Back To The Blog

RDP Exploits & Ransomware - A Cyber Criminal's Favorite Attack

Cybersecurity Ransomware/Malware / February 07 , 2022

3 Key Takeaways About RDP Security and Vulnerabilities

  • Remote desktop protocol (RDP) is great for troubleshooting computer user problems, but cyber criminals can easily exploit it to distribute ransomware.
  • COVID has exponentially increased network security problems because so many employees are working from home, unknowingly exposing RDP entry points to threat actors.
  • The best way to stop cyber criminals from accessing networks is to layer security measures around a virtual private network (VPN) secured with multi-factor authentication.

It’s no secret cybersecurity professionals spend a lot of time playing catch-up to close digital vulnerabilities to would-be attackers. RDP ransomware attack remains one of the most effective, widespread attack methods. A business is targeted approximately every 11 seconds.

These attacks can lead to monetary extortion, data loss, service downtime, and the destruction of hard-earned public trust.

Cyber criminals consistently favor exploiting RDP to propagate ransomware. To better understand RDP security concerns, risks, and safety measures, we recently sat down with leading cyber incident response forensic expert and TracePoint CEO Chris Salsberry.

What Does RDP Mean? And What Does It Do?

RDP stands for Remote Desk Protocol. RDP is a function Microsoft has built into its operating systems since the 1990s. It enables remote access to a PC or server and all of its tools, files, and software.

It is intended for IT support personnel to use to remotely access machines while troubleshooting and resolving operability issues. Staff working remotely also use the RDP function to access internal networks and work environments.

RDP is a Windows-only feature. It must be enabled on the remote server or PC in order to work. Remotely controlling a machine, a user can, among other tasks:

  • Install programs
  • Alter, delete, or extract data
  • Activate or disable settings

While these capabilities are extremely useful in certain scenarios, they also introduce vulnerabilities allowing criminals to take over machines and attack enterprise networks.

How Does a Cyber Criminal Exploit RDP Vulnerabilities and Gain Access to an Open Port?

As Mr. Salsberry explained during our discussion, unauthorized users gaining access to a machine via an unsecured RDP port is equivalent to them owning the machine. They are free to make any changes they like.

A threat actor can use various methods to gain access to an unsecured RDP port left open on the public internet. Among both the cybersecurity and hacker communities, it’s common knowledge UDP and TCP ports 3389 are RDP’s default listening ports. They’re the first places an attacker would look for vulnerabilities.

However, as Mr. Salsberry pointed out, simply changing the default ports offers little protection. Threat actors can scan each IP address’s entire port range to find and exploit unsecured ports.

Once they identify an opening, cybercriminals can use brute force and dictionary tactics to gain access to the machine and the network to which it’s connected. Bad actors may directly attack enterprise local area networks (LAN) to gain access to a server, or may attack an employee’s individual machine and then the network.

Once they gain access to the corporate network, attackers can push out ransomware to any connected computer.

Find out how to respond to ransomware attacks.

How Have COVID-19 Remote Work Scenarios Increased Cyber Risk?

The COVID-19 global health crisis has brought greater cybersecurity risks.

Government lockdowns affected 2.7 billion people around the world, according to Deloitte. In May 2020, 63% of the American workforce was working from home. Organizations have quickly pivoted to operate remotely, but the secure network environments and security practices used in office environments have been slower to keep up.

Many more workers now use RDP to remotely access their in-office work environment from unsecured home networks. Cyber criminals are taking advantage through increased RDP ransomware attacks.

Incoming cyber threats increased sixfold in the global pandemic’s first month, according to Info Security Magazine. In April and May of 2020, attempted brute force attacks rose to 100,000 per day, up from 40,000 during December 2019 through February 2020.

Organizations must take proactive security measures to fend off this growing number of incoming threats. This includes developing an easily accessible incident response plan for senior management, like Breach Plan Connect.

Safely Deploy Your RDP And Secure Your Work Environments

Male IT security team member sits at desk using computer monitor to check for RDP vulnerabilities.

According to Mr. Salsberry, the best way to deny criminals unauthorized access to enterprise networks is to not leave RDP ports open on the public internet. Instead:

  • Use a company-supplied virtual private network (VPN) to access any business systems, including the RDP.
  • Secure access to enterprise IT environments through the VPN with multi-factor authentication.
  • Activate the RDP itself using further independent authentication measures.

Additional security measures to proactively detect and prevent incoming threats include:

  • Having a security incident management system.
  • Using the Syslog monitoring solution to identify irregular logins.
  • Installing password-protected endpoint security software on devices.
  • Disabling RDPs not in use and closing port 3389.
  • Updating and patching all software and operating systems.
  • Training employees on best cybersecurity practices.

The Best RDP Security Practices are Multi-layered to be Most Effective

During times of increased risk from RDP ransomware attacks, it’s all the more important to stay vigilant about incoming threats from cyber criminals and protect business continuity.

From training employees on basic cybersecurity practices to enabling access to enterprise networks through multi-factor VPNs only, taking a multi-layered approach to RDP security concerns is the best way to fend off cyber attacks. Address vulnerabilities that may allow cyber criminals to remotely control machines and gain a foothold for attacking enterprise networks.

To learn more about bolstering your organization’s cybersecurity with an incident response plan, contact NetDiligence today.


Mark Greisiger

Mark Greisiger

Tags

Related Blog Posts

Download 2021 Cyber Claims Study

The annual NetDiligence® Cyber Claims Study uses actual cyber insurance reported claims to illuminate the real costs of incidents from an insurer’s perspective.

Download

© 2022 NetDiligence All Rights Reserved.