Cyber attackers are increasingly exploiting RDP, warns FBI
Posted by Thang Le Toan on 29 September 2018 02:30 AM
Businesses should act to reduce the likelihood of compromise by cyber attackers exploiting the remote desktop protocol, warns the FBI
The use of RDP (remote desktop protocol) creates risk because it has the ability to control a computer remotely and usage should be closely regulated, monitored and controlled, say the FBI and US Department of Homeland Security.
Malicious cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions over the internet to compromise identities, steal login credentials and ransom data, the two US agencies said in a joint public service announcement.
The use of remote administration tools, such as RDP, as an attack vector has been on the rise since mid- to late 2016 with the rise of dark markets selling tools for RDP access.
RDP is increasingly popular with cyber attackers because it allows an individual to control the resources and data of a computer over the internet.
Cyber actors can infiltrate the connection between the machines and inject malware or ransomware into the remote system, and because attacks using RDP do not require user input, intrusions are hard to detect.
Vulnerabilities include weak passwords that allow attackers to initiate RDP connections, outdated versions of RDP with weak encryption mechanisms that enable man-in-the-middle attacks, allowing unrestricted access to the default RDP port (3389), and allowing unlimited login attempts to a user account.
Threats include ransomware such as CrySiS, which targets businesses through open RDP ports; CryptON, which uses brute-force attacks to gain access to RDP sessions; and Samsam, which uses a wide range of exploits, including ones attacking RDP-enabled machines, to perform brute-force attacks.
In July 2018, Samsam threat actors used a brute-force attack on RDP login credentials to infiltrate a healthcare company and encrypt thousands of machines before detection, the FBI/DHS alert said.
Threat actors are also known to buy and sell stolen RDP login credentials on the dark web, with the value of credentials being determined by the location of the compromised machine, software used in the session, and any additional attributes that increase the usability of the stolen resources.
In August 2018, researchers at security firm Cybereason reported that a honeypot designed to look like a power transmission substation of an electricity supplier was discovered within two days and prepared for sale as an asset on the dark web to another criminal entity using the tool xDedic RDP Patch.
The tool allows a victim and an attacker to use the same credentials to log in to a machine simultaneously using RDP, which would otherwise be impossible because of built-in security restrictions in the latest versions.
Daily RDP incidents skyrocketed in May, with attackers going for backups in most cases, according to a report on malicious activity in the second quarter of 2018 by security firm Rapid 7.
The report said there is a consistent level of activity with RDP in the second quarter with peaks of activity, such as one in May that saw more than one million probes.
“Monitoring for brute-force activity, suspicious multi-country authentication and multi-organisation authentication helps to identify this type of activity, and implementing multi-factor authentication and monitoring for leaked credentials can help organisations actively protect themselves from these threats,” the report said.
Understanding exposures is another critical aspect to combating the threats, the Rapid 7 report said, noting that externally exposed RDP – even for a short period of time – can have a devastating effect on an organisation, as was shown by several of the RDP-enabled ransomware attacks in the second quarter.
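As an added illustration of the brute-force monitoring the Rapid7 report recommends (example code written for this page, not from the FBI/DHS announcement or from Rapid7): a small Python detector run over constructed Windows Security log lines. Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the one-line export format, the IP addresses, the user names and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events flattened to one line each.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP. Not real data.
SAMPLE_EVENTS = """\
2018-09-28T02:30:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2018-09-28T02:30:02Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2018-09-28T02:30:03Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45
2018-09-28T02:30:04Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2018-09-28T02:30:05Z EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.45
2018-09-28T02:30:06Z EventID=4624 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45
2018-09-28T02:30:07Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2018-09-28T02:45:00Z EventID=4625 LogonType=3 TargetUserName=svc IpAddress=198.51.100.7
"""

LINE_RE = re.compile(r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)")


def parse_events(text):
    """Yield (timestamp, event_id, logon_type, user, ip) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, int(m["eid"]), int(m["lt"]), m["user"], m["ip"]


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failed RDP logons inside `window`.

    For each flagged IP the alert records the failure count and, if a later RDP
    success (4624) arrives from the same IP, the account that was logged into:
    that is the pattern of a guessed password rather than a mistyped one.
    """
    failures = defaultdict(list)   # ip -> timestamps of failed RDP logons in window
    alerts = {}
    for ts, eid, lt, user, ip in parse_events(text):
        if lt != 10:               # ignore non-RDP logon types (network, service, ...)
            continue
        if eid == 4625:
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold:
                alerts.setdefault(ip, {"success_after": None})["failures"] = len(recent)
        elif eid == 4624 and ip in alerts:
            alerts[ip]["success_after"] = user
    return alerts
```

Run against the sample, the detector flags 203.0.113.45 for five failures followed by a successful RDP logon as "backup", while the single failure from 198.51.100.7 stays below the threshold.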
To protect against RDP-based attacks, the FBI and DHS recommend that businesses: