A lot of cyber security news of late has focused on the revelation of Russian military intelligence service attacks, but there has been a recent announcement about cyber security practice to which organisations of all sizes, including small businesses, should be paying more attention.
On September 28th, the FBI and the US Department of Homeland Security issued a joint statement about the increasing risks of Remote Desktop Protocol (RDP) attacks. According to the two US agencies, the use of RDP as an attack vector or way into your systems has been steadily on the increase. They are warning individuals and organisations to put measures in place to protect themselves against this type of attack.
The Register might have dismissed the advice as “The bleedin’ obvious”, but attacks of this kind have been on the increase since 2016. The FBI and USDHS cited a brute force attack – SamSam – on RDP credentials against a large healthcare organisation earlier this year which left thousands of its machines encrypted before the attack was detected. The risks are real – and businesses would be well advised to take the necessary precautions.
Euro Business Solutions answers a few key questions below to cover what you need to know about RDP attacks.
What is RDP?
Microsoft’s Remote Desktop Protocol (RDP) allows you to connect to remote Windows-based desktops or to applications running on a Windows Server. To do this, the user employs RDP client software, while the remote computer must run RDP server software.
How do attackers launch RDP attacks?
The University of California at Berkeley points out that “any time Administrator access to a system is granted remotely there are risks”. These risks are greater if you are using weak passwords or outdated versions of RDP that allow so-called ‘man-in-the-middle’ attacks.
Many malware strains are delivered through RDP attacks. They include SamSam, mentioned above; CrySiS, a ransomware that targets businesses through open RDP ports; and CryptON, which uses brute force attacks to gain access to RDP sessions.
The market for cyber criminals buying and selling RDP login credentials over the dark web is thriving and growing, which is why the security of your systems should be a priority.
What is at risk through RDP attacks?
Attackers exploit vulnerable RDP sessions exposed to the Internet. These attacks give them unrestricted access through the default RDP port (3389), from which they can steal login credentials, compromise identities, and steal or ransom data.
Why are RDP attacks growing in number?
Beyond the growing number of exploits available for RDP vulnerabilities, RDP attacks are popular with attackers because the resulting intrusions are harder to detect: an attacker can control a computer over the Internet without requiring any user input.
How can businesses protect themselves?
Having the correct security controls in place is crucial to protecting your business against RDP attacks. This includes keeping RDP versions up to date and using strong passwords.
Wherever possible, disable the service if it's not needed. If the service is required, install all available patches regularly and enable account lockout policies.
As a quick checklist, we recommend:
• Minimise use – restrict access to and use of RDP where possible (for users and critical devices)
• Make it harder to access – with strong passwords and, better still, two-factor authentication
• Maintain updates or patching – to both systems and software
• Monitor activity – to ensure attackers aren’t targeting your business
• Minimise network exposure – so if attackers do get in, the damage they can wreak is limited
• Make good backups – a regular and proven backup strategy will facilitate recovery from data loss or unwanted encryption
What should businesses be monitoring with regards to RDP attacks?
Monitoring for brute-force activity in general, and specifically for brute-force attempts against RDP port 3389, is an important part of protecting yourself against RDP attacks. Experienced administrators may wish to change the port used for RDP as an extra layer of protection.
What extra protection do I need to take if I use cloud services?
The process for securing your virtual machines against RDP attacks is similar to the process of securing your physical machines. We recommend you ensure your virtual machines do not have open RDP ports, unless there is a compelling business reason. If you need open RDP ports, seek advice from your cloud provider about the best way to secure them.
What should I do if I suspect I have been victim of an RDP attack?
If your data or machines have been compromised, you may well need to revert to backups to restore services. If necessary, reach out to us for additional support and professional help to restore systems and services.
Unfortunately, the FBI and USDHS have left the onus very much on individuals and businesses to protect their own data, so if you need help securing RDP clients and ports within your organisation, please reach out for assistance from us.
If you would like more information about how to secure your organisation against RDP attacks, contact the team.