The threat from RDP attacks that spread ransomware has always been present. RDP is a popular MO for cybercriminals because it allows easy access to a device.
The last 5 years have seen a vast increase in RDP attacks, with cybercriminals taking advantage of the coronavirus pandemic and even the Ukrainian conflict to attack both vulnerable businesses and individuals, holding their systems and files to ransom.
Many remain uninformed about the risks associated with using RDP and how it leaves their systems and devices vulnerable to attack. If you’re one of them, we’ve put together all the information you need to help protect your devices and networks from the threat of cybercriminals.
What is RDP?
RDP stands for Remote Desktop Protocol. It is an integral part of computer operating systems that allows users to connect to their devices remotely.
It’s a very useful feature. RDP allows those who work from home to access the computer in their office, and IT experts can fix a device from anywhere in the world, just as DocuSign alternatives free you up from having to be physically present to sign digital documents.
To log into a computer using RDP you find your device by typing in its internet address, then enter your username and password. Once you’re logged on, you can then access the computer, via the remote connection, in the same way as if it were sitting before you.
However, internet addresses (also known as IP addresses) can be found by anyone. This easy route to vulnerable computers is what makes RDP attacks so popular with cybercriminals.
The Worrying Increase In RDP Attacks
RDP came into its own in March 2020 with the onset of the coronavirus pandemic. Millions around the globe abandoned their offices to work remotely from home using cloud-based software like that from a business phone app provider.
Many large businesses were already protected against the threat of RDP attacks but countless more were not, and cybercriminals were ready, and eager, to take advantage of the millions now using RDP.
RDP attacks soared. According to Kaspersky, global attacks in March 2020 increased by 197% to 277.4 million, from 93.1 million in February. Only a year later, Kaspersky reported that for many countries that number had tripled, and for some it had increased tenfold.
RDP attacks have always been popular because they provide an easy way for attackers to take over a machine and gain complete control. With many companies planning to continue remote working, even when the risk from the coronavirus pandemic has reduced, cybercriminals will continue to take advantage of unprotected RDP ports.
It’s up to individuals and businesses to ensure they are doing all they can to minimize the risk of attack and protect their devices.
How Do RDP Attacks Occur?
Hackers use your IP address to locate a device and scan for any open RDP ports. They then use those ports to try to log on to that device by guessing the username and password.
This technique is called “brute force guessing”. Hackers use computer programs to guess passwords. If a guess is wrong, the program simply keeps going until it gets through.
These computer programs have been designed to break the most frequently used passwords, and unfortunately weak passwords are commonplace.
An entire criminal industry has grown around building programs to make RDP attacks easier. Hackers that use these programs to guess passwords usually do not keep the passwords they steal for themselves.
They are employed by other criminals or work freelance, selling the passwords they have stolen to those who will use them to break into your devices.
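As an added example (not from the original article), a defender's view of the guessing described above: a PowerShell function that reads the Windows Security log on the targeted host and counts failed RDP logons per source address. The cmdlets are standard Windows ones; the threshold and look-back window are assumptions to tune for your environment.

```powershell
# Added example (not from the original article): summarise failed RDP logons
# from the Windows Security log so a brute-force run against one host stands
# out. Event ID 4625 = "An account failed to log on"; LogonType 10 =
# RemoteInteractive (RDP). Needs an elevated session to read the Security log.

function Get-RdpBruteForceSummary {
    param(
        [int]$Hours = 24,                 # look-back window
        [int]$Threshold = 20,             # failures per source IP worth a look
        # With Network Level Authentication on, pre-session failures are often
        # logged as LogonType 3 with no source address; add '3' to see them.
        [string[]]$LogonTypes = @('10')
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Lift the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($LogonTypes -contains $d['LogonType']) {
            [pscustomobject]@{ SourceIp = $d['IpAddress']; Account = $d['TargetUserName'] }
        }
    }

    # One row per source address: how many failures, and how many different
    # usernames were tried. Many accounts from one IP is the spray signature.
    $rows | Group-Object SourceIp | ForEach-Object {
        [pscustomobject]@{
            SourceIp = $_.Name
            Failures = $_.Count
            Accounts = ($_.Group.Account | Sort-Object -Unique).Count
            Flagged  = ($_.Count -ge $Threshold)
        }
    } | Sort-Object Failures -Descending
}

# Only the sources that crossed the threshold; feed these to your firewall
# block-list or SIEM rather than eyeballing the raw log.
Get-RdpBruteForceSummary -Hours 24 -Threshold 20 |
    Where-Object Flagged | Format-Table -AutoSize
```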
Once they have unlimited access to your device or system, RDP attackers can:
- Access multiple endpoints connected to a single network. To access the system network for one company, they only need to hack into one computer and then use the network to infiltrate all the devices connected to that network.
- Deploy ransomware or malware. A common example is to lock the login screen for all users. A screen will appear, most often claiming to be a government authority, which displays the ransom fee and an email address. They include a demand for payment to release your device and the mode of payment to use.
- Uninstall antivirus and other security software, leaving your device vulnerable to other attacks.
- Deploy spyware to monitor how you use your device. They can use this to identify passwords for digital banking and social media and use them to hack into your accounts.
- Delete any system backups, both on the system and cloud. They could also wipe your entire system and steal data. This is particularly worrying for businesses that must adhere to data protection legislation regarding the personal data of their employees, customers, and business partners. A data breach will not bode well for their customer satisfaction (CSAT) scores.
- Disable the F8 startup key, preventing the device from being rebooted in safe mode.
- Change the system configuration setting and make the system more vulnerable to attacks from them, or others with malicious intent. This is often known as “leaving a backdoor open” for future use.
No one is safe from RDP attacks, be they individuals, small enterprises, or global giants. If you’ve ever asked what call waiting is, you’ll have learned that you receive an automatic notification when another call is incoming. Unfortunately, with RDP attacks you won’t get an alert that someone has infiltrated your system until it’s too late.
In February 2022, American NFL football team the San Francisco 49ers was a victim of ransomware when hackers stole company financial data. In the same month, hackers shut down the IT systems of the German oil company, Oiltanking Group. This, in turn, shut down gas stations across Germany, and even impacted oil giant, Shell.
RDP attacks can cause a great deal of damage, especially to businesses that must demonstrate legislative compliance if they wish to avoid paying the criminals and hefty fines.
How To Reduce The Risk Of An RDP Attack
While it’s impossible to protect your devices against every attack (let’s face it, cybercriminals are always looking for new ways to breach systems), you can take a proactive stance and minimize the risk of RDP attacks.
1. Do You Need It?
RDP is a useful protocol to help you remotely access your devices. However, it leaves your system vulnerable to attack. If you only use your device to access the banking cloud, think carefully about whether to use RDP.
You may think you’ve done everything you can to reduce the risk of a brute force attack. But, as previously mentioned, hackers are persistent, proactive, and always looking for new ways to find vulnerabilities and exploit them.
The simplest way to protect your device is to seal off that potential door. If you don’t need RDP, turn it off.
2. Limit User Access
The more users who have RDP access to your devices, the more potential access points are available to hackers.
Businesses that adopt remote working should establish robust digital security policies that only allow remote access to those who need it. Adopt the principle of least privilege: set up access levels that limit users to the system information they need to fulfill their role and nothing more. For example, your design team may need access to royalty-free images, but they don’t need access to personnel records. These policies should be regularly reviewed and updated to ensure they remain relevant.
You can also limit access to specific IP addresses. Authorizing certain IP addresses to access your RDP will automatically block unknown IP addresses and make it more difficult for hackers to infiltrate your system.
Reducing the number of users with RDP access (and the amount of information they have access to) reduces the number of potential points a hacker can use to try to access your system.
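Putting points 1 and 2 into practice on a Windows host, as an added example that is not part of the original article: the first function turns RDP off, the second keeps it but restricts TCP/3389 to an allow-list of addresses, and the third reports the resulting exposure so the change can be verified. The addresses are constructed placeholders.

```powershell
# Added example (not from the original article): if nobody needs RDP on a host,
# switch it off; if some people do, keep it but accept connections only from an
# allow-list of management addresses. Run from an elevated PowerShell session;
# on domain-joined hosts Group Policy may override these local settings.

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Disable-Rdp {
    # fDenyTSConnections = 1 makes the Remote Desktop service refuse sessions;
    # disabling the built-in "Remote Desktop" rule group closes the port too.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Restrict-RdpToAllowList {
    param(
        # Constructed placeholder addresses: replace with your jump host/subnet.
        [string[]]$AllowedSources = @('203.0.113.10', '192.0.2.0/24'),
        [int]$Port = 3389
    )
    # Retire the broad built-in rules so the allow-list is the only way in, then
    # add one inbound rule scoped to the listed sources. Everything else hits
    # the default inbound block.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    New-NetFirewallRule -DisplayName "RDP allow-list (TCP $Port)" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -RemoteAddress $AllowedSources `
        -Action Allow -Profile Any | Out-Null
}

function Test-RdpExposure {
    # Report the resulting state so the change can be verified and audited.
    $deny  = (Get-ItemProperty -Path $tsKey).fDenyTSConnections
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
        ForEach-Object {
            [pscustomobject]@{
                Rule    = $_.DisplayName
                Sources = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
            }
        }
    [pscustomobject]@{
        RdpAllowed   = ($deny -eq 0)
        Listening    = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
        InboundRules = $rules
    }
}

# Pick one per host, then confirm: Disable-Rdp   -or-   Restrict-RdpToAllowList
Test-RdpExposure | Format-List
```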
3. Use Strong Passwords
Even with the best cybersecurity software solutions, it’s easy for hackers to guess weak and commonly used passwords, but it’s also not easy to ensure your system users don’t use weak passwords.
At the end of the day, we’re all a bit lazy. We often use the same password for multiple accounts and don’t change them regularly enough. We also want something easy to remember, but it’s those passwords, like birthdays and names, that are commonly used and easy to guess.
Try to use moderately strong passwords: use words that are not in the dictionary, mix capitals and lowercase, and include numbers and symbols if you can. Don’t use a password featuring “Australia” for your account with an Australian domain name registrar.
It’s easier said than done, but businesses should actively encourage the adoption of strong passwords with their employees as the first line of defense.
4. Use Rate Limiting
If you can’t ensure the adoption of strong passwords, rate limiting will help strengthen your defense against RDP attacks.
You can use rate limiting to set the number of permitted login attempts. Computer programs that race through password guesses will be brought to a halt if you limit the number of attempts they can make before shutting them out, especially if you restrict it to a small number of failed attempts.
5. Use Multi-factor Authentication (MFA)
MFA can be time-consuming and quite expensive to adopt and support. However, adding that extra layer of user authentication can make it harder for hackers to infiltrate your system.
Many email providers require MFA when logging on, especially when using a new device. As well as your password, they also ask you to enter a six-digit code sent to another device, like a cell phone.
However, methods that do not require user interaction, such as hardware keys and client certificates, are the most robust and protective form of MFA.
6. Use A VPN
If you use a virtual private network, you add another level of defense to your system.
A VPN removes your devices from direct communication with the internet. It’s then up to the VPN to protect your point of access from hackers.
However, those persistent hackers have already begun to locate and exploit the vulnerabilities in VPNs, so it’s important to know your provider’s security measures and policies regarding RDP breaches on their software.
7. Use A Remote Desktop Gateway Server
As well as additional security, a remote desktop server can be useful if you become the victim of an attack. Remote servers log RDP sessions and can help to investigate any breaches. Intruders cannot modify or delete the sessions logged on a remote server.
8. Include Network Level Authentication (NLA)
NLA requests another security test, such as a word captcha, ticking the relevant pictures, or an ‘I am not a robot’ checkbox, before allowing access.
Layering the protection is key to outwitting the password guessing programs. The more layers a program must pass, the more likely it will give up and try another device.
Like those who argue about the differences between software development and manufacturing, you or your employees may argue about the additional levels that need to be passed before access will be permitted, but what are a few extra minutes of security checks compared to a six-figure ransom in return for access to your systems?
Here are a couple of extra things you can do to support the above measures; they should not be relied on alone.
Change The RDP Port
Every device has a default RDP port, numbered 3389. Though it will not stop a determined hacker from accessing your RDP, you may be able to reduce the number of attempted attacks by changing the port number.
Change The “Administrator” Username
Again, all device default administrators are given the username “Administrator” (or a local equivalent). As such, many programs are set to simply guess the password for the user named “Administrator”. Changing it to something obscure won’t necessarily protect you from attack, but it will make it harder.
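An added example, not from the original article, that applies the rate limiting from point 4, the NLA setting from point 8 and the two extra measures above on a standalone Windows host. The port number and account name are placeholders; on a domain member these settings come from Group Policy instead.

```powershell
# Added example (not from the original article): the lockout, NLA, port and
# account-name measures described above, applied to a standalone Windows host
# from an elevated PowerShell session. Domain-joined machines take these from
# Group Policy, which overrides local settings. Port and account name below are
# constructed placeholders.

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-LocalLockoutPolicy {
    param([int]$Threshold = 5, [int]$Minutes = 30)
    # N failures inside the window lock the local account for the duration,
    # which turns a fast guessing loop into a very slow one.
    net accounts "/lockoutthreshold:$Threshold" "/lockoutduration:$Minutes" "/lockoutwindow:$Minutes" | Out-Null
}

function Enable-Nla {
    # UserAuthentication = 1 is Windows' Network Level Authentication switch:
    # the client must authenticate before a desktop session is ever created.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
}

function Set-RdpPort {
    param([int]$NewPort)
    # Move the listener, open the new port, close the default 3389 rules.
    # The Remote Desktop service (TermService) must restart for this to apply.
    Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $NewPort -Type DWord
    New-NetFirewallRule -DisplayName "RDP on TCP $NewPort" -Direction Inbound `
        -Protocol TCP -LocalPort $NewPort -Action Allow | Out-Null
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Rename-BuiltinAdministrator {
    param([string]$NewName)
    # The built-in account keeps RID 500 whatever it is called, so select it by
    # SID rather than by a name that may already be localised or renamed.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    Rename-LocalUser -InputObject $admin -NewName $NewName
}

Set-LocalLockoutPolicy -Threshold 5 -Minutes 30
Enable-Nla
Set-RdpPort -NewPort 33890                 # placeholder port
Rename-BuiltinAdministrator -NewName 'localadm-x7'   # placeholder name
```

Changing the port only cuts down on untargeted scanning noise, as the section above says; the lockout and NLA settings are the parts that actually stall a guessing program.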
What If You’re Attacked?
If you do become the victim of an RDP attack you will need to assess what went wrong and implement more robust security protocols. Do not underestimate the impact of data breaches, especially for small businesses.
If you pay the ransom and retrieve your files you must check for any changes, hidden malware, and anything that may leave a backdoor open for future attacks.
By paying the ransom you have made yourself more vulnerable because the hackers know you’re willing to pay.
Time To Act
With such an increase in RDP attacks and the threat of ransomware, it makes sense to take action to help protect your vulnerable devices, whether you are an individual or an enterprise.
While it’s impossible to be prepared for every attack, especially when cybercriminals always seem to be one step ahead and willing to take advantage of every opportunity to scam their potential victims, there are steps you can take to help minimize the risk.
Grace Lau – Director of Growth Content, Dialpad
Grace Lau is the Director of Growth Content at Dialpad, an AI-powered cloud communications platform offering multi-line phone systems for small businesses and better, easier team collaboration. She has over 10 years of experience in content writing and strategy. Currently, she is responsible for leading branded and editorial content strategies, partnering with SEO and Ops teams to build and nurture content. Grace Lau has also published articles for domains such as UpCity and Soundstripe. Here is her LinkedIn.