Continually monitoring the cyber threat landscape is an essential part of effective cyber risk mitigation. Threats are constantly changing, so you need to stay up to date on what’s going on in the digital world.
Just last month, the FBI unit that receives reports of cyber crime, the Internet Crime Complaint Center (IC3), issued a warning about attackers increasingly exploiting exposed RDP (Remote Desktop Protocol) endpoints as a way into computer systems. The warning encourages organizations to make sure their RDP endpoints are secured.
What is RDP?
RDP, the Remote Desktop Protocol, is Microsoft's protocol for logging in to a Windows computer over the network and working with its desktop through the normal graphical interface, as if you were sitting at the keyboard. Microsoft has shipped it for roughly two decades, and by default the service listens on TCP port 3389.
The idea of a "remote desktop" is that you can see and control your computer's desktop from any machine with a network connection. That has made the technology invaluable: a user can log in to a work computer from a home PC, or pull up files from another computer while at a conference or meeting. Historically this kind of access was mostly limited to system administrators, the people most likely to need it while working "in the field".
FBI warning highlights how widely RDP is exposed.
The FBI warning draws attention to the fact that more and more computers are being left with RDP reachable directly from the internet, where attackers can find and target them. The problem has grown over the last two years, and several security companies have reported the same trend.
For instance, Rapid7 recently reported that the number of internet-facing RDP endpoints had grown by almost 2 million over an eighteen-month span. The same report pointed to 24 significant RDP vulnerabilities that Microsoft has identified and fixed through patches and updates; those fixes only protect machines that actually install them.
If this data is available to the general public, you can be sure it has also caught the attention of attackers looking for an opening they can use.
How do hackers attack an RDP connection?
Attackers scan the internet for machines with RDP exposed (by default, TCP port 3389) and then try to log in, typically by guessing weak or reused passwords or by using credentials stolen elsewhere. Once they have a valid session they can move through the network, steal data, or plant malware. One of the more damaging outcomes seen through exposed RDP connections has been ransomware.
Once the attackers have that foothold, they can spread the ransomware across the network until it effectively shuts down the entire company. (Specifically, the following ransomware families have been linked to RDP intrusions: Apocalypse, BitPaymer, CryptOn, Horsuke, LockCrypt, RSAUtil, SamSam, Scarabey, and SynAck, among several others.) The network's data is then encrypted, and the attackers will not release the decryption key (or access to the computers) until the ransom is paid, usually in Bitcoin.
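The password guessing described above leaves a trail in the Windows Security log: a burst of failed logons (event 4625) from one source address, often against several account names, followed by a success (event 4624) from the same address when a guess lands. The script below is an added example, not code from the IC3 warning or from the original article. The event records are constructed to mirror the fields of 4625/4624 events; the detection threshold and window are assumed values a defender would tune for their own environment.

```python
"""Spot RDP password guessing in Windows Security events.

Added example, not from the IC3 advisory or the original article. The event
records below are constructed to mirror the fields of the Security log's
4625 (failed logon) and 4624 (successful logon) events. Logon Type 10 is
RemoteInteractive, i.e. classic RDP; when Network Level Authentication is on,
a rejected RDP credential is logged as a 4625 with Logon Type 3 instead, so
both types are treated as RDP-relevant here.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real log data).
EVENTS = [
    # One source guesses three accounts within a few minutes, then gets in.
    {"time": "2018-10-02T01:00:05", "id": 4625, "logon_type": 10, "user": "Administrator", "src": "203.0.113.7"},
    {"time": "2018-10-02T01:00:41", "id": 4625, "logon_type": 10, "user": "Administrator", "src": "203.0.113.7"},
    {"time": "2018-10-02T01:01:12", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2018-10-02T01:01:50", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2018-10-02T01:02:33", "id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"time": "2018-10-02T01:03:09", "id": 4625, "logon_type": 10, "user": "Administrator", "src": "203.0.113.7"},
    {"time": "2018-10-02T01:04:20", "id": 4624, "logon_type": 10, "user": "Administrator", "src": "203.0.113.7"},
    # A slow guesser spreads five failures over two hours (NLA, so type 3).
    {"time": "2018-10-02T02:00:00", "id": 4625, "logon_type": 3, "user": "Administrator", "src": "192.0.2.9"},
    {"time": "2018-10-02T02:30:00", "id": 4625, "logon_type": 3, "user": "Administrator", "src": "192.0.2.9"},
    {"time": "2018-10-02T03:00:00", "id": 4625, "logon_type": 3, "user": "Administrator", "src": "192.0.2.9"},
    {"time": "2018-10-02T03:30:00", "id": 4625, "logon_type": 3, "user": "Administrator", "src": "192.0.2.9"},
    {"time": "2018-10-02T04:00:00", "id": 4625, "logon_type": 3, "user": "Administrator", "src": "192.0.2.9"},
    # A legitimate user mistypes a password once, then logs in.
    {"time": "2018-10-02T08:15:00", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "198.51.100.20"},
    {"time": "2018-10-02T08:15:30", "id": 4624, "logon_type": 10, "user": "jsmith", "src": "198.51.100.20"},
    # A console logon failure (Logon Type 2) is not RDP and is ignored.
    {"time": "2018-10-02T09:00:00", "id": 4625, "logon_type": 2, "user": "svc_backup", "src": "-"},
]

RDP_LOGON_TYPES = {3, 10}


def _t(event):
    return datetime.fromisoformat(event["time"])


def find_bruteforce(events, threshold=5, window_minutes=10):
    """Return {source_ip: summary} for every source that produced at least
    `threshold` failed RDP logons inside some `window_minutes` span, and note
    whether a successful logon from that source followed the burst (the sign
    that a guessed password actually worked)."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["logon_type"] in RDP_LOGON_TYPES:
            by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["id"] == 4625]
        # Slide a window over the failures; stop at the first dense enough burst.
        start, burst_start = 0, None
        for end in range(len(failures)):
            while (_t(failures[end]) - _t(failures[start])).total_seconds() > window_minutes * 60:
                start += 1
            if end - start + 1 >= threshold:
                burst_start = _t(failures[start])
                break
        if burst_start is None:
            continue
        success = next((e for e in evs if e["id"] == 4624 and _t(e) >= burst_start), None)
        alerts[src] = {
            "failures": len(failures),
            "accounts": sorted({e["user"] for e in failures}),
            "success_as": success["user"] if success else None,
        }
    return alerts


if __name__ == "__main__":
    for src, info in find_bruteforce(EVENTS).items():
        print(src, info)
```

With the defaults, only 203.0.113.7 is flagged: six failures against three accounts and a success as Administrator right after, which is the case to treat as a compromise rather than a nuisance. The slow guesser at 192.0.2.9 stays under the ten-minute threshold and only appears when the window is widened, which is why real deployments pair a short-window rule like this one with account lockout on the server side.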
Hackers split up the work of attacking RDP connections.
An attacker who doesn't want to bother finding computers with exposed RDP connections has another option: buy a list of them from other criminals. There are online markets where hackers sell exactly this kind of information for money. Wholesalers of RDP access (one of which goes by the nickname RDPWalMart) are seeing more and more traffic despite having been publicly identified as compilers of this data, and sellers even use social media to advertise their RDP lists to bidders.
FBI gives businesses tips to prevent RDP cyber-attacks.
As part of its warning, IC3 encourages businesses to audit their networks for systems with RDP enabled, and to disable RDP on any system that does not need it until it can be fully secured with patches and updates. RDP ports should not be reachable from the public internet at all: keep them behind a firewall and require users to connect over a VPN first, so the RDP service only ever sees traffic from the internal network. The advisory also calls for strong passwords, account lockout after a set number of failed attempts, two-factor authentication where possible, and retaining logon logs long enough to investigate an incident. Taken together with a long-term security program, these steps go a long way toward closing off this avenue of attack.
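"Audit your network for exposed RDP" is concrete work, and on cloud-hosted Windows systems the first place to look is the firewall rules attached to each instance. The script below is an added example, not code from the IC3 warning or from the original article. It takes the JSON shape produced by `aws ec2 describe-security-groups` as one form of that audit, flags any rule that admits port 3389 from outside the VPN, and shows the corrected rule that only allows RDP from the VPN subnet. The security groups are constructed for the example and the VPN subnet is a hypothetical value; the same check generalizes to any firewall export where a rule has a protocol, port range and source CIDR.

```python
"""Find RDP rules open to the internet and show the corrected rule.

Added example, not code from the IC3 advisory or the original article. It
takes the JSON shape produced by `aws ec2 describe-security-groups`
(SecurityGroups -> IpPermissions) as one concrete form of "audit your network
for exposed RDP". The groups below are constructed, not from a real account,
and the VPN subnet is a hypothetical value.
"""
import ipaddress
import json

RDP_PORT = 3389
# Hypothetical VPN concentrator subnet: the only source that should reach 3389.
VPN_SUBNET = ipaddress.ip_network("10.20.0.0/24")

SAMPLE_SECURITY_GROUPS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "win-jump-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "win-app-any", "IpPermissions": [
        # "-1" means every protocol and port, so it silently includes RDP.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "win-jump-vpn", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.20.0.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0eee", "GroupName": "win-jump-v6", "IpPermissions": [
        # A wide port range over IPv6 also covers 3389.
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
]})


def rule_covers_rdp(perm):
    """True if this permission admits port 3389 over TCP or UDP (RDP uses
    both), whether directly, through a port range, or via 'all traffic'."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6", "udp", "17"):
        return False
    return perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 65535)


def bad_sources(perm):
    """CIDR sources of an RDP-capable rule that lie outside the VPN subnet.
    Sources given as other security groups (UserIdGroupPairs) are not CIDRs
    and are left for a separate review."""
    if not rule_covers_rdp(perm):
        return []
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    flagged = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        # Version check first: subnet_of() refuses to compare IPv6 with IPv4.
        if net.version != 4 or not net.subnet_of(VPN_SUBNET):
            flagged.append(cidr)
    return flagged


def find_exposed_rdp(sg_json):
    """Walk every group and rule, returning one finding per offending rule."""
    findings = []
    for sg in json.loads(sg_json)["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            flagged = bad_sources(perm)
            if flagged:
                findings.append({"group": sg["GroupId"], "name": sg["GroupName"],
                                 "protocol": perm["IpProtocol"], "sources": flagged})
    return findings


def hardened_rdp_rule():
    """The replacement rule: TCP/3389 only from the VPN subnet."""
    return {"IpProtocol": "tcp", "FromPort": RDP_PORT, "ToPort": RDP_PORT,
            "IpRanges": [{"CidrIp": str(VPN_SUBNET), "Description": "RDP via VPN only"}],
            "Ipv6Ranges": [], "UserIdGroupPairs": []}


if __name__ == "__main__":
    for f in find_exposed_rdp(SAMPLE_SECURITY_GROUPS):
        print(f"{f['group']} ({f['name']}): {f['protocol']} from {', '.join(f['sources'])}")
    print("replace with:", json.dumps(hardened_rdp_rule()))
```

The two findings that are easy to miss by eye are sg-0bbb, where an "all traffic" rule never mentions 3389 but allows it anyway, and sg-0eee, where a broad port range and an IPv6 any-source (`::/0`) do the same; an audit that only greps for the literal port number would pass both. The group that already restricts 3389 to the VPN subnet (sg-0ccc) is the shape every RDP rule should end up in.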
INSUREtrust wants your business to be safe from hacking. Learn more about how we can help you to assess your weak points, create a prevention plan and actively protect your network.