Hackers Are Exploiting Weak Remote Desktop Credentials

LONDON—A new report indicates that hackers are exploiting weak remote desktop protocol credentials.

Many enterprises use remote desktop protocol (RDP) to remotely administer their PCs and mobile devices.

But security experts warn that weak RDP credentials are in wide circulation on darknet marketplaces and increasingly used by ransomware attackers, Bank Info Security said.

Opportunistic attacks against RDP server and endpoint credentials "have been around for many, many years," Paul Pratley, head of investigations and incident response at MWR InfoSecurity in London, told Bank Info Security. Attackers now often use botnets to automatically search out Internet-connected devices with exposed RDP ports and then hammer them with brute-force username and password guesses until their attack tools find a match, he says. Many RDP credential harvesters will then sell this access to others.
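The scan-then-guess pattern Pratley describes leaves a recognizable trace on the target: a burst of failed logons from one source address, often cycling through common account names, sometimes followed by a success. The following detection logic is an added example written for this page, not code from the article, Bank Info Security or MWR. It runs over constructed Windows Security log records (event 4625 = failed logon, 4624 = successful logon; the timestamps, user names and IP addresses are invented) and flags any source IP that racks up a threshold of RDP logon failures inside a sliding time window, noting whether a successful logon from the same IP follows the burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log event IDs and the logon types relevant to RDP.
# LogonType 10 (RemoteInteractive) is classic RDP; when Network Level
# Authentication is enabled, failed RDP attempts usually surface as LogonType 3.
EVENT_FAILED, EVENT_SUCCESS = 4625, 4624
RDP_LOGON_TYPES = {10, 3}

# Constructed sample records (not taken from the article or from any real host):
# (timestamp, event_id, logon_type, target_user, source_ip)
SAMPLE_EVENTS = [
    # fast spray of common account names from one Internet address, then a hit
    ("2024-03-01T02:14:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2024-03-01T02:14:03", 4625, 10, "admin",         "203.0.113.7"),
    ("2024-03-01T02:14:05", 4625, 10, "Administrator", "203.0.113.7"),
    ("2024-03-01T02:14:08", 4625, 10, "backup",        "203.0.113.7"),
    ("2024-03-01T02:14:10", 4625, 10, "scanner",       "203.0.113.7"),
    ("2024-03-01T02:14:12", 4625, 10, "helpdesk",      "203.0.113.7"),
    ("2024-03-01T02:14:15", 4624, 10, "helpdesk",      "203.0.113.7"),
    # a user mistyping a password once from the LAN: not an attack
    ("2024-03-01T09:00:00", 4625, 10, "jsmith",        "10.0.0.25"),
    ("2024-03-01T09:00:09", 4624, 10, "jsmith",        "10.0.0.25"),
    # slow guessing through NLA (LogonType 3), one attempt per hour
    ("2024-03-01T10:00:00", 4625, 3,  "sa",            "198.51.100.4"),
    ("2024-03-01T11:00:00", 4625, 3,  "sa",            "198.51.100.4"),
    ("2024-03-01T12:00:00", 4625, 3,  "sa",            "198.51.100.4"),
    ("2024-03-01T13:00:00", 4625, 3,  "sa",            "198.51.100.4"),
    ("2024-03-01T14:00:00", 4625, 3,  "sa",            "198.51.100.4"),
]


def parse_event(record):
    """Turn one sample tuple into a dict with a real datetime.
    User names are lower-cased because Windows account names are case-insensitive."""
    ts, event_id, logon_type, user, ip = record
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "user": user.lower(), "ip": ip}


def detect_rdp_bruteforce(records, threshold=5, window_minutes=2):
    """Flag source IPs with >= threshold RDP logon failures inside a sliding
    window of window_minutes, and record whether a successful logon from the
    same IP follows the burst. Returns {ip: details} for flagged IPs only."""
    window = timedelta(minutes=window_minutes)
    events = sorted((parse_event(r) for r in records), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> every account name tried from that ip
    alerts = {}
    for ev in events:
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["ip"]
        if ev["event_id"] == EVENT_FAILED:
            users[ip].add(ev["user"])
            q = recent[ip]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:       # drop failures that aged out of the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {
                    "first_failure": q[0], "failures_in_window": 0,
                    "users_tried": users[ip], "success_after": False, "success_user": None})
                alert["failures_in_window"] = max(alert["failures_in_window"], len(q))
                alert["last_failure"] = ev["ts"]
        elif ev["event_id"] == EVENT_SUCCESS and ip in alerts:
            # a success right after a guessing burst is the case to escalate first
            alerts[ip]["success_after"] = True
            alerts[ip]["success_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, details in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, details)
```

With the default two-minute window only the fast spray from 203.0.113.7 is flagged, and it is flagged with a success on the "helpdesk" account, which is the alert to treat as a probable compromise rather than noise. The hourly trickle from 198.51.100.4 slips under that window; widening it to several hours catches it, at the cost of more benign hits, so the window is a tuning decision rather than a fixed constant. Because NLA moves failed RDP attempts to LogonType 3, a rule that only watches LogonType 10 misses exactly the hosts that are otherwise best configured.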

Stolen RDP credentials "used to be used to distribute things like DDoS (distributed denial-of-service) malware and bitcoin mining malware" inside enterprises, Pratley told Bank Info Security. Since late 2015, however, ransomware attackers have been increasingly using RDP, he pointed out.

"The enduring appeal of poorly secured RDP is easy to understand. The proprietary protocol developed by Microsoft provides graphical access to a client from a server via encrypted TCP traffic. Clients for RDP are available for most versions of Microsoft Windows, as well as Linux, Unix, macOS, iOS, Android and other operating systems. By default, an RDP server listens on TCP port 3389 and UDP port 3389," Bank Info Security said.

Poorly secured RDP gives hackers a potential entry point into enterprise networks, Bank Info Security said.

"Once a hacker secures login credentials for RDP access, he or she effectively owns the system where the RDP server is installed," stated Vitali Kremez, a cybercrime intelligence analyst for threat intelligence firm Flashpoint, in the Bank Info Security report. "In addition to being able to launch external attacks and move laterally within networks, attackers are then able to plant malicious software, exfiltrate data and/or manipulate network settings."

Copyright Holder: CUToday.info
Copyright Year: 2026
Is Based On:
URL: https://cuto-admin.flux5.ccplatform.net/Fresh-Today/Hackers-Are-Exploiting-Weak-Remote-Desktop-Credentials