The FBI’s Internet Crime Complaint Center (IC3) has issued a warning to companies concerning the misuse of distant administration tools such as Remote Desktop Procedure. The warning was prompted by a substantial increase in attacks and darknet marketplaces vending RDP access.
Remote Desktop Protocol was first launched into Windows in 1996 and has proven to be a valuable tool. It allows workers to connect to their office computer distantly and IT divisions to access computers to install software or provide help. When connected through RDP, it’s possible to gain access to the Desktop, convey mouse and keyboard commands, and distantly take complete control of a computer.
Obviously, RDP has been an attractive aim for hackers who use it to steal data, download malevolent software, fit backdoors, or even damage computers.
Every now and then, vulnerabilities are identified in RDP which can be abused by hackers, therefore it is important to make sure systems are completely patched and modern. Nevertheless, attacks happen by getting login identifications. This is typically achieved through brute force attacks to predict vulnerable passwords. Several possible password and username blends are tried until the right one is predicted.
Passwords can also be obtained via man-in-the-middle attacks, such as when workers login to their work computers through RDP on public WiFi hotspots. Several businesses leave RDP ports open and accessible over the Internet (port 3839 particularly) which makes it much easier for RDP to be hacked.
Latest attacks have seen cybercriminals gain access through RDP and steal data or install ransomware, with the latter particularly common. The threat actors behind SamSam ransomware mainly use RDP to gain access to business computers to install ransomware. This method has also been used to disperse ransomware variations such as CrySiS, ACCDFISA, CryptON, Rapid, Globelmposter, Brrr, Gamma, Monro and a lot more.
IC3 has advised all companies to carry out an audit to decide which appliances have RDP enabled, including cloud-based virtual machines, and to disable RDP if it’s not needed. If RDP is essential, strong passwords should be set, 2FA used, and rate limiting must be applied to obstruct IPs that have made too many failed attempts to log in. Patches must be applied quickly to make sure vulnerabilities cannot be abused.
Companies must make sure that the RDP connection is not open to the Internet and is only accessible through an internal network or using a VPN to contact it through the firewall. Obviously, strong passwords must also be used for the VPN and the latest type of VPN software used.
Since RDP is frequently used to install ransomware, it is vital to regularly back up data and to test standbys to make sure files can be recovered in the event of a tragedy.