People now forced to work from home because of the coronavirus quarantine still must do their jobs as effectively as possible. In many cases, IT staff and other employees need to remotely connect to workstations and servers at the office, and for that they typically rely on the Microsoft Remote Desktop Protocol (RDP) built into Windows.
However, RDP poses several security risks, especially if the necessary access, accounts, and authentication are not set up properly. In a blog post published on Thursday, McAfee explains how cybercriminals are taking advantage of RDP access and what organizations can do to protect themselves.
In its blog post “Cybercriminals Actively Exploiting RDP to Target Remote Organizations,” McAfee explained that RDP often runs on Windows servers, including web servers and file servers. In some cases, it’s also used with industrial control systems.
Many systems with RDP are exposed to the internet; the number of exposed systems rose from around 3 million in January 2020 to more than 4.5 million in March. In line with that increase, the volume of attacks against RDP ports has also shot up.
Further, McAfee has discovered a surge in the number of RDP credentials being sold on underground markets, many at relatively low prices. In one example, the RDP credentials of a major international airport were being traded on the dark web for only $10.
Hackers typically take over accounts with RDP access through brute-force password attacks. Such attacks are particularly successful against weak passwords, which are still all too commonly used. The most commonly used passwords McAfee observed on RDP accounts were “test,” “1,” “12345,” “password,” “Password1,” “1234,” “P@ssw0rd,” “123,” and “123456.” Some RDP systems had no password at all.
Flaws are also regularly discovered in RDP itself, requiring Microsoft to issue security patches. One of the most infamous recent examples was the BlueKeep vulnerability that surfaced in 2019. In January, Microsoft also had to fix flaws in the Remote Desktop Gateway, the component used to secure remote connections. Patches only help once they are applied, however; organizations that lag behind remain exposed to RDP exploits.
Criminals who gain remote access to an organization through RDP can use it for a variety of nefarious purposes. They can use a legitimate system to send out spam. They can use the compromised machine to distribute malware or implant a cryptominer, which taps into idle CPU power to mine cryptocurrency. They can also use a remote system to carry out additional fraud such as identity theft.
With the transition to remote working occurring so quickly and abruptly, hackers know that many organizations may not have established the proper security checks and restrictions for RDP.
To prevent RDP from being exploited in your organization, McAfee offers the following guidelines:
- Do not allow RDP connections over the open internet.
- Use complex passwords as well as multifactor authentication.
- Lock out users, and block or time out IP addresses, that have too many failed logon attempts.
- Use an RDP gateway.
- Limit Domain Admin account access.
- Minimize the number of local admins.
- Use a firewall to restrict access.
- Enable restricted Admin mode.
- Enable Network Level Authentication (NLA).
- Ensure that local administrator accounts are unique, and restrict the users who can log on using RDP.
- Consider where RDP hosts are placed within the network.
- Consider using an account-naming convention that does not reveal organizational information.
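The following read-only audit script is an added example, not code from the TechRepublic article or McAfee's post. It checks a single Windows host against several of the guidelines above (NLA, Restricted Admin mode, firewall scope, account lockout, local admin and RDP user membership) and prints an OK/FIX table. It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or newer; the admin-count threshold and the subnet in the remediation comments are placeholders.

```powershell
# Added audit example; assumes elevated PowerShell on Windows 10 / Server 2016+.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$MaxLocalAdmins = 2   # placeholder threshold, not from the article

function Get-RegValue($Path, $Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
function New-Finding($Check, $Ok, $Detail) {
    # $Ok = $null marks a purely informational row that a human should review
    $status = if ($null -eq $Ok) { 'INFO' } elseif ($Ok) { 'OK' } else { 'FIX' }
    [pscustomobject]@{ Check = $Check; Status = $status; Detail = $Detail }
}
$findings = @()

# Network Level Authentication: UserAuthentication=1 requires authentication before a session exists
# Remediation: Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1
$nla = Get-RegValue $tcp 'UserAuthentication'
$findings += New-Finding 'NLA required' ($nla -eq 1) "UserAuthentication=$nla"

# Restricted Admin mode: DisableRestrictedAdmin=0 enables it; an absent value means it is not enabled
$ra = Get-RegValue $lsa 'DisableRestrictedAdmin'
$findings += New-Finding 'Restricted Admin mode' ($ra -eq 0) "DisableRestrictedAdmin=$ra"

# Firewall scope: no enabled inbound Remote Desktop rule should accept connections from 'Any'
# Remediation: Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress '10.0.0.0/8'  (placeholder range)
$rdpRules  = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
$openRules = @($rdpRules | Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' })
$findings += New-Finding 'RDP firewall scope restricted' ($openRules.Count -eq 0) "rules open to Any: $($openRules.Name -join ', ')"

# Account lockout: 'net accounts' reports 'Never' when no lockout threshold is configured
$lockLine  = (net accounts) | Select-String 'Lockout threshold'
$threshold = ($lockLine.Line -replace '.*:\s*', '').Trim()
$findings += New-Finding 'Lockout threshold set' ($threshold -ne 'Never' -and $threshold -ne '') "Lockout threshold: $threshold"

# Local admins and RDP-allowed users: both lists should be short and reviewed
$admins   = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
$rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name)
$findings += New-Finding 'Few local admins' ($admins.Count -le $MaxLocalAdmins) "Administrators: $($admins -join ', ')"
$findings += New-Finding 'RDP users reviewed' $null "Remote Desktop Users: $($rdpUsers -join ', ')"

$findings | Format-Table -AutoSize
```

Rows marked FIX correspond directly to a guideline above; the remediation commands are left as comments so the script itself changes nothing.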