Attackers' willingness to exploit almost any weakness is one of the biggest challenges facing law enforcement, and small businesses. The Federal Bureau of Investigation recently issued a public service announcement warning businesses and others about one such threat: criminals are exploiting Remote Desktop Protocol (RDP) to carry out malicious activity with increasing frequency.
According to the FBI, use of RDP as an attack vector has increased since mid to late 2016, driven in part by dark-web markets that sell RDP access. These actors have found ways to identify and break into RDP services exposed to the Internet.
For small businesses that use RDP to control home or office computers remotely, more vigilance is required, including strong passwords that are changed regularly.
In its announcement, the FBI warns, “Attacks using the RDP protocol do not require user input, making intrusions difficult to detect.”
What is Remote Desktop Protocol?
Designed for remote access and management, RDP is a proprietary Microsoft protocol that gives a user a graphical session on another machine over a network: the client sends keyboard and mouse input to the remote computer and receives its screen in return. It connects client users and devices to workstations, virtual desktops and Remote Desktop (terminal) servers.
Simply put, RDP lets you control a computer as if you were sitting in front of it, to manage its resources and access its data. This matters for small businesses that don’t use cloud computing and rely on computers or servers installed on premises.
This is not the first time RDP has presented security issues. Early versions were susceptible to man-in-the-middle attacks that could give an attacker unauthorized access to a session.
Between 2002 and 2017 Microsoft issued updates fixing 24 major vulnerabilities related to RDP. Current versions are more secure, but the FBI announcement points out that attackers still use the protocol as an attack vector, most often through weak credentials and exposed services rather than flaws in the protocol itself.
Remote Desktop Protocol Hacking: The Vulnerabilities
The FBI has identified several weaknesses, but it all starts with weak passwords.
The agency says that if a password is a dictionary word, or does not combine uppercase and lowercase letters, numbers and special characters, it is vulnerable to brute-force and dictionary attacks. Because an exposed RDP service can be reached by anyone on the Internet, that password is often the only thing standing between an attacker and a full desktop session.
Outdated RDP versions that use the Credential Security Support Provider protocol (CredSSP) also present a weakness. CredSSP is the authentication component that delegates the user’s credentials from the client to the target server for remote authentication. If the client or the server has not been patched, an attacker positioned between the two can potentially mount a man-in-the-middle attack against that exchange.
Other weaknesses include allowing unrestricted access to the default RDP port (TCP 3389) from the Internet, and allowing unlimited login attempts, which gives password-guessing tools all the time they need.
Remote Desktop Protocol Hacking: Threats
These are some examples of the threats as listed by the FBI:
CrySiS Ransomware: CrySiS ransomware primarily targets US businesses through open RDP ports, using brute-force and dictionary attacks to gain unauthorized remote access. Once in, the actors drop the ransomware onto the device and execute it, then demand payment in Bitcoin in exchange for a decryption key.
CryptON Ransomware: CryptON ransomware uses brute-force attacks to gain access to RDP sessions, after which the threat actor manually executes malicious programs on the compromised machine. The actors typically request Bitcoin in exchange for decryption instructions.
Samsam Ransomware: Samsam ransomware uses a wide range of exploits, including brute-force attacks against RDP-enabled machines. In July 2018, Samsam threat actors brute-forced RDP login credentials to infiltrate a healthcare company, and the ransomware encrypted thousands of machines before it was detected.
Dark Web Exchange: Threat actors buy and sell stolen RDP login credentials on the Dark Web. The price of a credential depends on the location of the compromised machine, the software available in the session, and any other attributes that make the stolen access more useful.
Remote Desktop Protocol Hacking: How Can You Protect Yourself?
It is important to remember that any form of remote access carries risk. And because an RDP session gives whoever holds the credentials full control of the system, you should closely regulate, monitor and manage who has access.
By implementing the following best practices, say the FBI and the U.S. Department of Homeland Security, you have a better chance against RDP-based attacks.
- Enable strong passwords and account lockout policies to defend against brute-force attacks.
- Use two-factor authentication.
- Apply system and software updates regularly.
- Have a reliable backup strategy with a strong recovery system.
- Enable logging and ensure the logging mechanisms capture Remote Desktop Protocol logins. Keep the logs for a minimum of 90 days, and review them to confirm that only authorized users are logging in.
The FBI’s announcement lists the rest of the recommendations.
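The last two items, account lockout and reviewing RDP logins, can be checked against the Windows Security log. Below is an added example (not code from the FBI announcement or from this article) that scans exported logon events for the brute-force pattern described above: many failed logons (event 4625) with RDP logon type 10 from one source address in a short window, followed by a successful logon (event 4624) from the same address. The one-line-per-event layout, the field order, the alert names and the sample events are all constructed for this example.

```python
"""Flag RDP brute-force activity in Windows Security log events.

Added example, not code from the FBI announcement. It expects records shaped
like Security events 4625 (failed logon) and 4624 (successful logon) exported
as one comma-separated line per event; the field order and the sample records
below are assumptions made for this example.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security event: an account failed to log on
SUCCESS_LOGON = 4624     # Windows Security event: an account was successfully logged on
RDP_LOGON_TYPES = {10}   # Logon Type 10 = RemoteInteractive (Terminal Services / RDP)

Event = namedtuple("Event", "time event_id logon_type account source_ip")
Alert = namedtuple("Alert", "kind source_ip account time failures")

# Constructed sample export (timestamp,event_id,logon_type,account,source_ip):
# six failures from one address against the administrator account, then a
# success from that same address, a clean login from elsewhere, and a local
# console failure (logon type 2) that the detector must ignore.
SAMPLE_LOG = """\
2018-09-27T02:10:01,4625,10,administrator,203.0.113.5
2018-09-27T02:10:05,4625,10,administrator,203.0.113.5
2018-09-27T02:10:09,4625,10,administrator,203.0.113.5
2018-09-27T02:10:14,4625,10,admin,203.0.113.5
2018-09-27T02:10:20,4625,10,administrator,203.0.113.5
2018-09-27T02:10:26,4625,10,administrator,203.0.113.5
2018-09-27T02:11:00,4624,10,administrator,203.0.113.5
2018-09-27T09:00:00,4624,10,jsmith,198.51.100.7
2018-09-27T09:05:00,4625,2,jsmith,127.0.0.1
"""


def parse_events(text):
    """Parse the comma-separated export into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source_ip = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), int(event_id),
                            int(logon_type), account.lower(), source_ip))
    return events


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for any source address with >= threshold RDP logon failures
    inside `window`, and for an RDP success from an address still over that threshold."""
    alerts = []
    failures = defaultdict(list)  # source_ip -> timestamps of its recent failures
    for ev in sorted(events, key=lambda e: e.time):
        if ev.logon_type not in RDP_LOGON_TYPES:
            continue  # console, service and other non-RDP logons are out of scope
        # Drop failures that have aged out of the sliding window for this address.
        recent = [t for t in failures[ev.source_ip] if ev.time - t <= window]
        failures[ev.source_ip] = recent
        if ev.event_id == FAILED_LOGON:
            recent.append(ev.time)
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                alerts.append(Alert("brute_force", ev.source_ip, ev.account,
                                    ev.time, len(recent)))
        elif ev.event_id == SUCCESS_LOGON and len(recent) >= threshold:
            # A success from an address that was just guessing passwords is a
            # likely compromise, not a user who finally typed the password right.
            alerts.append(Alert("success_after_brute_force", ev.source_ip,
                                ev.account, ev.time, len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(parse_events(SAMPLE_LOG)):
        print(f"{alert.time} {alert.kind}: {alert.account}@{alert.source_ip} "
              f"after {alert.failures} failures in the window")
```

Real events can be exported from a host with PowerShell, for example Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}, and mapped to the field order above. One caveat: on servers with Network Level Authentication enabled, failed RDP logons are commonly recorded with logon type 3 (network) rather than 10, so the failure side of RDP_LOGON_TYPES may need to include 3. The account lockout policy from the list is the preventive counterpart of the threshold used here; the review still matters because the lockout events themselves (event 4740) are a signal that someone is guessing.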
Data breaches make headlines regularly, and they happen to large organizations with seemingly unlimited resources. While it may seem impossible to protect a small business from every cyber threat, you can minimize risk and liability by putting the right protocols in place, with strict governance for everyone who has access.