Oregon FBI Tech Tuesday: Building a Digital Defense Against Remote Desktop Protocol Threats
Welcome to the Oregon FBI’s Tech Tuesday segment. This week: Building a digital defense against Remote Desktop Protocol threats.
The FBI’s Internet Crime Complaint Center and Department of Homeland Security recently issued a new warning concerning the use of what’s called RDP or Remote Desktop Protocol. While the Remote Desktop Protocol is a Windows protocol, there are versions for MacOS and Linux. Companies sometimes use RDP to give outside vendors access to monitor systems that they support for that business. Think of an HVAC vendor who is remotely monitoring energy consumption and adjusting air temperature for a client.
What investigators have been seeing, though, is that RDP attacks against businesses have been on the rise since 2016. There are two common methods of attack. The first line of attack involves a malicious cyber actor who obtains credentials to the business’ systems by buying RDP user IDs and passwords on the Dark Web. The second line of attack involves a cyber actor who conducts a brute force attack on a network that involves using automated systems to guess username and password combinations until they get it right and gain access. A third less common method used by cyber actors is to take advantage of vulnerable, unpatched RDP services.
Once the hacker has access, he can log into a company’s network from any computer in the world. Anything that an employee can see or do on his computer—the bad guy can see and do. In many cases, the business never even knows that the hacker is there.
Access to your business system also allows the malicious actor to load malware or Ransomware onto that system, creating even more long-term problems.
Here are a few of the vulnerabilities that can put your business at risk:
- Weak passwords—including passwords that use dictionary words or those that do not include a mixture of uppercase/lowercase letters, numbers, and special characters—are vulnerable to brute-force attacks.
- Outdated versions of RDP may use flawed encryption, thus enabling a potential man-in-the-middle attack.
- Allowing unlimited login attempts to a user account.
Here’s what you can do to protect your company:
- Audit your network for systems using RDP for remote communication. Disable the service if unneeded.
- Audit RDP accounts to ensure none have been added without your knowledge. Also make sure you have only what you need on your system.
- Enable strong passwords and account lockout policies to defend against brute-force attacks.
- Apply two-factor authentication, where possible.
- Apply system and software updates regularly.
- Maintain a good back-up strategy for your data.
- Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
- Ensure third parties that require RDP access are required to follow internal policies on remote access.
Of course none of these protects against the final vulnerability—social engineering. Whether you are an employee at a business or an individual at home, attackers may attempt to get you to give them RDP access through pop-up messages, phone calls, or other methods. Know that no legitimate company will call or send a pop-up message to your computer requesting access.
If you would like to learn more about the RDP vulnerabilities with specific technical guidance on how to mitigate your threat, check out the Internet Crime Complaint Center’s warning at https://www.ic3.gov/media/2018/180927.aspx.
If you have been victimized by a cyber fraud, be sure to report it to the FBI’s Internet Crime Complaint Center at www.ic3.gov or call your local FBI office.