The FBI’s Internet Crime Complaint Center (IC3) has issued a warning to businesses about the abuse of remote administration tools such as Remote Desktop Protocol. The warning was prompted by a significant rise in attacks and darknet marketplaces selling RDP access.
Remote Desktop Protocol was first introduced into Windows in 1996 and has proven to be a valuable tool. It allows employees to connect to their office computer remotely and IT departments to access computers to install software or provide support. Once connected through RDP, it is possible to access the desktop, transmit mouse and keyboard commands, and take full control of the computer remotely.
Unsurprisingly, RDP has been an attractive target for hackers who use it to steal data, download malicious software, install backdoors, or even sabotage computers.
Every now and then, vulnerabilities are identified in RDP that can be exploited by hackers, so it is important to ensure systems are fully patched and up to date. In practice, however, attacks succeed by obtaining login credentials. This is usually achieved through brute force attacks that guess weak passwords: many username and password combinations are attempted until the correct one is found.
Passwords can also be obtained through man-in-the-middle attacks, such as when employees log in to their work computers via RDP on public WiFi hotspots. Many companies also leave RDP ports open and accessible over the Internet (port 3389 especially), which makes RDP much easier to attack.
Recent attacks have seen cybercriminals gain access via RDP and steal data or install ransomware, with the latter especially common. The threat actors behind SamSam ransomware primarily use RDP to gain access to business computers and install their ransomware. The same tactic has been used to spread ransomware variants such as CrySiS, ACCDFISA, CryptON, Rapid, GlobeImposter, Brrr, Gamma, Monro and many more.
IC3 has advised all businesses to conduct an audit to determine which devices have RDP enabled, including cloud-based virtual machines, and to disable RDP if it is not required. If RDP is necessary, strong passwords must be set, 2FA used, and rate limiting applied to block IP addresses that have made too many unsuccessful login attempts. Patches should be applied promptly to ensure vulnerabilities cannot be exploited.
Businesses should make sure that the RDP connection is not open to the Internet and is only accessible through an internal network or using a VPN to access it through the firewall. Naturally, strong passwords should also be used for the VPN and the latest version of VPN software used.
Since RDP is often used to install ransomware, it is essential to regularly back up data and to test backups to make sure files can be recovered in the event of disaster.
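As an added example (not part of the IC3 advisory or this article), the following PowerShell audits a single Windows host against the points above: whether RDP is enabled, whether Network Level Authentication is required, which port the listener uses, how far the firewall exposes it, what the account lockout policy is, and which source addresses have produced failed RDP logons recently. The registry values, firewall rule group and event ID are standard Windows ones; the 24-hour window and the "top 5" cut-off are assumed choices.

```powershell
# Added example: audit one Windows host for the RDP settings the advisory calls out.
# Run in an elevated PowerShell session. Read-only unless the last two lines are uncommented.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means incoming connections are refused.
$rdpEnabled  = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
# 2. Is Network Level Authentication required? UserAuthentication = 1 means yes.
$nlaRequired = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1
# 3. Which port does the listener use? The default is 3389.
$port        = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

# 4. Firewall reach: RemoteAddress 'Any' on the built-in "Remote Desktop" rules means
#    the listener is reachable from every network, not just the internal one or the VPN.
$fwScopes = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique

# 5. Local account lockout policy (the rate limiting the advisory asks for). 'Never' = no lockout.
$lockout = (net accounts) -match 'Lockout'

# 6. Failed logons in the last 24 h (assumed window): event 4625 with Logon Type 10
#    (RemoteInteractive), grouped by source address. Note: with NLA enabled, failures
#    before the session starts are logged as Logon Type 3; widen the filter if needed.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [xml]$x = $_.ToXml(); $d = $x.Event.EventData.Data
        [pscustomobject]@{
            Type = ($d | Where-Object Name -eq 'LogonType').'#text'
            Src  = ($d | Where-Object Name -eq 'IpAddress').'#text'
        }
    } |
    Where-Object Type -eq '10' | Group-Object Src | Sort-Object Count -Descending

[pscustomobject]@{
    RdpEnabled      = $rdpEnabled
    NlaRequired     = $nlaRequired
    ListenerPort    = $port
    FirewallScopes  = ($fwScopes -join ', ')
    LockoutPolicy   = ($lockout -join '; ')
    FailedRdpLogons = ($failed | Select-Object -First 5 | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
}

# If RDP is not needed on this host, disable it (the advisory's first recommendation):
# Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
# Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
```

A host that reports RdpEnabled true, FirewallScopes 'Any' and a lockout threshold of 'Never' matches the exposed configuration the advisory warns about.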