Watch For Scams Newsletter. Remote desktop protocol
October 09, 2018
Hello

Remote Desktop Protocol

Watch For Scams is dedicated to helping you avoid becoming a victim of fraud.

If you like this ezine, do a friend a big favor and forward this to them. If a friend forwarded this to you, and if you like what you read, please subscribe by visiting the link below: Subscribe Here

Remote Desktop Protocol

Remote Desktop Protocol (RDP) is a proprietary Microsoft network protocol that lets a person control a computer, and everything on it, over a network, including the Internet. It transmits the user's mouse movements and keystrokes to the remote machine and sends the remote machine's screen back, giving the connecting party complete control of that desktop. Before a session is established, the connecting user must authenticate to the remote machine, normally with a username and password. An attacker who guesses or steals those credentials, or who intercepts the connection, gets exactly the same control and can drop malware or ransomware onto the remote system. Because attacks on an exposed RDP service need no action from anyone at the victim's keyboard (no link to click, no attachment to open), there is no user to notice anything wrong, which makes these intrusions difficult to detect.

VULNERABILITIES

1. Weak passwords – passwords made of dictionary words, or passwords that do not include a mixture of uppercase/lowercase letters, numbers, and special characters – are vulnerable to brute-force attacks and dictionary attacks.

2. Outdated, unpatched versions of RDP may use a flawed CredSSP, the authentication mechanism that protects the user's credentials during logon. The CredSSP flaw that Microsoft patched in March 2018 lets an attacker positioned between the client and the server (a man-in-the-middle) relay the logon and run code as the connecting user, so both the client and the server must be patched.

3. Allowing unrestricted access to the default RDP port (TCP 3389).

4. Allowing unlimited login attempts to a user account.
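The four weaknesses above can be checked on a Windows host in a few lines. The following script is an added example for this newsletter, not something from the original article or from Microsoft: it reads the standard Terminal Server registry keys, the CredSSP "Encryption Oracle Remediation" policy value, the host firewall rules that allow the RDP port, and the local account lockout policy, and prints a finding for each weakness it sees. It assumes the default listener name RDP-Tcp and must be run in an elevated PowerShell on the host being audited.

```powershell
# Added example (not from the newsletter): audit a Windows host for the four
# RDP weaknesses listed above. Run in an elevated PowerShell on the host.
# Assumption: the RDP listener uses the default name "RDP-Tcp".

$findings = @()

# Is RDP enabled at all, and on which port is it listening?
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$enabled = ($ts.fDenyTSConnections -eq 0)
"RDP enabled: $enabled (listener port $($rdp.PortNumber))"

if ($enabled) {
    # Weakness 2 (CredSSP): Network Level Authentication (UserAuthentication=1)
    # makes the client authenticate with CredSSP before any session exists, so
    # the logon screen is never exposed to unauthenticated clients.
    if ($rdp.UserAuthentication -ne 1) {
        $findings += 'Network Level Authentication is off; enable it so only authenticated clients reach the logon screen.'
    }
    # AllowEncryptionOracle: 0 = Force Updated Clients, 1 = Mitigated,
    # 2 = Vulnerable (re-enables the 2018 CredSSP man-in-the-middle weakness).
    $credssp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -ErrorAction SilentlyContinue
    if ($credssp -and $credssp.AllowEncryptionOracle -eq 2) {
        $findings += 'CredSSP Encryption Oracle Remediation is set to Vulnerable (2); patch both ends and set it to Force Updated Clients (0).'
    }

    # Weakness 3 (open port): any enabled inbound allow rule for the RDP port
    # whose remote address scope is "Any" exposes the service to every network.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
      Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$($rdp.PortNumber)" } |
      ForEach-Object {
          $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
          if ($remote -contains 'Any') {
              $findings += "Firewall rule '$($_.DisplayName)' allows RDP from Any; scope it to the VPN or management subnet."
          }
      }
}

# Weaknesses 1 and 4 (guessable passwords, unlimited attempts): the local
# lockout policy. "net accounts" prints "Lockout threshold: Never" when no
# lockout is configured, which means an attacker may guess forever.
$lockout = (net accounts | Select-String 'Lockout threshold').Line
if ($lockout -match 'Never') {
    $findings += 'Account lockout threshold is Never; set a threshold (for example 10 attempts) so brute force stalls.'
}

if ($findings.Count -eq 0) { 'No RDP findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

The lockout check reads the local policy only; on a domain-joined machine the effective policy comes from Group Policy, so compare the output with what the domain administrator expects. A clean run on a host that is not meant to offer RDP at all should still be followed by disabling the service, as suggestion 1 below says.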

EXAMPLES OF THREATS

CrySiS Ransomware: CrySiS ransomware primarily targets businesses through open RDP ports, using both brute-force and dictionary attacks to gain unauthorized remote access. CrySiS then drops its ransomware onto the device and executes it. The scammers demand payment in Bitcoin in exchange for a decryption key.

CryptON Ransomware: CryptON ransomware utilizes brute-force attacks to gain access to RDP sessions, then allows a scammer to manually execute malicious programs on the compromised machine. Scammers typically request Bitcoin in exchange for decryption directions.

SamSam Ransomware: SamSam operators use a wide range of techniques to get in, including brute-force attacks against RDP-enabled machines. In July 2018, SamSam scammers brute-forced RDP login credentials to infiltrate a healthcare company. The ransomware was able to encrypt thousands of machines before it was detected.

Dark Web Exchange: Scammers buy and sell stolen RDP login credentials on the Dark Web. The value of credentials is determined by the location of the compromised machine, software utilized in the session, and any additional attributes that increase the usability of the stolen resources.

SUGGESTIONS FOR PROTECTION

The use of RDP creates risk. Because RDP has the ability to remotely control a system entirely, usage should be closely regulated, monitored, and controlled. The following are best practices to protect against RDP-based attacks:

1. Audit your network for systems using RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.

2. Verify that cloud-based virtual machine instances with a public IP do not have open RDP ports, specifically port 3389, unless there is a valid business reason to do so. Place any system with an open RDP port behind a firewall and require users to use a Virtual Private Network (VPN) to access it through the firewall. On any host that must offer RDP, enable Network Level Authentication so that a client has to authenticate before a session is created.

3. Enable strong passwords and account lockout policies to defend against brute-force attacks.

4. Apply two-factor authentication, where possible.

5. Apply system and software updates regularly.

6. Maintain a good back-up strategy.

7. Enable logging and ensure logging mechanisms capture RDP logins (on Windows, the Security log records failed logons as event 4625 and successful logons as event 4624). Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts: many failed logons from one address, especially followed by a success from the same address, are the signature of a brute-force attack.

8. Ensure third parties that require RDP access are required to follow internal policies on remote access.
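Suggestion 7 is the one most people enable and never act on. The script below is an added example for this newsletter, not from the original article, of the review it calls for: it pulls the last 24 hours of logon events (4624 successes and 4625 failures) from the Security log, keeps the ones that came over the network or RDP, groups the failures by source address, and flags any address that also managed a successful logon. The 24-hour window and the threshold of 20 failures per address are assumptions to tune for your environment; the event IDs, logon types and field names are Windows' own.

```powershell
# Added example (not from the newsletter): review RDP logons in the Security
# log for brute-force activity. Run elevated on the RDP host.
# Assumed thresholds: 24-hour window, 20 failures from one source address.
$since     = (Get-Date).AddHours(-24)
$threshold = 20

# Pull the fields we need out of each event's XML payload.
function Get-LogonFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Id        = $Event.Id
        # 10 = RemoteInteractive (RDP session). With Network Level
        # Authentication on, failed RDP attempts are logged as type 3 (Network),
        # because the client never gets as far as a session, so keep both.
        LogonType = $d['LogonType']
        User      = $d['TargetUserName']
        Source    = $d['IpAddress']
    }
}

# 4625 = failed logon, 4624 = successful logon. Drop events with no source
# address ('-' is what Windows writes for local logons).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
          ForEach-Object { Get-LogonFields $_ } |
          Where-Object { $_.LogonType -in '3', '10' -and $_.Source -and $_.Source -ne '-' }

# Source addresses with many failures are the brute-force candidates.
$attackers = $events | Where-Object Id -eq 4625 |
             Group-Object Source | Where-Object Count -ge $threshold

foreach ($a in $attackers) {
    $users = ($a.Group | Select-Object -ExpandProperty User -Unique) -join ', '
    "$($a.Name): $($a.Count) failed logons since $since; accounts tried: $users"

    # A success from an address that was guessing passwords is the case to
    # escalate immediately: the guessing may have worked.
    $wins = $events | Where-Object { $_.Id -eq 4624 -and $_.Source -eq $a.Name }
    foreach ($w in $wins) {
        "  !! SUCCESSFUL logon from $($a.Name) as $($w.User) at $($w.Time) (logon type $($w.LogonType))"
    }
}
if (-not $attackers) { "No source address reached $threshold failed logons since $since." }
```

Failed logons only appear in the Security log when logon auditing is on (it is on by default for failures on current Windows versions, but confirm it with the Audit Logon policy). Run the review on a schedule and forward the output, or the raw events, to a central collector so an attacker who gains control of the host cannot simply clear the local log.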

If you believe you have been a victim of this type of scam you should promptly report it to the IC3's website at www.IC3.gov. The IC3's complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration.

Remember - always watch for scams!

Steve
