Most cyber security news recently has focused on the revelation of Russian military intelligence service attacks, but there has been a recent announcement about cyber security practice to which organisations of all sizes including small businesses should be paying much greater attention.

On September 28th, the FBI and the US Department of Homeland Security issued a joint statement about the increasing risks of Remote Desktop Protocol (RDP) attacks. According to the two US agencies, the use of RDP as an attack vector or way into your systems has been steadily on the increase. They are warning individuals and organisations to put measures in place to protect themselves against this type of attack.

While the Register might have dismissed the advice as “The bleedin' obvious”, attacks of this kind have been on the increase since 2016. The FBI and USDHS cited a brute force attack - SamSam - on RDP credentials against a healthcare company earlier this year which left thousands of its machines encrypted before the attack was detected. The risks are real – and businesses would be well advised to take the necessary precautions.

Grant McGregor answers a few key questions, so you can find out everything you need to know about RDP attacks.

What is RDP?

Microsoft's Remote Desktop Protocol (RDP) allows you to connect to remote Windows based desktops or applications running on a Windows Server. To do this, the user employs RDP client software, while the other computer must run RDP server software.

How do attackers launch RDP attacks?

The University of California at Berkeley points out that if “any time Administrator access to a system is granted remotely there are risks”. These risks are greater if you are using weak passwords or outdated versions of RDP that allow so-called 'man-in-the-middle' attacks.

The number of malware instances which support RDP attacks is mushrooming. They include SamSam - as mentioned previously, CrySiS, a ransomware that targets businesses through open RDP ports, and CryptON, which uses brute force attacks to gain access to RDP sessions.

There is also a thriving market for cyber criminals buying and selling RDP login credentials over the dark web.

What is at risk through RDP attacks?

Attackers exploit vulnerable RDP sessions over the Internet. These types of attacks allow cyber attackers to gain unrestricted access to the default RDP port (3389). They can then steal login credentials, compromise identities, and steal or ransom data.

Why are RDP attacks growing in number?

As well as the growing number of exploits available for hackers to use on RDP vulnerabilities, RDP exploits are popular with attackers because intrusions are more difficult to detect. An attacker can control a computer over the Internet without requiring user input.

How can businesses protect themselves?

Security controls are vital to protect your business against RDP attacks. This includes ensuring that RDP versions are up to date and using strong passwords.

Wherever possible, disable the service if it is not needed. If the service is required, install all available patches regularly and enable account lockout policies.

As a quick checklist, Grant McGregor recommends:

• Minimise use – restrict access to and use of RDP where possible (for users and critical devices)
• Make it harder to access – with strong passwords and, better still, two-factor authentication
• Maintain updates or patching – to both systems and software
• Monitor activity – to ensure attackers aren’t targeting your business
• Minimise network exposure – so if attackers do get in, the damage they can wreak is limited
• Make good backups – a regular and proven backup strategy will facilitate recovery from data loss or unwanted encryption

What should businesses be monitoring with regards to RDP attacks?

You should be monitoring for brute-force activity in general, and this will be an important part of protecting yourself against RDP attacks, specifically against RDP port 3389. Experienced administrators may wish to change the port used for RDP as an extra layer of protection.

What extra protection do I need to take if I use cloud services?

The process for securing your virtual machines against RDP attacks is similar to the process of securing your physical machines. We recommend ensuring your virtual machines do not have open RDP ports, unless there is a compelling business reason. If you need open RDP ports, seek advice from your cloud provider about the best way to secure them.

What should I do if I suspect I have been victim of an RDP attack?

If your data or machines have been compromised, you may well need to revert to backups to restore services. If necessary, reach out to Grant McGregor for additional support and professional help to restore systems and services.

If data has been compromised, under GDPR you have a responsibility to report the fact to the Information Commissioner’s office. Do this swiftly so you don’t leave yourself open to later problems. The ICO can also offer helpful advice about how to protect your business data.

Unfortunately, the FBI and USDHS have left the onus very much on individuals and businesses to protect their own data, so if you need help securing RDP clients and ports within your organisation, please reach out for assistance from the Grant McGregor security team.

If you would like more information about how to secure your organisation against RDP attacks, contact the Grant McGregor security team on 0808 164 4142.

Photo by Pakata Goh on Unsplash