on the compromised machine.
- SamSam Randsomware – Samsam ransomware uses a wide range of exploits, including ones attacking RDP-enabled machines, to perform brute-force attacks.
- Dark Web Exchange – Threat actors buy and sell stolen RDP login credentials on the Dark Web.
Suggestions for protection:
- Audit your network for systems using RDP for remote communication.
- ​Verify all cloud-based virtual machine instances with a public IP and do not have open RDP ports, specifically port 3389, unless there is a valid business reason to do so.
- Place any system with an open RDP port behind a firewall and require users to use a Virtual Private Network (VPN) to access it through the firewall.
- Enable strong passwords and account lockout policies.
- When possible use two-factor authentication.
- Apply system and software updates regularly.
- Maintain a good backup state.
- Enable and ensure logging mechansims capture RDP logins.
- Ensure third parties that require RDP access are required to follow internal policies on remote access.
- Minimize network exposure for all the control system devices. Critical devices should not have RDP enabled.
- Regulate and limit external to internal RDP connections.
Make sure all users are aware of this, trained in response and know to not open suspicious attachments. Here at COMP-Connection, Inc. we pledge to keep you protected and informed about the latest issues. Your peace of mind is our number one priority.