FBI warns companies about hackers increasingly abusing RDP connections

Millions of RDP endpoints remain exposed online and vulnerable to exploit, dictionary, and brute-force attacks.
Written by Catalin Cimpanu, Contributor

In a public service announcement published today by the US Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3), the FBI is warning companies about the dangers of leaving RDP endpoints exposed online.

RDP stands for Remote Desktop Protocol, a proprietary technology developed by Microsoft in the 1990s that lets a user log into a remote computer and interact with its OS through a graphical interface with mouse and keyboard input, hence the name "remote desktop."

RDP access is rarely enabled on home computers, but it is often turned on for workstations in enterprise networks or for computers in remote locations that system administrators need to access but cannot reach in person.


In its alert, the FBI mentions that the number of computers with an RDP connection left accessible on the Internet has gone up since mid and late 2016.

This assertion from the FBI correlates with numbers and trends reported by cyber-security firms in the past few years. For example, just one company, Rapid7, reported seeing nine million devices with port 3389 (RDP) enabled on the Internet in early 2016, and that number rose to over 11 million by mid-to-late 2017.

Hackers, too, read cyber-security reports. Early warnings from the private sector about the increasing number of RDP endpoints caught hackers' attention long before sysadmins.

For the past few years, there has been a constant stream of incident reports in which investigators found that hackers got an initial foothold on victims' networks via a computer with an exposed RDP connection.

Nowhere has this been more the case than in ransomware attacks. Over the past three years, tens of ransomware families have been specifically designed to be deployed inside a network after attackers gained an initial foothold, which in many cases turned out to be an RDP server.

Ransomware specifically designed to be deployed via RDP includes strains such as CryptON, LockCrypt, Scarabey, Horsuke, SynAck, Bit Paymer, RSAUtil, Xpan, Crysis, Samas (SamSam), LowLevel, DMA Locker, Apocalypse, Smrss32, Bucbi, Aura/BandarChor, ACCDFISA, and Globe.

Here's just one user recounting on Reddit an incident in which hackers broke in via RDP and launched ransomware that encrypted countless systems of his.


There are three ways in which hackers usually get in. The easiest is when sysadmins enable RDP access on a server and don't set a password. Anyone connecting to that computer's IP address on port 3389 is presented with a login screen where they can log in just by pressing Enter.

The second way is derived from the first but requires attackers either to guess login credentials (a brute-force attack) or to use precompiled lists of common username-password combinations (a dictionary attack).

The third method also relies on mass-scanning the internet, but instead of guessing credentials, attackers deliver exploit code for known vulnerabilities in the RDP protocol. If the port is exposed, then hackers can exploit it.
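The credential-guessing method above leaves a distinctive trail in the Windows Security log, which is what a defender watches for. The following is an added example, not code from the article or from any of the sources it cites: it runs a simple sliding-window detector over constructed sample records shaped like Windows Security events (event ID 4625 for a failed logon, 4624 for a successful one, LogonType 10 for an RDP session), flags sources that fail repeatedly in a short interval, and then reports any RDP session those same sources went on to open. The threshold, window, addresses and user names are assumptions chosen for the example.

```python
"""Spot RDP password guessing in Windows Security event data.

Added example, not code from the article or the FBI alert. The records below
are constructed to resemble Windows Security events: 4625 = failed logon,
4624 = successful logon, LogonType 10 = RemoteInteractive (an RDP session).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (RFC 5737 documentation addresses, not real hosts).
SAMPLE_EVENTS = [
    {"time": "2018-09-27T08:00:01", "id": 4625, "logon_type": 3, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2018-09-27T08:00:05", "id": 4625, "logon_type": 3, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2018-09-27T08:00:09", "id": 4625, "logon_type": 3, "user": "admin", "src": "198.51.100.23"},
    {"time": "2018-09-27T08:00:13", "id": 4625, "logon_type": 3, "user": "admin", "src": "198.51.100.23"},
    {"time": "2018-09-27T08:00:17", "id": 4625, "logon_type": 3, "user": "backup", "src": "198.51.100.23"},
    {"time": "2018-09-27T08:00:21", "id": 4625, "logon_type": 3, "user": "backup", "src": "198.51.100.23"},
    {"time": "2018-09-27T08:00:30", "id": 4624, "logon_type": 10, "user": "backup", "src": "198.51.100.23"},
    {"time": "2018-09-27T08:05:00", "id": 4625, "logon_type": 3, "user": "jsmith", "src": "203.0.113.9"},
    {"time": "2018-09-27T08:15:00", "id": 4625, "logon_type": 3, "user": "jsmith", "src": "203.0.113.9"},
    {"time": "2018-09-27T09:00:00", "id": 4624, "logon_type": 10, "user": "jsmith", "src": "10.0.0.5"},
]

FAIL_THRESHOLD = 5             # this many failures from one source ...
WINDOW = timedelta(minutes=2)  # ... inside this sliding window counts as guessing


def _ts(record):
    return datetime.strptime(record["time"], "%Y-%m-%dT%H:%M:%S")


def detect_guessing(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: peak failures inside one window} for sources over the threshold.

    Failures are selected by event ID alone: with Network Level Authentication
    enabled, a rejected RDP credential is logged as 4625 with LogonType 3 (network),
    not 10, so filtering failures on LogonType 10 would miss the guessing entirely.
    """
    failures = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["id"] == 4625:
            failures[e["src"]].append(_ts(e))
    hits = {}
    for src, times in failures.items():
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def rdp_logons_from_guessers(events, hits):
    """Successful RDP sessions (4624, LogonType 10) opened by a source that was guessing."""
    return [(e["src"], e["user"]) for e in sorted(events, key=_ts)
            if e["id"] == 4624 and e["logon_type"] == 10 and e["src"] in hits]


if __name__ == "__main__":
    guessers = detect_guessing(SAMPLE_EVENTS)
    print("password guessing from:", guessers)
    print("RDP sessions then opened by those sources:",
          rdp_logons_from_guessers(SAMPLE_EVENTS, guessers))
```

On the sample data the detector reports 198.51.100.23 (six failures in twenty seconds, across three account names, followed by a successful RDP session as "backup"), while 203.0.113.9, with two failures ten minutes apart, stays below the threshold. The second function is the part worth alerting on: a successful interactive logon from a source that was just guessing is the moment the foothold the article describes is established.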

According to Rapid7, between 2002 and 2017 there were 20 Microsoft security updates specifically related to RDP, fixing 24 major vulnerabilities. Patches for RDP continued after Rapid7 stopped counting, the latest of them shipped this March for a flaw in CredSSP, one of the smaller protocols that make up the RDP package.


In an interview with ZDNet about the FBI's alert, Mark Dufresne, VP of Threat Research and Prevention at cyber-security firm Endgame, shared some of his experience with the RDP threat.

"RDP has been baked into Windows for a very long time and has been abused by attackers since it became widely deployed," Dufresne told ZDNet.

"We can look at sources like greynoise.io to see that attackers are constantly looking for open RDP connections," he added. "Almost a thousand unique IPs were looking for RDP services listening on the default port each day over the past week."

Once attackers get in, everything is fair game, unless they are careless and security products reveal their presence.

But not all RDP compromises result in ransomware infections, data theft, or other malicious behavior. Some of the people behind these RDP scans don't exploit the hacked systems themselves, at least not directly, and instead stockpile hacked RDP endpoints to sell online.

Since mid-2016, just about when cyber-security firms were noting a rise in RDP servers, a group of hackers set up xDedic, a web portal where they and other criminals could sell or buy these hacked and hoarded RDP systems.

Initially, it was said that xDedic provided crooks access to over 70,000 hacked RDP endpoints, but one year later, despite the media attention and attempts to take down the site, xDedic's RDP server pool had gone up to 85,000.

But xDedic was only the beginning. Other copycat "RDP shops," as they came to be known, popped up everywhere. This reporter has been tracking some of these services for the past few years on Twitter [1, 2, 3, 4, 5, 6].

The most recent of these was discovered just this summer, in July. McAfee security researchers found it peddling access to RDP workstations in some rather sensitive places, such as airports, government offices, hospitals, and nursing homes.

These shops would not be a problem if people stopped exposing RDP endpoints altogether. Through its alert, the FBI is now urging companies to secure these systems before they get hacked.

The FBI and the Department of Homeland Security have today jointly published the following advice on improving RDP security.

  • Audit your network for systems using RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
  • Verify all cloud-based virtual machine instances with a public IP do not have open RDP ports, specifically port 3389, unless there is a valid business reason to do so. Place any system with an open RDP port behind a firewall and require users to use a Virtual Private Network (VPN) to access it through the firewall.
  • Enable strong passwords and account lockout policies to defend against brute-force attacks.
  • Apply two-factor authentication, where possible.
  • Apply system and software updates regularly.
  • Maintain a good back-up strategy.
  • Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider's best practices for remote access.
  • Ensure third parties that require RDP access are required to follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
  • Regulate and limit external to internal RDP connections. When external access to internal resources is required, use secure methods, such as VPNs, recognizing VPNs are only as secure as the connected devices.
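The second item in the list, checking that no cloud instance with a public IP has an open RDP port unless there is a business reason, is something a practitioner would script rather than do by hand. The following is an added example and is not part of the FBI/DHS advice or the article. It audits a set of firewall rules whose shape is modelled on the IpPermissions structure of AWS security-group listings (IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges), flagging every rule that lets a network outside an allow-list reach port 3389. The group IDs and networks are constructed sample data, and the allow-list of VPN networks is an assumption for the example; the same check generalizes to "all traffic" rules and to port ranges that happen to include 3389, both of which the example covers.

```python
"""Audit cloud firewall rules for RDP (port 3389) reachable from outside.

Added example, not part of the FBI/DHS advice or the article. Input shape is
modelled on the IpPermissions structure in AWS security-group listings; the
group IDs, networks and allow-list below are constructed for the example.
"""
import ipaddress

RDP_PORT = 3389

# Constructed assumption: the only networks from which RDP should ever be
# reachable (e.g. the VPN concentrator's address pool). Anything else is exposed.
ALLOWED_SOURCES = ["10.0.0.0/8"]

# Constructed sample security groups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-open-rdp", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-vpn-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-all-traffic", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-wide-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-ssh-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def rule_covers_rdp(rule):
    """True if the rule's protocol/port range includes 3389 (TCP or UDP)."""
    proto = rule["IpProtocol"]
    if proto == "-1":  # "all traffic": every protocol, every port
        return True
    if proto not in ("tcp", "udp"):
        return False
    # A missing port bound means the whole range on that side.
    return rule.get("FromPort", 0) <= RDP_PORT <= rule.get("ToPort", 65535)


def source_is_allowed(cidr, allowed):
    """True if cidr lies entirely inside one of the allowed management networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    for a in allowed:
        anet = ipaddress.ip_network(a, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6 input, so compare versions first.
        if anet.version == net.version and net.subnet_of(anet):
            return True
    return False


def find_exposed_rdp(groups, allowed=ALLOWED_SOURCES):
    """Return (group_id, source_cidr) for every rule letting a non-allowed network reach 3389."""
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            if not rule_covers_rdp(rule):
                continue
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not source_is_allowed(cidr, allowed):
                    findings.append((g["GroupId"], cidr))
    return findings


if __name__ == "__main__":
    for group_id, cidr in find_exposed_rdp(SAMPLE_GROUPS):
        print(f"{group_id}: RDP reachable from {cidr}")
```

On the sample data the audit flags sg-open-rdp (3389 from anywhere), sg-all-traffic (an "all traffic" rule from any IPv6 source, which includes 3389 even though the port is never named) and sg-wide-range (a 3000-4000 range from a public /24 outside the allow-list), while sg-vpn-only and sg-ssh-only pass. Checking the source against an allow-list rather than only against 0.0.0.0/0 is deliberate: a rule open to one public /24 is still an exposed RDP endpoint in the sense the advisory means, just a smaller one.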
