Consumers and businesses are being warned about the increasing use of the Remote Desktop Protocol (RDP), the remote-administration protocol built into Windows, as an attack vector.
A joint warning from the US FBI and DHS says that RDP attacks have been on the rise since 2016, with attackers using internet-exposed RDP ports to take over machines, or hijacking RDP sessions and using them to drop malware onto the system being remotely accessed. In other cases, computers running an RDP service have been compromised after attackers used brute-force techniques to guess usernames and passwords.
The two agencies said the CrySiS, CryptON and SamSam ransomware families have all been spread through RDP attacks. CrySiS has mainly been used against US businesses that have computers with open RDP ports: attackers use brute-force and dictionary attacks to gain unauthorised remote access, then drop CrySiS onto the device and demand a ransom.
CryptON also relies on brute-forcing RDP credentials to gain access, after which the threat actor manually executes malicious programs on the compromised machine.
SamSam, which has been used in several recent high-profile attacks, uses brute-force attacks along with other methods, such as phishing, to gain entry to a network.
Cyber-criminals also put stolen RDP credentials up for sale on the Dark Web, enabling even less-skilled attackers to buy the access they need to launch these attacks.
"Even absent vulnerabilities in the RDP service itself, most RDP servers are configured to allow login using just a username and password. This places a huge burden on users to pick strong passwords that cannot be guessed, something that users are rarely able to do," said Ian Pratt, co-founder and president of Bromium.
The FBI and DHS recommendations for protecting systems include:
Enable strong passwords and account lockout policies to defend against brute-force attacks.
Apply two-factor authentication, where possible.
Apply system and software updates regularly.
Maintain a good back-up strategy.
Disable the service if unneeded or install available patches.
Enable logging and ensure logging mechanisms capture RDP logins.
Minimise network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
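The brute-force pattern the article describes (a run of failed RDP logons from one address, followed by a success) is only visible if logons are actually being captured, which is the point of the logging recommendation above. The Python below is an added example written for this page, not code from the FBI/DHS alert or from SC Magazine. It assumes the Windows Security log has already been exported to plain dictionaries (for instance by an EVTX-to-JSON pipeline); the field names are this example's own layout, and the sample log is constructed, not captured data.

```python
"""Flag RDP brute-force bursts and the successful logon that follows them.

Added example for this article, not code from the FBI/DHS alert or from
SC Magazine. Input records are assumed to be flattened Security-log events
with the field names used in _ev() below (an assumption of this example).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security event IDs and the logon type recorded for an RDP session.
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
LOGON_TYPE_REMOTE_INTERACTIVE = 10


def _ev(time, event_id, user, src_ip, logon_type=LOGON_TYPE_REMOTE_INTERACTIVE):
    """Build one flattened Security event record (this example's own layout)."""
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "user": user, "src_ip": src_ip}


# Constructed sample log, not captured data; external addresses come from the
# RFC 5737 documentation ranges, the LAN address from 10.0.0.0/8.
SAMPLE_EVENTS = [
    # Legitimate RDP session from the office LAN.
    _ev("2018-10-01T08:00:00", 4624, "jsmith", "10.0.0.5"),
    # Low-and-slow guessing from 192.0.2.9: five failures spread over 48 minutes.
    _ev("2018-10-01T08:05:00", 4625, "administrator", "192.0.2.9"),
    _ev("2018-10-01T08:17:00", 4625, "administrator", "192.0.2.9"),
    _ev("2018-10-01T08:29:00", 4625, "administrator", "192.0.2.9"),
    _ev("2018-10-01T08:41:00", 4625, "administrator", "192.0.2.9"),
    _ev("2018-10-01T08:53:00", 4625, "administrator", "192.0.2.9"),
    # Dictionary attack from 203.0.113.45: six failures in 90 seconds, then a hit.
    _ev("2018-10-01T09:00:00", 4625, "administrator", "203.0.113.45"),
    # The same attacker's failure as it is commonly logged when NLA is on
    # (logon type 3 rather than 10): ignored unless rdp_logon_types includes 3.
    _ev("2018-10-01T09:00:05", 4625, "administrator", "203.0.113.45", logon_type=3),
    _ev("2018-10-01T09:00:15", 4625, "admin", "203.0.113.45"),
    _ev("2018-10-01T09:00:30", 4625, "administrator", "203.0.113.45"),
    _ev("2018-10-01T09:00:45", 4625, "backup", "203.0.113.45"),
    _ev("2018-10-01T09:01:00", 4625, "administrator", "203.0.113.45"),
    _ev("2018-10-01T09:01:30", 4625, "administrator", "203.0.113.45"),
    _ev("2018-10-01T09:02:10", 4624, "administrator", "203.0.113.45"),
    # Remote worker mistyping a password twice, then getting in: below threshold.
    _ev("2018-10-01T09:30:00", 4625, "mlee", "198.51.100.7"),
    _ev("2018-10-01T09:30:20", 4625, "mlee", "198.51.100.7"),
    _ev("2018-10-01T09:30:40", 4624, "mlee", "198.51.100.7"),
]


def detect_rdp_bruteforce(events, threshold=5, window_minutes=5,
                          rdp_logon_types=(LOGON_TYPE_REMOTE_INTERACTIVE,)):
    """Return one alert per source IP that produced at least `threshold` failed
    RDP logons inside a sliding window of `window_minutes`. A successful RDP
    logon from that IP while the window is still tripped upgrades the alert to
    'possible_compromise' and records which account got in."""
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(deque)  # src_ip -> failure timestamps in window
    users_tried = defaultdict(set)        # src_ip -> account names attempted
    alerts = {}

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in rdp_logon_types:
            continue  # not an RDP logon under the chosen logon-type mapping
        ip = ev["src_ip"]
        ts = datetime.fromisoformat(ev["time"])
        failures = recent_failures[ip]
        while failures and ts - failures[0] > window:
            failures.popleft()  # expire failures that fell out of the window

        if ev["event_id"] == EVENT_LOGON_FAILED:
            failures.append(ts)
            users_tried[ip].add(ev["user"])
            if len(failures) >= threshold:
                alert = alerts.setdefault(ip, {
                    "src_ip": ip,
                    "severity": "brute_force",
                    "first_failure": failures[0].isoformat(),
                    "compromised_user": None,
                })
                alert["failures_in_window"] = len(failures)
                alert["last_failure"] = ts.isoformat()
                alert["users_tried"] = sorted(users_tried[ip])
        elif ev["event_id"] == EVENT_LOGON_SUCCESS:
            # A success while the failure window is still over threshold is the
            # pattern the article describes: guessed credentials, now in use.
            if ip in alerts and len(failures) >= threshold:
                alerts[ip]["severity"] = "possible_compromise"
                alerts[ip]["compromised_user"] = ev["user"]
                alerts[ip]["success_time"] = ts.isoformat()

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

With the defaults, only 203.0.113.45 is reported, as a possible compromise of the administrator account after six failures inside 90 seconds; the slow attacker at 192.0.2.9 only surfaces if the window is widened to an hour, and the remote worker's two typos never trip the threshold. Two caveats for real logs: when Network Level Authentication is enabled, failed RDP attempts are commonly recorded with logon type 3 rather than 10, so pass rdp_logon_types=(3, 10) and expect more noise from non-RDP network logons; and the distinct account names in users_tried separate a dictionary attack on one account from password spraying across many, which an account-lockout policy alone will not stop.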
* Originally published in scmagazine.com North America.