Using a remote desktop? Your business is at risk

Hackers are using RDPs as backdoors to plant malware in your systems
1 October 2018

Remote desktop is convenient for accessing your machine from any location in the world. It also means hackers can potentially get access as well. Source: Shutterstock

Hackers are accessing your businesses via backdoors that are left open on the internet, warned the US Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3).

Remote Desktop Protocol (RDP) is a technology developed by Microsoft that lets a user log into a computer from another device while away from the physical machine.

However, if the connection is left open to the internet, hackers can use it too.

While most home computers generally have no use for this function, RDP is often enabled on workstations in enterprise networks. For system administrators in particular, RDP is convenient for accessing machines in remote locations that are difficult to reach in person.

According to the alert issued by the FBI, there is an increasing number of RDP connections that are accessible online.

The FBI’s findings are in line with trends reported by the cybersecurity industry over the past few years.

In a report by Rapid 7, the number of open RDP connections globally increased from 9 million in 2016 to 11 million by July 2017. More than a quarter of them are situated in the US.

Early warnings from the private sector about the risks of RDP are a double-edged sword – hackers read cybersecurity reports too, and they are far quicker than sysadmins at acting on these vulnerabilities.

Incidents in which malicious actors gained initial access to a victim’s network via an exposed RDP connection were increasing. This is especially prevalent in ransomware attacks: much of the malware is designed to be deployed only after the attacker has already gained access to a network, which in these cases means through an RDP server.

In the alert, the FBI said there are four main weaknesses that give hackers a way in – weak passwords that are vulnerable to brute-force attacks, outdated versions of RDP that use a flawed encryption mechanism, unrestricted access to the default RDP port, and unlimited login attempts against a user account.
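The last of those weaknesses, unlimited login attempts, shows up in a server’s logs as a burst of failed RDP logons from one source address, followed, if the attacker succeeds, by a successful logon from the same address. As an added example (not part of the article or the FBI alert), the Python below flags such bursts in an exported Windows Security log; the CSV export format, the sample lines, and the threshold of five failures within one minute are assumptions.

```python
# Added example: flag RDP brute forcing in exported Windows Security log lines.
# Event 4625 = failed logon, 4624 = successful logon, logon type 10 =
# RemoteInteractive (RDP). Threshold and window are assumed values to tune.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: timestamp,event_id,logon_type,user,source_ip
SAMPLE_LOG = """\
2018-10-01T08:00:01,4625,10,administrator,203.0.113.7
2018-10-01T08:00:03,4625,10,admin,203.0.113.7
2018-10-01T08:00:05,4625,10,backup,203.0.113.7
2018-10-01T08:00:07,4625,10,sqlsvc,203.0.113.7
2018-10-01T08:00:09,4625,10,helpdesk,203.0.113.7
2018-10-01T08:00:11,4625,10,jsmith,203.0.113.7
2018-10-01T08:00:20,4624,10,jsmith,203.0.113.7
2018-10-01T08:05:00,4625,10,jdoe,198.51.100.5
2018-10-01T08:06:30,4625,10,jdoe,198.51.100.5
2018-10-01T08:07:00,4625,2,jdoe,-
"""

def parse(text):
    """Parse the CSV-style export into sorted (ts, event_id, logon_type, user, ip) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, user, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return sorted(events)

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"failures": n, "success_after": bool}} for source IPs with at
    least `threshold` failed RDP logons inside `window`. A later successful RDP
    logon from a flagged IP suggests a password was guessed."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for ts, eid, ltype, user, ip in events:
        if ltype != 10:           # only RDP (RemoteInteractive) logons matter here
            continue
        if eid == 4625:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                hit = flagged.setdefault(ip, {"failures": 0, "success_after": False})
                hit["failures"] = max(hit["failures"], len(q))
        elif eid == 4624 and ip in flagged:
            flagged[ip]["success_after"] = True
    return flagged

if __name__ == "__main__":
    print(find_rdp_bruteforce(parse(SAMPLE_LOG)))
```

In a real deployment the export would come from the Security log on the RDP host (or a central SIEM), and a flagged address with `success_after` set should be treated as a probable compromise rather than just noise.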

Rapid 7’s report noted that since 2002, Microsoft has released at least 20 security updates pertaining to RDP.

However, not every RDP endpoint that has been compromised ends up with users losing data or being infected with ransomware. Instead of attacking the systems directly, some attackers stockpile the credentials of these RDP-enabled endpoints and sell them online.

One such marketplace is xDedic, a web portal that is used as a trade hub for compromised servers. Although the site has been shut down, it has re-emerged in the Tor dark web.

Kaspersky estimates that more than 70,000 credentials were listed on the site, including machines on government and corporate networks in different countries. Some were listed for as little as US$8 per server.

xDedic started a trend of copycat forums selling compromised server credentials, known as “RDP shops”. In fact, one of the most recent shops was found by McAfee researchers in July; it is said to list RDP connections to sensitive places such as airports, government, hospitals, and nursing homes.

There’s really only one way to stop these RDP shops – by not exposing RDP connections at all. However, that’s not always possible, especially as work becomes increasingly mobile.

Businesses must take precautions and have strong security measures in place to ensure that networks are not exposed and vulnerable to attacks. In some instances, it’s as simple as implementing stronger passwords, having a good backup strategy, and promptly applying new patches as they become available.