FBI Alert: Cybercriminals Exploit Remote Desktops

The FBI has issued an alert regarding cyber actors exploiting RDP to carry out malicious activity. Everything you need to know to protect yourself is here.

Updated on May 26th, 2020


The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) have issued a warning that cybercriminals have developed methods of exploiting remote desktop protocol (RDP) sessions over the internet to compromise identities, steal login credentials, and ransom sensitive information.

The FBI and DHS recommend that businesses and private citizens assess and understand what remote access their networks allow, and take steps to minimize the likelihood of a compromise and the resulting vulnerability to threat actors.

A threat actor—also known as a malicious actor—is a person or entity that is partially or wholly responsible for an event or incident that impacts, or has the potential to impact, the safety or security of another entity, such as an organization.

RDP is a proprietary network protocol that allows an individual to control the resources and data of a computer over the internet. Intrusions over RDP are hard to detect because the attacks do not require user input.

1. Review your networks.

Examine your network for systems using RDP for remote communication. Disable the service if it is not needed, or install available patches, but confirm with your technology vendor that the patches will not affect system processes.

2. Check for open RDP ports.

Confirm that all cloud-based virtual machine instances with a public IP do not have open RDP ports, specifically port 3389, unless there is a valid business reason to do so.

3. Put systems with open RDP ports behind a firewall.

Ensure users are using a Virtual Private Network (VPN) to access open RDP ports through the firewall.

4. Enable strong passwords and account lockout policies to defend against brute-force attacks.

Use two-factor authentication where possible.

5. Perform system and software updates routinely.

Retain a solid back-up strategy.

6. Prepare logging and ensure logging mechanisms capture RDP logins.

Retain logs for a minimum of 90 days, and assess these routinely to detect intrusion attempts.

7. Follow cloud providers' best practices for remote access when creating cloud-based virtual machines.

Ensure that third parties that require RDP access follow internal policies on remote access.

8. Minimize network exposure for all control system devices.

Ensure critical devices do not have RDP enabled where possible, and monitor and restrict external to internal RDP connections.

9. Utilize secure methods, such as VPNs.

Use them when external access to internal resources is required, and always remember that VPNs are only as secure as the connected devices.
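
Steps 4 and 6 above come down to spotting repeated failed RDP logons in the logs you retain. The following is an added example, not part of the FBI/DHS alert or the original article: it scans a constructed CSV export of Windows Security events for source addresses with many failed logons (Event ID 4625) in a short window and marks any that were followed by a successful logon (Event ID 4624). The CSV column names, the threshold and the window are assumptions; logon type 3 also covers non-RDP network logons, so expect some noise.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): CSV export of Windows Security events.
# 4625 = failed logon, 4624 = successful logon. LogonType 10 is an RDP
# (RemoteInteractive) logon; with NLA, failed RDP logons are recorded as type 3.
SAMPLE_LOG = """time,event_id,logon_type,account,source_ip
2020-05-26T02:00:01,4625,3,administrator,203.0.113.50
2020-05-26T02:00:09,4625,3,admin,203.0.113.50
2020-05-26T02:00:17,4625,3,administrator,203.0.113.50
2020-05-26T02:00:25,4625,3,backup,203.0.113.50
2020-05-26T02:00:33,4625,3,administrator,203.0.113.50
2020-05-26T02:00:41,4625,3,administrator,203.0.113.50
2020-05-26T02:01:02,4624,10,administrator,203.0.113.50
2020-05-26T08:58:10,4625,10,jsmith,198.51.100.7
2020-05-26T08:58:30,4624,10,jsmith,198.51.100.7
2020-05-26T09:00:00,4625,3,svc,192.0.2.10
2020-05-26T11:00:00,4625,3,svc,192.0.2.10
2020-05-26T13:00:00,4625,3,svc,192.0.2.10
2020-05-26T15:00:00,4625,3,svc,192.0.2.10
2020-05-26T17:00:00,4625,3,svc,192.0.2.10
"""

FAILED, SUCCESS = "4625", "4624"
RDP_LOGON_TYPES = {"3", "10"}

def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: {"failures": n, "success_after": account or None}}
    for sources with >= threshold failed logons inside one sliding window."""
    failures = defaultdict(list)  # source_ip -> failure times still in window
    findings = {}
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["time"])
    for row in rows:
        if row["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip, ts = row["source_ip"], datetime.fromisoformat(row["time"])
        if row["event_id"] == FAILED:
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold:
                hit = findings.setdefault(ip, {"failures": 0, "success_after": None})
                hit["failures"] = max(hit["failures"], len(recent))
        elif row["event_id"] == SUCCESS and ip in findings:
            # A success from a source already flagged for guessing is the
            # highest-priority finding: the password was probably guessed.
            findings[ip]["success_after"] = row["account"]
    return findings
```

On the sample, only 203.0.113.50 is reported: the single mistyped password from 198.51.100.7 and the failures from 192.0.2.10 spread over hours stay below the threshold.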

What Makes You Vulnerable to Attacks by Threat Actors:
  • Using weak passwords.
  • Enabling unlimited login attempts to a user account.
  • Using outdated versions of RDP.
  • Enabling unrestricted access to default RDP port TCP 3389.

Understanding Common Threats:



CrySIS Ransomware

Targets US businesses through open RDP ports, and uses brute-force and dictionary attacks to gain unauthorized remote access. Threat actors insist on payment in Bitcoin in exchange for a decryption key.

SamSam Ransomware

Uses a wide range of exploits such as attacking RDP-enabled machines. Uses brute-force attacks.

CryptON Ransomware

Uses brute-force attacks to get access to RDP sessions, which then allows a threat actor to manually execute malicious programs. Cyber actors usually request Bitcoin in exchange for decryption directions.

Dark Web Exchange

Threat actors buy and sell stolen RDP login credentials on the Dark Web.
