For many criminals, the fact that they can just buy remote desktop credentials means they don’t need to spend the time trying to develop their own attacks. With remote access, the network is their oyster.
Microsoft's Remote Desktop Protocol (RDP) is used legitimately by system administrators to connect to Windows systems remotely. IT support staff can connect to machines, troubleshoot issues, and fix problems without needing to go to where the systems are physically located. While a powerful administration tool, RDP becomes a powerful attack tool in criminal hands. Criminals can use the same remote access tool to control the targeted system and, from there, move through the rest of the network. Potential malicious activities include credential harvesting, account takeover, spam delivery, installing malware such as keyloggers and backdoors, and cryptocurrency mining, Flashpoint said.
“With direct access to a machine via RDP, attackers are spared the need to buy or develop malware and exploits, or put together and execute phishing campaigns,” wrote Flashpoint’s editorial director Mike Mimoso and cybercrime intelligence analyst Luke Rodeheffer. “This direct line to a compromised machine is coveted, and something that Flashpoint analysts believe will continue to be an area of interest and investment for threat actors.”
Successfully connecting to the RDP server gives attackers a lot of choices. They can download and execute malicious tools directly on the machine and disable or reconfigure installed security tools so that they can move around without detection. They can download tools to launch carding and fraud campaigns from the machine. Some markets advertise cryptocurrency mining botnets that come with RDP scanners and lists of IP addresses to target in brute-force attacks, Flashpoint said.
Many ransomware families are deployed over RDP. SamSam, for example, infected around 7,000 Windows computers and 1,900 servers at LabCorp earlier this year with ransomware after the attackers brute-forced an RDP server. Once inside, attackers can also look for other credentials for higher-privilege or administrator accounts in order to move throughout the network.
Criminal marketplaces may sell RDP credentials to already-compromised servers or provide tools that scan for exposed RDP instances and brute-force credentials for those instances. Other tools include software to modify logs to remove all traces of attacker activity as well as scripts that automate the entire process of scanning and brute-forcing vulnerable machines. Attackers are willing to pay for these tools because it is so much cheaper to target RDP than to try to put together phishing campaigns and other attacks in order to penetrate the network.
“RDP access can also be less expensive for a threat actor than using anonymizing technology,” Mimoso and Rodeheffer wrote.
Many organizations enable RDP on machines that don't need it, or don't restrict which accounts can log in via RDP. When those machines can be found by scanning tools or services like Shodan, they are at risk, especially if the accounts allowed to connect have weak passwords.
Modern versions of Windows let administrators set permissions, require Network Level Authentication (NLA) so that a client must authenticate before a session is created, and specify which accounts are allowed to log in over RDP. Administrators should make sure strong passwords are set for every account that can log in over RDP. If nothing else, moving away from guessable defaults such as "administrator/admin" will slow down brute-force attempts, and an account lockout policy slows them further. Two-factor authentication should be enabled, especially for administrator-level accounts. Putting the RDP instance behind a VPN also ensures it isn’t exposed directly to the Internet.
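The hardening steps above, as an added example that is not code from the article or from Flashpoint: an elevated PowerShell script for a single Windows host that turns on NLA and the TLS security layer, limits the Remote Desktop Users group to one approved group, scopes the RDP firewall rules to a VPN subnet, and sets an account lockout policy. The group name CORP\RDP-Admins and the subnet 10.50.0.0/24 are assumptions; replace them with your own.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's or Flashpoint's code): harden one Windows RDP host.
# Tested cmdlets exist on Windows Server 2012+/Windows 8+. Assumptions are labelled.

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Require Network Level Authentication (NLA): the client must authenticate before a
#    session or logon screen is created. Also require the TLS security layer (2) rather
#    than legacy RDP security (0) or negotiation (1).
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name 'SecurityLayer'      -Value 2 -Type DWord

# 2. Restrict which accounts can log in over RDP. By default only Administrators and
#    members of 'Remote Desktop Users' hold the "Allow log on through Remote Desktop
#    Services" right, so keep that group down to one approved group.
#    ASSUMPTION: CORP\RDP-Admins is a domain group you control.
$approved = 'CORP\RDP-Admins'
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Where-Object { $_.Name -ne $approved } |
    ForEach-Object {
        Write-Host "Removing $($_.Name) from Remote Desktop Users"
        Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_.Name
    }
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name
if ($members -notcontains $approved) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $approved
}

# 3. Do not expose TCP 3389 to the Internet: scope the built-in RDP firewall rules so that
#    only the VPN/management subnet can reach it. ASSUMPTION: 10.50.0.0/24 is the VPN pool.
#    (The display group is 'Remote Desktop' on English Windows; it is localized elsewhere.)
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress '10.50.0.0/24' -Enabled True

# 4. Account lockout makes brute forcing slow and noisy: lock after 5 failures for 30
#    minutes, resetting the failure counter after 30 minutes. On a domain member the
#    domain policy (GPO) overrides this local setting.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 5. Verify the end state.
Get-ItemProperty -Path $rdpTcp -Name UserAuthentication, SecurityLayer |
    Select-Object UserAuthentication, SecurityLayer
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, PrincipalSource
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Two-factor authentication is not something this script can switch on: it needs an MFA provider integrated at the VPN or gateway in front of RDP, or a credential provider on the host, and is best enforced at the VPN so that the password alone never reaches the RDP listener.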
Administrators should know which machines have RDP enabled, and should regularly monitor the server logs for unusual access behavior, unexpected connection attempts, and unknown sessions; that is what identifies RDP being abused.
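The inventory and monitoring described above, as an added example that is not code from the article or from Flashpoint: a PowerShell script run from a management host that asks each Windows machine whether RDP is enabled and NLA is on, then queries the Security log for brute-force patterns (many 4625 failures per source address) and for successful RDP logons (4624, logon type 10) from outside the expected subnet. The Active Directory host query, the 20-failure threshold and the 10.50.0.0/24 VPN subnet are assumptions.

```powershell
# Added example (not the article's or Flashpoint's code): inventory RDP exposure across hosts
# and look for brute-force and unknown-session patterns in the Security log.
# Run from a management host with WinRM access to the targets. Assumptions are labelled.

# 0. Logon auditing must be enabled for 4624/4625 to be written (once per host, elevated):
#    auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# 1. Inventory: which machines actually accept RDP? fDenyTSConnections = 0 means enabled.
#    ASSUMPTION: the host list comes from Active Directory; substitute your own inventory.
$targets = Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' |
    Select-Object -ExpandProperty Name
$rdpState = Invoke-Command -ComputerName $targets -ErrorAction SilentlyContinue -ScriptBlock {
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        RdpEnabled = ($ts.fDenyTSConnections -eq 0)
        Nla        = ($tcp.UserAuthentication -eq 1)
        Listening  = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    }
}
$rdpState | Where-Object RdpEnabled | Format-Table Host, Nla, Listening

# 2. Flatten a logon event's EventData into the fields the two queries below need.
function ConvertFrom-LogonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Id        = $Event.Id
        User      = $d['TargetUserName']
        Domain    = $d['TargetDomainName']
        LogonType = [int]$d['LogonType']
        Ip        = $d['IpAddress']
    }
}

$since = (Get-Date).AddHours(-24)

# 3. Brute force: many 4625 failures from one source address. With NLA on, a failed RDP
#    attempt is logged as LogonType 3 (the CredSSP/NTLM step), not 10, so count both.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-LogonEvent $_ } |
    Where-Object { ($_.LogonType -in 3, 10) -and ($_.Ip -notin '-', '127.0.0.1', '::1') }

# ASSUMPTION: 20 failures from one address in 24 hours is the alert threshold.
$failed | Group-Object Ip | Where-Object Count -ge 20 | Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIp';      e = { $_.Name } }, Count,
                  @{ n = 'DistinctUsers'; e = { @($_.Group.User | Sort-Object -Unique).Count } },
                  @{ n = 'FirstSeen';     e = { ($_.Group.Time | Measure-Object -Minimum).Minimum } } |
    Format-Table

# 4. Unknown sessions: successful RDP logons (4624, LogonType 10) from outside the VPN pool.
#    ASSUMPTION: only 10.50.0.0/24 should ever source an RDP session.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-LogonEvent $_ } |
    Where-Object { $_.LogonType -eq 10 -and $_.Ip -notlike '10.50.0.*' } |
    Format-Table Time, Domain, User, Ip
```

A high failure count against many distinct user names from one address is the signature of the automated scanning-and-brute-forcing tools the article describes; a single user name hammered from one address is more often a misconfigured client. On busy hosts, forward the Security log to a collector and run the two queries there rather than against each machine, and note that an attacker who has already gained access may have used the log-modifying tools mentioned above, so local logs alone are not a reliable record.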
“Despite heightened security measures, breaching networks and servers via RDP remains a major source of interest for the cybercriminal underground, with clear trends toward the automation of target detection and brute forcing,” Flashpoint said.
McAfee researchers found a number of RDP shops offering anywhere from 15 to more than 40,000 RDP connections for sale. Prices ranged from $3 for a simple configuration to $19 for a high-bandwidth system with administrator privileges, McAfee said. At one point, hacked servers from more than 170 countries could be found for sale on xDedic, an RDP-specific market exposed in 2016, Flashpoint said.
“Poorly configured RDP instances are no match for these tools,” Mimoso and Rodeheffer wrote.