The Internet Crime Complaint Center (IC3) released a public service announcement at the end of September 2018, alerting companies about the risks of allowing RDP endpoints to be exposed online. The IC3, a division of The US Federal Bureau of Investigations (FBI), is sending out the alarm to U.S. businesses about their concerns that millions of RDP endpoints are visible online and susceptible to manipulation.
What is RDP?
RDP (Remote Desktop Protocol) is a Microsoft registered technology created in the 90s that permits a user to log into a remote computer and interact with its OS through a visual interface that gives the remote user access to its mouse and keyboard input. The remote desktop was designed for a computer technician to be able to help a customer who had limited or remote access.
RDP access is hardly ever enabled on home computers, but sometimes it is turned on for workplaces in enterprise networks or for computers situated in distant locations. RDP conveniently allows system administrators to access the computer, without physically having the computer in front of them.
Why is IC3 Concerned?
In its September press release, the FBI states that the number of computers with an RDP connection left open on the Internet has gone up dramatically since 2016. IC3 is observing numbers and trends by cyber-security firms in the past few years that are alarming.
ZDNet reported that Rapid7, a multi-product analytics and automation company, has seen nine million devices with port 3389 (RDP) opened on the Internet in early 2016, and then suddenly rose to over 11 million by the end of 2017.
Also, IC3 is seeing a steady stream of incident reports where hackers have acquired initial traction into victims’ networks through the computers with an open RDP connection.
The Rise of Ransomware Attacks
Over the past three years, a cluster of ransomware families were particularly designed to access a network by hackers who jumped in through an open RDP server.
Ransomware particularly designed to be infiltrated via RDP involves strains such as LockCrypt, Horsuke, CryptON, SynAck, Scarabey, Bit Paymer, Xpan, RSAUtil , Crysis, Samas (SamSam), Globe, DMA Locker, Apocalypse, LowLevel, Bucbi, Aura/BandarChor, Smrss32 and ACCDFISA.
How Do Companies Secure Themselves Before It’s Too Late?
IC3 has collaborated with the Department of Homeland Security (DHS) and published a report for companies to use to ensure RDP security.
Six Ways to Improve the Security of Network Infrastructure Devices
The National Cybersecurity and Communications Integration Center (NCCIC) has published six security measures for companies to ensure safety for their network.
Security engineers should study the overall layout of their framework, which includes both segregation and segmentation. A successful security tool for accurate network segmentation is to stop a hacker from spreading abuses or the ability to laterally move through an internal network. If the network is inadequately segmented, intruders can easily spread their control of analytical devices as well as obtain entrance into sensitive data. A securely segregated network can restrict malicious incidences and reduce the effect that intruders can have if they gain a foothold inside the network.
Permitting unprotected communications between colleagues involving a workstation-to-workstation situation sets up grave weaknesses. This can permit a network hacker easy access to spread their attack to multiple systems. Once penetrated, the attacker can create backdoor manipulation throughout the network. When a hacker has backdoor access, they have an easier time of maintaining their presence inside the network and keeping users from removing the intruder.
A basic way to boost a company’s network infrastructure security is to protect networking devices with secure designs. The best practice for a company is to implement the recommendations that government agencies, organizations, and vendors resource. Their guidance allows a business to be safe and stay within site security policies, and industry practices.
A company can give administrative freedom to allow specific users access to data and resources that are not broadly obtainable by the general public or all employees. Limiting these administrative privileges for infrastructure tools is vital for security because hackers will infiltrate administrative privileges that are inadequately approved.
Ways to secure access for infrastructure devices include having a multi-factor authentication process to confirm a user’s identity and closely monitor and manage the user’s access.
Out-of-Band (OoB) management incorporates different contact paths that remotely manage your network infrastructure devices. These devoted communication paths can differ in configuration to involve areas such as physical separation and virtual tunneling. In applying for OoB access, it will strengthen your security by restricting access and dividing user traffic from the network management traffic.
Products purchased and downloaded through unauthorized channels are more than likely a reproduction or inferior in their use. Several media outlets have reported the use of grey market hardware and software in the workplace. Unlawful hardware and software cause the users’ information to be at risk. Because they have not been carefully tested to meet superior standards, grey market products can present risks to the network. These risks can lead to breaches in the supply chain and allow opportunities for malicious software and hardware to be installed unbeknownst to the user. Compromised hardware and software can affect the network and give away the confidential and valuable information. Companies should regularly check the integrity of software.