
Continuous Exploit of RDP Pushes FBI to Issue Warning to Potential Targets

Posted on the 29 October 2018 by Darkwebnews @darkwebnews

The Internet Crime Complaint Center (IC3), a department of the Federal Bureau of Investigation, recently released a statement alerting companies who do not regularly keep track of their Remote Desktop Protocol (RDP) to the high risk of potential cyberattacks.

Failing to maintain RDP security can leave endpoints exposed to the public internet, opening the door to an attack.

RDP is a proprietary protocol developed by Microsoft that is used to access a remote computer and interact with it as if the user were sitting at the machine itself.

That computer may be far away, hence the designation "remote."

The protocol is adopted by many companies for remote administration, but if left unsupervised, it could exponentially increase the company's attack surface.

The dramatic increase in RDP attacks has been made possible largely by hacker forums and markets on the dark web that sell RDP access to would-be cybercriminals.

RDP access is popular with criminals because it gives them control over the resources and data of a given computer over the internet.

In its alert, the FBI reported that RDP attacks have increased since late 2016 with the rise of darknet markets selling valuable access credentials.

One of those markets, a platform called xDedic, has gained attention in recent years for being a central hub for RDP access. The site has offered access to over 85,000 RDP servers.

xDedic was established four years ago using a domain on the clearnet. The domain went offline in 2016 following the release of a report from Kaspersky Lab about its dealings. But just a month later, xDedic reopened operations on the dark web.

Despite attempts to bring it down, xDedic has remained online to date and has prompted the emergence of many other online shops that hack into servers and sell the resulting RDP access.

Curbing these sites has become a hard nut to crack for law enforcement over the past few years and probably for the years to come as well.

The Extent of the Risk

Personal or small business operations that need to use RDP should use strong, long passwords that combine uppercase letters, lowercase letters, numbers and special characters.

In addition to this, changing the password regularly would be an added advantage.

This helps protect against brute-force attacks and other password-cracking tactics.

It is also important to update old versions of RDP: they may use weak encryption that allows man-in-the-middle attacks, leave the default entryway (port 3389) exposed, and allow unlimited login attempts against a user account.

The alert issued by IC3 further explained that for a successful remote connection, the local computer being accessed and the remote accessing computer must agree on the username and password.

Hackers can hijack the connection and insert a virus into the remote computer. Such intrusions are difficult to notice, since an attack over RDP does not require the user to enter any details.

Some of the tools used by hackers include Nmap, which scans for open ports on a specific IP address or an entire subnet; Hydra, a brute-force login cracker that supports many protocols; and MS12-020, which is used to check whether a host is vulnerable through RDP.

These are just a few of the tools in use.

According to an account on Reddit by one victim of this kind of attack, the hackers gained access through RDP port 3389 by guessing the password. They then entered the system, encrypted several files and demanded a ransom of $15,000 in Bitcoin.

Examples of Threats Listed by the FBI:

The CryptON ransomware obtains control of the RDP session through a brute-force attack.

This allows the cybercriminal to manually execute malicious programs on the compromised machine.

These programs usually encrypt the files on that computer, and the only way out of the predicament is to part with the money in order to obtain the decryption key.

The SamSam ransomware relies on weaknesses in Remote Desktop Protocol, Java-based web servers or File Transfer Protocol servers to gain entry to the victim's network.

This ransomware may use brute-force attacks to crack poorly secured passwords.

SamSam, like other ransomware, encrypts the files on the infected machine, and the only way out is to make a payment in Bitcoin or another cryptocurrency chosen by the attacker.

The Crysis ransomware is identified by the .java extension of all compromised files on the infected computer.

The victim's computer is infected manually through Remote Desktop Protocol: the hacker first gains access to the target computer and then infects the system.

This can be done by a brute-force attack on port 3389. This ransomware encrypts all files, even executable files, which some other ransomware leave untouched. The hacker asks for payment in Bitcoin in exchange for decryption instructions.

-----

It is of paramount importance to note that every time you access a computer remotely, there is some level of risk involved.

Bear in mind that RDP gives full control of the computer, so monitor access to the computer closely.

Recommendations to Prevent Hacking

The Department of Homeland Security (DHS) and the FBI offer the following recommendations to protect yourself against attacks through the Remote Desktop Protocol.

  • Audit your network for any system using RDP for communications. If the service is not needed, disable it or install the necessary patches, first confirming with the technology vendors that these patches will not affect the system's processes.
  • Port 3389 should not be open unless there are strong business reasons as to why it should be open. Any system with an open RDP port should be shielded by a firewall and users should use a Virtual Private Network (VPN) to access it.
  • Use strong passwords and employ lockout mechanisms to protect the system from brute-force attacks.
  • Two-factor authentication (2FA) should be used where necessary.
  • Perform updates often.
  • Always have a backup system.
  • Make sure every RDP login is logged. Logs should be retained for at least 90 days and reviewed to detect intrusion attempts.
  • External-to-internal RDP connections should be regulated and limited. Where it is absolutely necessary to reach internal resources from outside, secure methods such as VPNs should be used.
  • Critical devices should have their RDP connection disabled. Also, network exposure should be minimized for the control system devices.
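
The recommendations above call for lockout thresholds against brute force and for RDP logins to be logged and reviewed for intrusion attempts, and the Reddit account earlier in the article describes the pattern those reviews are meant to catch: many failed guesses followed by one successful logon. The following Python script is an added example, not code from the FBI alert or this article, showing what such a review looks like in practice. Event IDs 4624 (successful logon) and 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows Security audit values; the key=value log format and every address, account and timestamp in the sample are constructed for illustration.

```python
"""Flag RDP brute-force and password-guessing activity in Windows Security audit events.

Added example, not part of the FBI/IC3 alert or the article. The simplified
key=value export format below is an assumption of this example; real exports
(Get-WinEvent, a SIEM) carry the same fields under different formatting.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Real Windows Security event IDs and logon type for Remote Desktop sessions.
EVENT_LOGON_SUCCESS = 4624
EVENT_LOGON_FAILURE = 4625
LOGON_TYPE_RDP = 10  # RemoteInteractive (Terminal Services / Remote Desktop)

# Constructed sample export: one event per line. 203.0.113.7 hammers the
# administrator account and then succeeds; 198.51.100.9 is a user mistyping
# once; 192.0.2.25 fails repeatedly but over a network logon (type 3), not RDP.
SAMPLE_LOG = """\
2018-10-29T02:00:00 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2018-10-29T02:00:08 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2018-10-29T02:00:17 EventID=4625 LogonType=10 Account=admin Source=203.0.113.7
2018-10-29T02:00:25 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2018-10-29T02:00:33 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2018-10-29T02:00:41 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2018-10-29T02:01:02 EventID=4624 LogonType=10 Account=administrator Source=203.0.113.7
2018-10-29T08:15:10 EventID=4625 LogonType=10 Account=jsmith Source=198.51.100.9
2018-10-29T08:15:31 EventID=4624 LogonType=10 Account=jsmith Source=198.51.100.9
2018-10-29T09:00:00 EventID=4625 LogonType=3 Account=svc_backup Source=192.0.2.25
2018-10-29T09:00:05 EventID=4625 LogonType=3 Account=svc_backup Source=192.0.2.25
2018-10-29T09:00:10 EventID=4625 LogonType=3 Account=svc_backup Source=192.0.2.25
2018-10-29T09:00:15 EventID=4625 LogonType=3 Account=svc_backup Source=192.0.2.25
2018-10-29T09:00:20 EventID=4625 LogonType=3 Account=svc_backup Source=192.0.2.25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the export into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "account": m["acct"],
            "source": m["src"],
        })
    return events


def detect_rdp_attacks(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for sources whose RDP failures reach `threshold` inside `window`.

    A source is reported once as "brute_force" when its failures reach the
    threshold, and any RDP success from a source that still has that many
    failures in the window is reported as "success_after_failures" (a password
    that was guessed, not typed). `threshold` mirrors an account lockout policy.
    """
    recent = defaultdict(deque)  # source -> timestamps of recent RDP failures
    flagged = set()              # sources already reported for brute force
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != LOGON_TYPE_RDP:
            continue  # only RemoteInteractive logons are in scope here
        q = recent[ev["source"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # expire failures that fell out of the window
        if ev["event_id"] == EVENT_LOGON_FAILURE:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["source"] not in flagged:
                flagged.add(ev["source"])
                alerts.append({"type": "brute_force", "source": ev["source"],
                               "failures": len(q), "first": q[0], "last": ev["ts"]})
        elif ev["event_id"] == EVENT_LOGON_SUCCESS and len(q) >= threshold:
            alerts.append({"type": "success_after_failures", "source": ev["source"],
                           "account": ev["account"], "failures": len(q), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed sample, the script reports two alerts for 203.0.113.7 (the brute-force burst, then the successful logon that followed it) and nothing for the mistyped password or the non-RDP failures. The per-source queue rather than a per-account one is deliberate: spraying a few guesses across many accounts from one address still reaches the threshold, which is the case an account-level lockout policy alone does not catch.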
