RDP Increasingly Abused in Attacks: FBI

Cyberattacks leveraging the remote desktop protocol (RDP) have been on the rise for the past couple of years, fueled by the emergence of dark markets selling RDP access, the Federal Bureau of Investigation (FBI) warns.

Malicious actors have created new methods of identifying and exploiting vulnerable RDP sessions over the web and both businesses and private users should take steps to reduce the likelihood of compromise, a joint alert from the FBI and Department of Homeland Security (DHS) reads.

RDP provides users with the ability to control a remote machine over the Internet. While authentication with a username and password is required to establish a remote desktop connection, attackers can infiltrate such connections and inject malware onto the remote system.

Assaults that abuse RDP do not require user input and the intrusion is difficult to detect. By abusing RDP sessions, malicious actors can compromise identities, steal login credentials, and ransom other sensitive information, the alert reads.

To perform RDP attacks, hackers target weak passwords (those which contain dictionary words or do not include a mixture of uppercase/lowercase letters, numbers, and special characters) and flaws in outdated versions of RDP, but also abuse unrestricted access to the default RDP port (TCP 3389) and unlimited login attempts to a user account.

Some of the threats known to abuse RDP include the CrySIS ransomware (primarily targeting US businesses, it demands a payment in Bitcoin in exchange for a decryption key), CryptON ransomware (which allows actors to manually execute malicious programs on the compromised machine), and Samsam ransomware (which is estimated to have generated over $6 million in revenue to its operator).

“Threat actors buy and sell stolen RDP login credentials on the Dark Web. The value of credentials is determined by the location of the compromised machine, software utilized in the session, and any additional attributes that increase the usability of the stolen resources,” the FBI alert reads.

Because the use of RDP creates risk, given the ability to remotely control a system entirely, the FBI and DHS recommend closely regulating, monitoring, and controlling usage. This includes auditing networks for systems using RDP and disabling the service where it is not needed.

Businesses should also verify that cloud-based virtual machine instances with a public IP do not have open RDP ports unless needed, and should place systems with an open RDP port behind a firewall. Furthermore, they should require the use of a Virtual Private Network (VPN) for RDP access.

The use of strong passwords and account lockout policies should help defend against brute-force attacks, as should two-factor authentication. Keeping systems and software updated should eliminate known vulnerabilities, while a good backup strategy ensures that systems can be restored quickly in case of an attack.

Organizations should also enable logging to capture RDP logins, adhere to the cloud provider’s best practices for remote access when creating cloud-based virtual machines, and require third parties follow internal policies on remote access.

The FBI and DHS also recommend that businesses minimize network exposure for all control system devices and remove RDP from critical devices where possible, as well as regulate and limit external-to-internal RDP connections.
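The alert's points about unlimited login attempts and about enabling logging to capture RDP logins go together: once logon events are collected, a short detector can surface the brute-force pattern the alert describes. The following is an added example, not code from the FBI/DHS alert or from SecurityWeek. It assumes a constructed, simplified pipe-delimited export of Windows Security events (IDs 4625 for a failed logon and 4624 for a successful one, filtered to logon type 10, which Windows uses for RemoteInteractive, i.e. RDP sessions); a real export would be EVTX or XML and would need a different parser. The constants THRESHOLD and WINDOW are illustrative choices, not values from the alert.

```python
"""Flag RDP brute-force activity in a simplified Windows Security log export.

Added example: parses constructed sample lines, keeps only logon type 10
(RemoteInteractive / RDP), counts failed logons (4625) per source IP inside a
sliding time window, and escalates when a successful logon (4624) from a
flagged source follows the failures, which is what a guessed password looks
like in the log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data in "timestamp|event_id|logon_type|user|src_ip" form.
# 203.0.113.7 sprays several accounts and then gets in as jsmith;
# 198.51.100.4 is a user who mistyped once; the logon-type-3 line is not RDP.
SAMPLE_LOG = """\
2018-09-27T10:00:01|4625|10|administrator|203.0.113.7
2018-09-27T10:00:02|4625|10|admin|203.0.113.7
2018-09-27T10:00:03|4625|10|backup|203.0.113.7
2018-09-27T10:00:04|4625|10|sqlsvc|203.0.113.7
2018-09-27T10:00:05|4625|10|jsmith|203.0.113.7
2018-09-27T10:00:06|4625|10|jsmith|203.0.113.7
2018-09-27T10:00:09|4624|10|jsmith|203.0.113.7
2018-09-27T10:05:00|4625|10|alice|198.51.100.4
2018-09-27T10:05:30|4624|10|alice|198.51.100.4
2018-09-27T10:06:00|4625|3|svc|203.0.113.9
"""

RDP_LOGON_TYPE = "10"          # Windows logon type for RemoteInteractive (RDP)
THRESHOLD = 5                  # illustrative: failures per source before flagging
WINDOW = timedelta(minutes=10) # illustrative: sliding window for counting


def parse_events(text):
    """Parse the constructed export, keeping only RDP (logon type 10) events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src_ip = line.split("|")
        if logon_type != RDP_LOGON_TYPE:
            continue
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "user": user,
            "src_ip": src_ip,
        })
    return events


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: finding} for sources exceeding the failure threshold.

    A finding records the failure count inside the window, the set of
    usernames tried, and whether a successful logon followed (and as whom).
    """
    recent = defaultdict(deque)   # src_ip -> deque of (time, user) failures
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        q = recent[ev["src_ip"]]
        # Drop failures that have aged out of the sliding window.
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        if ev["event_id"] == "4625":
            q.append((ev["time"], ev["user"]))
            if len(q) >= threshold:
                f = findings.setdefault(ev["src_ip"], {
                    "failures": 0, "users": set(), "success_after": False,
                })
                f["failures"] = len(q)
                f["users"] = {u for _, u in q}
        elif ev["event_id"] == "4624" and ev["src_ip"] in findings:
            # Success after a flagged run of failures: treat as likely compromise.
            findings[ev["src_ip"]]["success_after"] = True
            findings[ev["src_ip"]]["success_user"] = ev["user"]
    return findings


def report(findings):
    """Render findings as one line per flagged source."""
    lines = []
    for ip, f in sorted(findings.items()):
        status = "SUCCESS after failures as %s" % f["success_user"] if f["success_after"] else "no success"
        lines.append("%s: %d failed RDP logons across %d accounts, %s"
                     % (ip, f["failures"], len(f["users"]), status))
    return lines


if __name__ == "__main__":
    for line in report(detect_rdp_bruteforce(parse_events(SAMPLE_LOG))):
        print(line)
```

The success-after-failures escalation is the detail worth keeping in any production version: a lockout policy stops the spray, but a source that was flagged and then logged in is the case that needs an incident response rather than just a blocked IP.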

Related: Hacker Offers Access to Machine at International Airport for $10

Related: RDP Tops Email for Ransomware Distribution: Report


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
