Hackers Exploit Remote Desktop Protocol

The FBI has issued a warning about a major vulnerability in Windows-based computers, potentially allowing cybercriminals to take control of computers via the Remote Desktop Protocol.  Once remote control has been achieved, these criminals have the potential to deal substantial damage to the system and the surrounding network environment if left unchecked.

What is Remote Desktop Protocol?

In short, Microsoft’s Remote Desktop Protocol (RDP) allows a user to access a system from anywhere else on the network.  The remote user sees the target system’s desktop, opens files, and runs commands as if they were sitting in front of the machine itself.  This provides a number of advantages in today’s creative environment:

  • Artists may work from home and connect to your facility’s systems over the internet

  • Render farms are often managed via one system connecting remotely to individual nodes via the local network

  • Your friendly neighborhood IT team may provide remote support

When confined to a local network, RDP poses little threat to your business’s data; a criminal would still somehow have to gain access to your facility’s network in order to wreak havoc.  However, if improperly secured, systems with RDP enabled can be left open to the Internet, which becomes a major security vulnerability.

Threats Detected

Once a criminal has gained access to an RDP-enabled system, they are free to control that system with any permissions and privileges associated with the compromised login credentials.  This includes downloading, installing, and running software, allowing a criminal to inject any sort of malware or ransomware they wish.

Furthermore, these intrusions do not require any user input (unlike phishing attempts, which require the user to click or download the malware), making them especially difficult to detect.

There have already been a number of threats built on this attack vector:

CrySiS Ransomware: CrySiS ransomware primarily targets US businesses through open RDP ports, using both brute-force and dictionary attacks to gain unauthorized remote access. CrySiS then drops its ransomware onto the device and executes it. The threat actors demand payment in Bitcoin in exchange for a decryption key.

CryptON Ransomware: CryptON ransomware utilizes brute-force attacks to gain access to RDP sessions, then allows a threat actor to manually execute malicious programs on the compromised machine. Cyber actors typically request Bitcoin in exchange for decryption directions.

Samsam Ransomware: Samsam ransomware uses a wide range of exploits, including ones attacking RDP-enabled machines, to perform brute-force attacks. In July 2018, Samsam threat actors used a brute-force attack on RDP login credentials to infiltrate a healthcare company. The ransomware was able to encrypt thousands of machines before detection.

Dark Web Exchange: Threat actors buy and sell stolen RDP login credentials on the Dark Web. The value of credentials is determined by the location of the compromised machine, software utilized in the session, and any additional attributes that increase the usability of the stolen resources.

How to Protect Your Business

According to the FBI report, the biggest vulnerabilities that have opened up RDP-enabled systems to attack are:

Weak Passwords:  Any password using only a normal, in-the-dictionary word, without a mix of upper- and lower-case letters, numbers, and/or special characters, is vulnerable to brute-force or ‘dictionary’ attacks.  These attacks will simply try words from the dictionary one by one until they stumble upon the right one.

Outdated Versions of RDP:  Older versions of RDP use a compromised CredSSP encryption mechanism that hackers can use to intercept and modify information going to and from the remote system (referred to as a ‘man-in-the-middle’ attack).

Unrestricted Access to the Default RDP port (TCP 3389):  TCP 3389 is the port RDP uses for its communications, so leaving this port unsecured and open to the internet (most commonly done via port-forwarding) can give bad actors the access they need.

Allowing unlimited login attempts to a user account:  Related to the brute-force and dictionary attacks mentioned above, these attacks succeed because they’re allowed to try thousands of login attempts as they fish for the correct password.
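Each of the four weaknesses above corresponds to a setting on the host itself. The PowerShell script below is an added example, not a script from the original article or the FBI report; it applies the corrected setting for each weakness on a single Windows machine. The 10.0.0.0/8 source range, the lockout numbers, the password length and the log size are assumptions to replace with your own policy, and on a domain these settings belong in Group Policy rather than a per-host script.

```powershell
#Requires -RunAsAdministrator
# Added example for this article, not the FBI's or Nodal's own script. Each
# function closes one of the weaknesses listed above on a single Windows host.
# Assumptions: the office/VPN range is 10.0.0.0/8 (replace with your own) and
# the host is managed locally rather than through Group Policy.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"

function Disable-Rdp {
    # For systems that do not need remote access at all: refuse connections and
    # disable the firewall rule group that would otherwise accept port 3389.
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Enable-HardenedRdp {
    param([string[]]$AllowedSources = @('10.0.0.0/8'))   # assumed internal/VPN range

    # Outdated RDP / CredSSP weakness: require Network Level Authentication and
    # TLS, so the client must authenticate before a session exists and the
    # traffic to and from the system is encrypted.
    Set-ItemProperty -Path $ts  -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1   # NLA required
    Set-ItemProperty -Path $rdp -Name SecurityLayer      -Value 2   # TLS only

    # Open port 3389 weakness: accept RDP only from the internal/VPN ranges and
    # only on the Domain/Private profiles, never from 'Any' on a public network.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -RemoteAddress $AllowedSources -Profile Domain, Private
}

function Set-BruteForceDefences {
    # Unlimited login attempts / weak password weaknesses: lock an account for
    # 30 minutes after 5 failures within 30 minutes and require 14-character
    # passwords (numbers are assumptions; follow your own policy).
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 /minpwlen:14 | Out-Null

    # Make sure the logons a later review depends on are actually recorded, and
    # raise the Security log cap (1 GB here) so 90 days are not overwritten.
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
    wevtutil sl Security /ms:1073741824
}

function Test-RdpExposure {
    # Quick check: which enabled Remote Desktop rules still accept 'Any' source?
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
        Get-NetFirewallAddressFilter |
        Where-Object { $_.RemoteAddress -contains 'Any' } |
        ForEach-Object { "Exposed rule: $($_.InstanceID)" }
}

# Run Disable-Rdp instead of the two lines below on hosts that never need RDP.
Enable-HardenedRdp
Set-BruteForceDefences
Test-RdpExposure   # prints nothing once no rule accepts connections from 'Any'
```

Two-factor authentication is not something a registry edit turns on; it needs a gateway or agent in front of RDP, so it is deliberately absent here. After running the script, reconnect from an allowed address to confirm the NLA prompt appears before the Windows logon screen.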

This all may sound intimidating, but fortunately, the steps to take to secure your facility’s remote systems are similar to those guarding against other hacking attempts and malware.  If you’re already implementing good system security across your studio, chances are you’ve taken at least some of the recommended steps:

  • Enable strong passwords and account lockout policies to defend against brute-force attacks.

  • Apply system and software updates regularly.

  • Apply two-factor authentication, where possible.

  • Maintain a good back-up strategy.

  • Disable RDP on systems that do not require remote access.

  • Place systems with open RDP ports behind a firewall and require users to use a Virtual Private Network (VPN) to access your local network.

  • Enforce your company’s data access policies on any third parties that require RDP access.

  • Enable logging to capture RDP logins.  Keep these for at least 90 days and regularly review them to detect any unusual connection attempts.
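Reviewing those logins by hand is tedious once a host faces the Internet. The PowerShell below is an added example, not from the original article or the FBI report: it reads successful and failed logon events from the Windows Security log, groups them by source address, and flags any address with a burst of failures or a success that follows failures, which is exactly the pattern a dictionary attack leaves behind. The events at the bottom are constructed sample data using RFC 5737 documentation addresses, so the function can be exercised without a real Security log; the `Get-RdpLogonSummary` name and its parameters are this example's own.

```powershell
# Added example for this article, not a script from the FBI report or from Nodal.
# Summarises RDP logon activity from the Windows Security log so that brute-force
# attempts (many failures from one address, many usernames tried) stand out.
# Assumes logon auditing is on, so events 4624 (success) and 4625 (failure) exist.

function Get-RdpLogonSummary {
    param(
        [int]$Days = 1,               # how far back to read the Security log
        [int]$FailureThreshold = 10,  # failures from one address treated as suspicious
        [object[]]$Events = $null     # constructed events for offline use; live log if omitted
    )

    if (-not $Events) {
        $Events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4624, 4625
            StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue | ForEach-Object {
            # Read fields by name from the event XML rather than by positional index.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                User      = $data['TargetUserName']
                LogonType = [int]$data['LogonType']
                IpAddress = $data['IpAddress']
            }
        }
    }

    # Logon type 10 (RemoteInteractive) is a completed RDP session. With Network
    # Level Authentication, failed RDP attempts are usually recorded as logon
    # type 3 (network), so failures are counted whatever their type.
    $Events |
        Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object -Property IpAddress |
        ForEach-Object {
            $failures  = @($_.Group | Where-Object { $_.Id -eq 4625 })
            $successes = @($_.Group | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 })
            $ordered   = @($_.Group | Sort-Object Time)
            [pscustomobject]@{
                IpAddress    = $_.Name
                Failures     = $failures.Count
                UsersTried   = (@($failures | Select-Object -ExpandProperty User) | Sort-Object -Unique) -join ','
                RdpSuccesses = $successes.Count
                FirstSeen    = $ordered[0].Time
                LastSeen     = $ordered[-1].Time
                # A burst of failures, or a success following failures from the
                # same address, is what a reviewer should look at first.
                Suspicious   = ($failures.Count -ge $FailureThreshold) -or
                               ($failures.Count -gt 0 -and $successes.Count -gt 0)
            }
        } |
        Sort-Object Failures -Descending
}

# Constructed sample events (RFC 5737 documentation addresses) standing in for
# the Security log: twelve failed guesses from one address followed by a
# success, and one ordinary RDP logon from an internal workstation.
$base   = Get-Date '2018-10-01 02:00'
$sample = @()
foreach ($i in 0..11) {
    $sample += [pscustomobject]@{
        Time = $base.AddSeconds($i * 5); Id = 4625
        User = @('administrator', 'admin', 'render')[$i % 3]
        LogonType = 3; IpAddress = '203.0.113.45'
    }
}
$sample += [pscustomobject]@{ Time = $base.AddMinutes(2); Id = 4624; User = 'render';  LogonType = 10; IpAddress = '203.0.113.45' }
$sample += [pscustomobject]@{ Time = $base.AddHours(6);   Id = 4624; User = 'artist1'; LogonType = 10; IpAddress = '10.0.0.5' }

Get-RdpLogonSummary -Events $sample | Format-Table -AutoSize
# Live use on a host (run from an elevated prompt so the Security log is readable):
# Get-RdpLogonSummary -Days 7 -FailureThreshold 20 | Format-Table -AutoSize
```

On the constructed data the summary marks 203.0.113.45 as suspicious (12 failures across three usernames, then a success) and leaves 10.0.0.5 unflagged. Fields are pulled from the event XML by name rather than by position because the positional layout of 4624 and 4625 differs, and a success recorded against an address that was just failing is the line worth escalating even when the failure count stays under the threshold.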

By following common best practices for maintaining network security, you can confidently utilize RDP at your facility while minimizing the risk your data will be compromised.

If you have any questions about RDP and maintaining the security of your studio’s infrastructure, reach out to Nodal!  For more information on this topic, check out Small Business Trends’ article covering the FBI announcement.