Cyber attackers are increasingly exploiting RDP, warns FBI

The use of RDP (remote desktop protocol) creates risk because it has the ability to control a computer remotely and usage should be closely regulated, monitored and controlled, say the FBI and US Department of Homeland Security.

Malicious cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions over the internet to compromise identities, steal login credentials and ransom data, the two US agencies said in a joint public service announcement.

The use of remote administration tools, such as RDP, as an attack vector has been on the rise since mid- to late 2016 with the rise of dark markets selling tools for RDP access.

RDP is increasingly popular with cyber attackers because it allows an individual to control the resources and data of a computer over the internet.

Cyber actors can infiltrate the connection between the machines and inject malware or ransomware into the remote system, and because attacks using RDP do not require user input, intrusions are hard to detect.

Vulnerabilities include weak passwords that allow attackers to initiate RDP connections, outdated versions of RDP with weak encryption mechanisms that enable man-in-the-middle attacks, allowing unrestricted access to the default RDP port (3389), and allowing unlimited login attempts to a user account.

Threats include ransomware such as CrySiS, which targets businesses through open RDP ports; CryptON, which uses brute-force attacks to gain access to RDP sessions; and Samsam, which uses a wide range of exploits, including ones attacking RDP-enabled machines, to perform brute-force attacks.

In July 2018, Samsam threat actors used a brute-force attack on RDP login credentials to infiltrate a healthcare company and encrypt thousands of machines before detection, the FBI/DHS alert said.

Threat actors are also known to buy and sell stolen RDP login credentials on the dark web, with the value of credentials being determined by the location of the compromised machine, software used in the session, and any additional attributes that increase the usability of the stolen resources.

In August 2018, researchers at security firm Cybereason reported that a honeypot designed to look like a power transmission substation of an electricity supplier was discovered within two days and prepared for sale as an asset on the dark web to another criminal entity using the tool xDedic RDP Patch.

The tool allows a victim and an attacker to use the same credentials to log in to a machine simultaneously using RDP, which would otherwise be impossible because of built-in security restrictions in the latest versions.

Daily RDP incidents skyrocketed in May, with attackers going for backups in most cases, according to a report on malicious activity in the second quarter of 2018 by security firm Rapid 7.

The report said there is a consistent level of activity with RDP in the second quarter with peaks of activity, such as one in May that saw more than one million probes.

“Monitoring for brute-force activity, suspicious multi-country authentication and multi-organisation authentication helps to identify this type of activity, and implementing multi-factor authentication and monitoring for leaked credentials can help organisations actively protect themselves from these threats,” the report said.

Understanding exposures is another critical aspect to combating the threats, the Rapid 7 report said, noting that externally exposed RDP – even for a short period of time – can have a devastating effect on an organisation, as was shown by several of the RDP-enabled ransomware attacks in the second quarter.

To protect against RDP-based attacks, the FBI and DHS recommend that businesses:

• Audit networks for systems using RDP for remote communication and disable the service if unneeded or install available patches.
• Verify that all cloud-based virtual machine instances with a public IP do not have open RDP ports, specifically port 3389, unless there is a valid business reason to do so.
• Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access it through the firewall.
• Enable strong passwords and account lockout policies to defend against brute-force attacks.
• Apply two-factor authentication where possible.
• Apply system and software updates regularly.
• Maintain a good back-up strategy.
• Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
• When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
• Ensure third parties that require RDP access are required to follow internal policies on remote access.
• Minimise network exposure for all control system devices and, where possible, disable RDP for critical devices.
• Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods, such as VPNs.