The FBI and DHS issued a joint warning to consumers and businesses on the increasing use of the Remote Desktop Protocol (RDP) administration tool as an attack vector.
The notice said RDP attacks have been on the rise since 2016, with attackers using open RDP ports to take over machines or intercepting RDP sessions and injecting various types of malware into the system being remotely accessed. In other cases, computers running RDP software have been victimized when attackers used brute-force techniques to obtain usernames and passwords.
The two law enforcement agencies said CrySiS, CryptON and SamSam ransomware have all been spread through RDP attacks. CrySiS has mainly been used against U.S. businesses that have computers with open RDP ports. Here, attackers use brute-force and dictionary attacks to gain unauthorized remote access; CrySiS is then dropped onto the device and a ransom is demanded.
CryptON also uses the brute-force method to gain access to RDP sessions, after which the threat actor manually executes malicious programs on the compromised machine.
SamSam, which has been used in several recent high-profile attacks, uses brute-force attacks along with other methods, such as phishing, to gain entry into a computer.
Cybercriminals also place stolen RDP credentials for sale on the Dark Web, enabling even less-skilled attackers to buy the information needed to launch these attacks.
“Even absent vulnerabilities in the RDP service itself, most RDP servers are configured to allow login using just a username and password. This places a huge burden on users to pick strong passwords that cannot be guessed, something that users are rarely able to do,” said Ian Pratt, co-founder and president of Bromium.
FBI and DHS recommendations to protect a system included:
- Enable strong passwords and account lockout policies to defend against brute-force attacks.
- Apply two-factor authentication, where possible.
- Apply system and software updates regularly.
- Maintain a good back-up strategy.
- Disable the service if unneeded or install available patches.
- Enable logging and ensure logging mechanisms capture RDP logins.
- Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
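The recommendation to capture RDP logins in logs is only useful if someone looks at them. The following is an added example (not part of the FBI/DHS notice, and not tooling from any vendor named above) of a small detector that reads exported Windows Security events and flags the brute-force pattern the notice describes: many failed RemoteInteractive (RDP) logons from one source address in a short window, and whether a successful logon from the same source followed. The event records are constructed sample data with an assumed field layout (`time`, `event_id`, `logon_type`, `user`, `src_ip`); Event ID 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive. The threshold and window values are assumptions to be tuned per environment.

```python
"""Flag RDP brute-force patterns in exported Windows Security events.

Added example, not from the FBI/DHS notice. Assumes events were exported
into dicts with the fields shown below.
  Event ID 4625 = failed logon, 4624 = successful logon
  LogonType 10  = RemoteInteractive (RDP)
On hosts with Network Level Authentication enabled, failed RDP
pre-authentication is commonly logged as LogonType 3 instead, so the set
of logon types to inspect is a parameter.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, event_id, logon_type, user, src_ip):
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "user": user, "src_ip": src_ip}


# Constructed sample events (not real log data). Addresses are from
# documentation ranges (RFC 5737).
SAMPLE_EVENTS = [
    # 203.0.113.5: six failures in under a minute across three accounts,
    # then a successful RDP logon as "backup".
    _ev("2018-09-27T10:00:01", 4625, 10, "admin", "203.0.113.5"),
    _ev("2018-09-27T10:00:08", 4625, 10, "admin", "203.0.113.5"),
    _ev("2018-09-27T10:00:15", 4625, 10, "administrator", "203.0.113.5"),
    _ev("2018-09-27T10:00:22", 4625, 10, "administrator", "203.0.113.5"),
    _ev("2018-09-27T10:00:30", 4625, 10, "backup", "203.0.113.5"),
    _ev("2018-09-27T10:00:37", 4625, 10, "backup", "203.0.113.5"),
    _ev("2018-09-27T10:00:45", 4624, 10, "backup", "203.0.113.5"),
    # 198.51.100.20: two typos by a legitimate user, then success.
    _ev("2018-09-27T10:05:00", 4625, 10, "jsmith", "198.51.100.20"),
    _ev("2018-09-27T10:05:20", 4625, 10, "jsmith", "198.51.100.20"),
    _ev("2018-09-27T10:05:40", 4624, 10, "jsmith", "198.51.100.20"),
    # 192.0.2.77: five failures, but spread over 90 minutes, so no burst.
    _ev("2018-09-27T09:00:00", 4625, 10, "svc", "192.0.2.77"),
    _ev("2018-09-27T09:20:00", 4625, 10, "svc", "192.0.2.77"),
    _ev("2018-09-27T09:40:00", 4625, 10, "svc", "192.0.2.77"),
    _ev("2018-09-27T10:10:00", 4625, 10, "svc", "192.0.2.77"),
    _ev("2018-09-27T10:30:00", 4625, 10, "svc", "192.0.2.77"),
    # A non-RDP (network, type 3) failure that the default filter ignores.
    _ev("2018-09-27T10:00:50", 4625, 3, "admin", "203.0.113.5"),
]


def _peak_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    peak = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5),
                          rdp_logon_types=frozenset({10})):
    """Return {src_ip: summary} for sources whose failed RDP logons reach
    `threshold` within any `window`-long span."""
    failures = defaultdict(list)   # src_ip -> [(time, user)]
    successes = defaultdict(list)  # src_ip -> [time]
    for ev in events:
        if ev["logon_type"] not in rdp_logon_types:
            continue
        t = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4625:
            failures[ev["src_ip"]].append((t, ev["user"]))
        elif ev["event_id"] == 4624:
            successes[ev["src_ip"]].append(t)

    alerts = {}
    for ip, fails in failures.items():
        peak = _peak_in_window([t for t, _ in fails], window)
        if peak < threshold:
            continue
        first_failure = min(t for t, _ in fails)
        alerts[ip] = {
            "peak_failures_in_window": peak,
            "total_failures": len(fails),
            "usernames": sorted({u for _, u in fails}),
            # A success after the burst is the case worth escalating first.
            "followed_by_success": any(t > first_failure
                                       for t in successes.get(ip, [])),
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

Run against the sample data, only 203.0.113.5 is reported: the legitimate user's two typos stay under the threshold, and the slow trickle from 192.0.2.77 never puts five failures inside one five-minute window. The `followed_by_success` flag is what turns a noisy alert into an incident, since a success after a burst of guesses against several accounts means a credential was likely guessed and the host should be treated as compromised rather than merely probed.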