In a public service announcement published today by the US Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3), the FBI is warning companies about the dangers of leaving RDP endpoints exposed online.
RDP stands for the Remote Desktop Protocol, a proprietary technology developed by Microsoft in the 90s that allows a user to log into a remote computer and interact with its OS via a visual interface that includes mouse and keyboard input, hence the name "remote desktop."
RDP access is rarely enabled on home computers, but it's often turned on for workstations in enterprise networks or for computers in remote locations that system administrators need access to but can't reach in person.
In its alert, the FBI says that the number of computers with an RDP connection left accessible on the Internet has gone up since mid-to-late 2016.
This assertion from the FBI correlates with numbers and trends reported by cyber-security firms in the past few years. For example, just one company, Rapid7, reported seeing nine million devices with port 3389 (RDP) enabled on the Internet in early 2016, and that number rose to over 11 million by mid-to-late 2017.
Hackers, too, read cyber-security reports. Early warnings from the private sector about the increasing number of RDP endpoints caught hackers' attention long before sysadmins.
For the past few years, there has been a constant stream of incident reports in which investigators found that hackers got an initial foothold on victims' networks via a computer with an exposed RDP connection.
Nowhere has this been more the case than in ransomware attacks. Over the past three years, dozens of ransomware families have been specifically designed to be deployed inside a network after attackers gained an initial foothold, which in many cases turned out to be an RDP server.
Ransomware specifically designed to be deployed via RDP includes strains such as CryptON, LockCrypt, Scarabey, Horsuke, SynAck, Bit Paymer, RSAUtil, Xpan, Crysis, Samas (SamSam), LowLevel, DMA Locker, Apocalypse, Smrss32, Bucbi, Aura/BandarChor, ACCDFISA, and Globe.
Here's just one user recounting on Reddit an event where hackers broke in via RDP and launched ransomware that encrypted countless of his systems.
There are three main ways hackers get in. The easiest is when sysadmins enable RDP access on a server and don't set up a password. Anyone connecting to that computer's IP address on port 3389 is presented with a login screen where they can log in just by pressing Enter.
The second way is derived from the first but requires attackers to either guess login credentials (via a brute-force attack) or use precompiled lists of common username-password combos (via a dictionary attack).
The third method also relies on mass-scanning the internet, but instead of guessing credentials, attackers deliver exploit code for known vulnerabilities in the RDP protocol. If the port is exposed and unpatched, hackers can exploit it.
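The first two methods described above, blank-password logins and brute-force or dictionary guessing, leave a clear trace in the Windows Security log: a burst of failed RemoteInteractive logons (Event ID 4625, LogonType 10) from one source address, often followed by a success (Event ID 4624). The script below is an added detection example, not code from the article, the FBI alert, or any vendor. It runs over a constructed, simplified one-line-per-event rendering of those Security events (real events are XML/EVTX and would be flattened by a log pipeline first; the field names follow the Windows event schema, the line layout is an assumption), and the five-failures-in-five-minutes threshold is an assumed starting point, not a recommendation from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): a flattened rendering of Windows Security
# events. 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2018-09-27T10:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
2018-09-27T10:00:02 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.7
2018-09-27T10:00:04 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=198.51.100.7
2018-09-27T10:00:05 EventID=4625 LogonType=10 TargetUserName=user IpAddress=198.51.100.7
2018-09-27T10:00:07 EventID=4625 LogonType=10 TargetUserName=test IpAddress=198.51.100.7
2018-09-27T10:00:09 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
2018-09-27T10:00:12 EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
2018-09-27T10:02:00 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=203.0.113.5
2018-09-27T10:05:00 EventID=4625 LogonType=2 TargetUserName=bob IpAddress=192.0.2.10
2018-09-27T10:20:00 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=203.0.113.5
2018-09-27T10:40:00 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=203.0.113.5
"""

# Assumed flat line layout; a real pipeline would extract the same fields from the event XML.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

RDP_LOGON_TYPE = 10          # RemoteInteractive: the logon type RDP sessions use
FAILED_LOGON, SUCCESS_LOGON = 4625, 4624


def parse_events(text):
    """Parse the flattened log lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "eid": int(m["eid"]),
                "lt": int(m["lt"]),
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Flag source IPs with >= threshold failed RDP logons inside any sliding window.

    For each flagged IP the result records the total failures, the number of distinct
    usernames tried (many names from one IP is the dictionary-attack signature), the
    largest burst within the window, and whether a successful RDP logon from the same
    IP followed the failures (a guessed password, which needs immediate response).
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["lt"] != RDP_LOGON_TYPE:
            continue  # local/console logons are not RDP; ignore them here
        if ev["eid"] == FAILED_LOGON:
            failures[ev["ip"]].append(ev)
        elif ev["eid"] == SUCCESS_LOGON:
            successes[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        # Two-pointer sliding window over the sorted failure timestamps.
        start, max_burst = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            max_burst = max(max_burst, end - start + 1)
        if max_burst < threshold:
            continue
        first_failure = evs[0]["ts"]
        findings[ip] = {
            "failures": len(evs),
            "distinct_users": len({e["user"] for e in evs}),
            "max_in_window": max_burst,
            "succeeded_after": any(s["ts"] >= first_failure for s in successes[ip]),
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, info)
```

On the sample, only 198.51.100.7 is flagged: six failures across five different usernames in under ten seconds, followed by a successful logon as "administrator", which is the pattern of a dictionary attack that worked. The slow drip from 203.0.113.5 stays under the threshold, and the LogonType 2 failure is a console logon and is ignored. Feed it from Get-WinEvent or a SIEM export rather than a string, and tune the window and threshold to the host's normal traffic.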
According to Rapid7, between 2002 and early 2017 there were 20 Microsoft security updates specifically related to RDP, updates that fixed 24 major vulnerabilities. Patches for RDP continued even after Rapid7 stopped counting, the latest of them deployed this March for a flaw in CredSSP, one of the smaller protocols that make up the RDP package.
In an interview with ZDNet about the FBI's alert, Mark Dufresne, VP, Threat Research and Prevention at cyber-security firm Endgame, shared some of his dealings with the RDP threat.
"RDP has been baked into Windows for a very long time and has been abused by attackers since it became widely deployed," Dufresne told ZDNet.
"We can look at sources like greynoise.io to see that attackers are constantly looking for open RDP connections," he added. "Almost a thousand unique IPs were looking for RDP services listening on the default port each day over the past week."
Once attackers get in, it's all fair game, unless they're not careful and security products expose their presence.
But not all RDP compromises result in ransomware infections, data theft, or malicious behavior. Some of the people behind these RDP scans don't always exploit the hacked systems, at least not directly, and instead stockpile hacked RDP endpoints to sell online.
Since mid-2016, just about when cyber-security firms were noting a rise in RDP servers, a group of hackers set up xDedic, a web portal where they and other criminals could sell or buy these hacked and hoarded RDP systems.
Initially, it was said that xDedic provided crooks access to over 70,000 hacked RDP endpoints, but one year later, despite the media attention and attempts to take down the site, xDedic's RDP server pool had gone up to 85,000.
But xDedic was only the beginning. Other copycat "RDP shops," as they came to be known, popped up everywhere. This reporter has been tracking some of these services for the past few years on Twitter [1, 2, 3, 4, 5, 6].
The most recent of these was discovered just this summer, in July. McAfee security researchers found it peddling access to RDP workstations in some pretty sensitive places, such as airports, government offices, hospitals, and nursing homes.
But these shops wouldn't be a problem if people stopped exposing RDP endpoints altogether. Through its alert, the FBI is now urging companies to secure these systems before it's too late and they get hacked.
Together with the Department of Homeland Security, the two agencies have today published the following advice on improving RDP security.