FBI warns companies about hackers increasingly abusing RDP connections

Haythem Elmir

In a public service announcement published today by the US Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3), the FBI is warning companies about the dangers of leaving RDP endpoints exposed online.

RDP stands for the Remote Desktop Protocol, a proprietary technology developed by Microsoft in the 90s that allows a user to log into a remote computer and interact with its OS via a visual interface that includes mouse and keyboard input, hence the name "remote desktop."

RDP access is rarely enabled on home computers, but it's often turned on for workstations in enterprise networks or for computers in remote locations that system administrators need to access but can't reach in person.


In its alert, the FBI mentions that the number of computers with an RDP connection left accessible on the Internet has gone up since mid-to-late 2016.

This assertion from the FBI correlates with numbers and trends reported by cyber-security firms in the past few years. For example, just one company, Rapid7, reported seeing nine million devices with port 3389 (RDP) enabled on the Internet in early 2016, and that number rose to over 11 million by mid-to-late 2017.

Hackers, too, read cyber-security reports. Early warnings from the private sector about the increasing number of RDP endpoints caught hackers’ attention long before


For the past few years, there has been a constant stream of incident reports in which investigators found that hackers got an initial foothold on victims' networks through a computer with an exposed RDP connection.

Nowhere has this been more the case than in ransomware attacks. Over the past three years, there have been tens of ransomware families that were specifically designed to be deployed inside a network after attackers gained an initial foothold, which in many cases ended up being an RDP server.

Ransomware specifically designed to be deployed via RDP includes strains such as CryptON, LockCrypt, Scarabey, Horsuke, SynAck, Bit Paymer, RSAUtil, Xpan, Crysis, Samas (SamSam), LowLevel, DMA Locker, Apocalypse, Smrss32, Bucbi, Aura/BandarChor, ACCDFISA, and Globe.

Here's just one user recounting one event on Reddit where hackers broke in via RDP and launched ransomware that encrypted countless of the systems he administered.


There are three ways in which hackers usually tend to get in. The easiest way is when sysadmins enable RDP access on a server and don’t set up a password. Anyone accessing that computer’s IP address on port 3389 will be prompted by a login screen where they can log in just by pressing Enter.

The second way is derived from the first but requires attackers to either guess login credentials (via a brute-force attack) or use precompiled lists of common username-password combos (via dictionary attacks).
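Both of the credential-based methods above leave a recognisable trail on the targeted host: a burst of failed RemoteInteractive logons (Windows Security event 4625, logon type 10) from one source, sometimes followed by a success (event 4624). The detector below is an added example, not part of the original article; it runs over a constructed, flattened log format (timestamp, event id, logon type, account, source IP) rather than real Windows event XML, and the threshold, window and IP addresses are assumptions.

```python
"""Flag RDP credential guessing from simplified Windows Security log events.

Constructed sample data (not real telemetry). Each line is
timestamp,event_id,logon_type,account,source_ip where
4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2018-09-27T10:00:01,4625,10,administrator,203.0.113.7
2018-09-27T10:00:02,4625,10,admin,203.0.113.7
2018-09-27T10:00:03,4625,10,backup,203.0.113.7
2018-09-27T10:00:04,4625,10,sqlsvc,203.0.113.7
2018-09-27T10:00:05,4625,10,support,203.0.113.7
2018-09-27T10:00:06,4624,10,support,203.0.113.7
2018-09-27T10:05:00,4625,10,jdoe,198.51.100.4
2018-09-27T10:20:00,4624,10,jdoe,198.51.100.4
"""

THRESHOLD = 5                   # failures from one source IP (assumed tuning)
WINDOW = timedelta(minutes=2)   # counted within this sliding window (assumed)


def parse_events(text):
    """Parse the flat sample format into (time, event_id, logon_type, account, ip)."""
    events = []
    for line in text.splitlines():
        ts, eid, ltype, account, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), account, ip))
    return events


def detect_rdp_guessing(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: (failures_in_window, distinct_accounts, success_after_burst)}."""
    failures = defaultdict(list)    # ip -> [(time, account), ...] still inside the window
    findings = {}
    for ts, eid, ltype, account, ip in sorted(events):
        if ltype != 10:             # only RDP (RemoteInteractive) logons matter here
            continue
        if eid == 4625:
            failures[ip] = [f for f in failures[ip] if ts - f[0] <= window]
            failures[ip].append((ts, account))
            if len(failures[ip]) >= threshold:
                accounts = {a for _, a in failures[ip]}
                seen_success = findings.get(ip, (0, 0, False))[2]
                findings[ip] = (len(failures[ip]), len(accounts), seen_success)
        elif eid == 4624 and ip in findings:
            # a success from a source that already tripped the threshold: likely a guessed password
            count, accounts, _ = findings[ip]
            findings[ip] = (count, accounts, True)
    return findings
```

A single mistyped password from 198.51.100.4 is ignored; the five-account spray from 203.0.113.7 followed by a success is reported, which is the pattern to alert on and to answer with account lockout, MFA or removing the exposed listener.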

The third method also relies on mass-scanning the internet, but instead of guessing credentials, attackers deliver exploit code for known vulnerabilities in the RDP protocol. If the port is exposed, then hackers can exploit it.

According to Rapid7, between 2002 and early 2017, there have been 20 Microsoft security updates specifically related to RDP, updates that fixed 24 major vulnerabilities. Patches for RDP continued even after Rapid7 stopped counting, with the latest of these fixes being deployed this March for a flaw in CredSSP, one of the smaller protocols that make up the RDP package.


In an interview with ZDNet about the FBI's alert, Mark Dufresne, VP, Threat Research and Prevention at cyber-security firm Endgame, shared some of his dealings with the RDP threat.

"RDP has been baked into Windows for a very long time and has been abused by attackers since it became widely deployed," Dufresne told ZDNet.

"We can look at sources like greynoise.io to see that attackers are constantly looking for open RDP connections," he added. "Almost a thousand unique IPs were looking for RDP services listening on the default port each day over the past week."

Once attackers get in, it’s all fair game, unless they’re not careful and security products expose their presence.

But not all RDP compromises result in ransomware infections, data theft, or malicious behavior. Some of the people behind these RDP scans don't exploit the hacked systems themselves, at least not directly, and instead stockpile hacked RDP endpoints to sell online.

Since mid-2016, just about when cyber-security firms were noting a rise in RDP servers, a group of hackers set up xDedic, a web portal where they and other criminals could sell or buy these hacked and hoarded RDP systems.

Initially, it was said that xDedic provided crooks access to over 70,000 hacked RDP endpoints, but one year later, despite the media attention and attempts to take down the site, xDedic’s RDP server pool had gone up to 85,000.
