The Internet Crime Complaint Center (IC3), in collaboration with the Department of Homeland Security and the FBI, has issued a security alert regarding attacks conducted over the Windows Remote Desktop Protocol (RDP). While the most publicized attacks over RDP involve ransomware, attackers also break into exposed RDP services for corporate theft, to install backdoors, or as a launching point for further attacks.

"Remote administration tools, such as Remote Desktop Protocol (RDP), as an attack vector has been on the rise since mid-late 2016 with the rise of dark markets selling RDP Access," stated the alert from US-Cert. "Malicious cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions over the Internet to compromise identities, steal login credentials, and ransom other sensitive information. The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) recommend businesses and private citizens review and understand what remote accesses their networks allow and take steps to reduce the likelihood of compromise, which may include disabling RDP if it is not needed."

If you are a reader of BleepingComputer, then you already know that attackers are using remote desktop services to remotely gain access to networks and computers on them.

Last year, we covered how the xDedic criminal marketplace was selling hacked remote desktop services accounts for as little as $6 USD per server. The sale of RDP accounts on criminal markets continues to this day.

RDP Servers being sold on xDedic marketplace

Shodan.io, a search engine for internet-connected devices, also shows that there are over 2 million computers running Remote Desktop and connected directly to the Internet. These servers are just waiting to be hacked.

Shodan listing of computers running RDP

We have also routinely covered how ransomware families such as CrySiS/Dharma, SamSam, BitPaymer, and CryptON infect entire networks by breaking into public-facing Remote Desktop servers over the Internet.

Because these attacks target entire networks, rather than an individual computer, and carry price tags of $3,000 - $5,000 USD to decrypt a single computer or upwards to $50,000 USD to decrypt an entire network, they tend to be highly publicized.

For example, the ransomware attacks at PGA of America, Port of San Diego, Atlanta, and numerous hospitals were all most likely executed through remote desktop servers being exposed on the Internet.

Therefore, it is very important that all organizations that use RDP properly protect these services.

Protecting Remote Desktop Servers

Using Remote Desktop Services can be an integral resource for companies, so we are not saying that it should not be used. What we are saying is that if you use RDP, you need to protect it!

Below we have outlined various steps that should be performed to protect remote desktop servers from being attacked.

Never expose RDP servers directly to the Internet

RDP servers should never be connected directly to the Internet. Instead, organizations should place RDP servers behind a VPN or firewall so that only permitted users can reach them.

Doing this also makes it harder for attackers to find the servers and mount brute-force attacks, in which they repeatedly attempt to log in to a server while guessing the password.

If you can, you should also change the TCP port for RDP from the default of 3389 to a non-standard one. This adds only a little security by obscurity to the mix of protection methods; it is not a substitute for keeping the server off the Internet.

Use strong passwords and multi-factor authentication

As Remote Desktop attacks are typically performed by attackers brute-forcing passwords until they guess the right one, it is important that all users have strong, complex passwords. This can be enforced using password policies in Windows.

Account Password Policies

To further increase protection, organizations should also look into adding multi-factor authentication to domain logins.

Enable account lockout policies

Brute-force attacks can generally be prevented by using account lockout policies. These policies temporarily block logins to an account after a set number of failed login attempts.

Account Lockout Policies

Because brute-force attacks rely on repeatedly attempting to log in to an account with different passwords, lockout policies stop them after the first few guesses.

Enable the auditing of account logins

By enabling account audit policies, administrators can see which accounts are receiving repeated failed login attempts. This allows admins to pinpoint accounts that may be targeted for attacks.

Advanced Audit Policies
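Once logon auditing is on, the insight the article describes comes from reviewing the failed-logon events the policy produces. The following is an added example, not code from the article or from IC3/US-CERT: a PowerShell script that summarizes event ID 4625 (an account failed to log on) from the Security log, listing the accounts with the most failures and the source addresses that are trying many accounts. The 24-hour window, the threshold of 20 failures and the "5 distinct accounts" spray cutoff are assumptions; adjust them for your environment. Save it as a .ps1 and run it from an elevated PowerShell on the RDP host.

```powershell
# Added example (not from the article): summarize failed logons (event ID 4625) after
# logon auditing has been enabled. Window and thresholds below are assumptions.
param(
    [int]$Hours     = 24,   # assumption: look back one day
    [int]$Threshold = 20    # assumption: failures per account/source that merit attention
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Read named fields from each event's XML rather than relying on positional Properties.
$rows = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $get  = { param($n) ($data | Where-Object Name -eq $n).'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = & $get 'TargetUserName'
        Domain    = & $get 'TargetDomainName'
        SourceIp  = & $get 'IpAddress'     # may be "-" when NLA rejects the attempt early
        LogonType = & $get 'LogonType'     # 10 = RemoteInteractive (RDP), 3 = Network (NLA pre-auth)
        Status    = & $get 'Status'        # 0xC000006D = bad user name or password
    }
}

"Failed logons in the last $Hours h: $(@($rows).Count)"

# Accounts with repeated failures: the article's "accounts that may be targeted".
$rows | Group-Object User | Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object @{n='Account'; e={$_.Name}}, Count |
    Format-Table -AutoSize

# Source addresses hammering one account or cycling through many (brute force / spray).
$rows | Group-Object SourceIp |
    Select-Object @{n='SourceIp'; e={$_.Name}}, Count,
                  @{n='DistinctAccounts'; e={ @($_.Group.User | Sort-Object -Unique).Count }} |
    Where-Object { $_.Count -ge $Threshold -or $_.DistinctAccounts -ge 5 } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Event 4625 is only written once the "Logon" audit subcategory records failures, so run this after the audit policy is in place; on a server that is already exposed, the first run usually shows whether a brute-force attempt is already under way.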

Install security updates

Finally, and not least in importance, update, update, update. I know it is hard for some companies to install security updates as soon as they come out, but they should be installed as soon as possible.
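The steps above can be applied together from one script. The following is an added example, not code from the article or from IC3/US-CERT: a PowerShell script that scopes the inbound RDP firewall rule to a management subnet, optionally moves the listener off port 3389, sets local password and lockout policy, enables logon auditing, and reports the newest installed update. The subnet 10.0.10.0/24, the port, the 14-character minimum, the 90-day maximum age, and the lockout values of 5 attempts and 30 minutes are assumptions; in a domain, set the password and lockout values in Group Policy rather than with net accounts. Run it from an elevated PowerShell on the RDP host.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): apply the article's RDP hardening steps on a
# Windows host. The subnet, port, password and lockout values are assumptions.

$ManagementSubnet = '10.0.10.0/24'   # assumption: only the VPN/jump-host range may reach RDP
$RdpPort          = 3389             # change to a non-standard port for the article's obscurity layer
$LockoutThreshold = 5                # assumption: failed attempts before lockout
$LockoutMinutes   = 30               # assumption: lockout duration and reset window

# 1. Never expose RDP to the Internet: disable the built-in "any source" rules and allow
#    the chosen port only from the management subnet, and only on non-public profiles.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP (management subnet only)' -Direction Inbound `
    -Protocol TCP -LocalPort $RdpPort -RemoteAddress $ManagementSubnet `
    -Profile Domain,Private -Action Allow | Out-Null

# 2. Optional: move the listener off 3389. Takes effect after the Remote Desktop
#    Services service (TermService) restarts; keep the firewall rule above in sync.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $RdpPort -Type DWord

# 3. Strong passwords and account lockout (local policy; use GPO in a domain).
net accounts /minpwlen:14 /maxpwage:90 /uniquepw:24
net accounts /lockoutthreshold:$LockoutThreshold /lockoutduration:$LockoutMinutes /lockoutwindow:$LockoutMinutes

# 4. Audit logons and lockouts so attempts are visible in the Security log:
#    "Logon" yields 4624/4625, "User Account Management" yields 4740 (account locked out).
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# 5. Updates: show the newest installed hotfix so a stale host stands out.
$latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
"Newest hotfix: {0} installed {1:d}" -f $latest.HotFixID, $latest.InstalledOn
```

Multi-factor authentication for domain logins, which the article also recommends, is configured in the identity provider or RD Gateway rather than on the host, so it is not part of this script. Verify the result with Get-NetFirewallRule -DisplayName 'RDP (management subnet only)' | Get-NetFirewallAddressFilter and net accounts before taking the server back into service.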
