Pierluigi Paganini September 30, 2018

The FBI Internet Crime Complaint Center (IC3) warns of cyber attacks exploiting Remote Desktop Protocol (RDP) vulnerabilities.

Remote Desktop Protocol (RDP) is a widely adopted protocol for remote administration, but it could dramatically enlarge the attack surface if it isn’t properly managed.

The FBI Internet Crime Complaint Center (IC3) and the DHS issued a joint alert to highlight the rise of RDP as an attack vector.

Attackers are exploiting this feature to access systems to deploy malware such as the SamSam ransomware.

“Malicious cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions over the Internet to compromise identities, steal login credentials, and ransom other sensitive information.” reads the alert issued by IC3.

“The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) recommend businesses and private citizens review and understand what remote accesses their networks allow and take steps to reduce the likelihood of compromise, which may include disabling RDP if it is not needed.”

Attackers can “infiltrate the connection” between the local and the remote machines and inject malware into the remote system. Experts warn that attacks using the Remote Desktop Protocol do not require user input, this makes intrusions difficult to detect.

The IC3 warns of the following vulnerabilities:

• Weak passwords
• Outdated versions of RDP may use flawed CredSSP that opens to man-in-the-middle attack.
• Allowing unrestricted access to the default Remote Desktop Protocol port (TCP 3389).
• Allowing unlimited login attempts to a user account.

The alert includes the audit of network for systems using RDP for remote communication, limiting the use of the Remote Desktop Protocol, keeping systems up to date, and implements multi-factor authentication wherever possible.

Pierluigi Paganini

(Security Affairs – IC3, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]