
Why Compromised RDP Endpoints Are Heavily Used by Ransomware Groups

by CISOCONNECT Bureau

Some ransomware groups have relied heavily on compromised RDP endpoints to target organizations. Read on to learn more.

Remote Desktop Protocol (RDP) is one of the most widely used technologies for connecting to remote systems today. Millions of systems have RDP ports exposed online, which makes RDP a massive attack vector for ransomware operators.

RDP – Most Common Intrusion
Reports from Coveware, Emsisoft, and Recorded Future clearly put RDP as the most popular intrusion vector and the source of most ransomware incidents in 2020.

Statistics from Coveware, a company that provides ransomware incident response and ransom negotiation services, also support this assessment: the company firmly ranks RDP as the most popular entry point for the ransomware incidents it investigated this year.

According to Recorded Future, RDP is the most common intrusion method used by threat actors — to gain access to Windows computers and install malware — for most ransomware attacks in 2020. Cybercriminals scan the internet for RDP endpoints and then conduct brute-force attacks against many systems, trying to crack user credentials. Systems with weak usernames and passwords are compromised and put up for sale on RDP shops — websites where access to hacked systems is sold to other attackers.

Working Mechanism
Though RDP can be exploited in several ways, attackers mostly rely on RDP systems that are already exposed. First, they use open source port-scanning tools to find exposed RDP ports online, then try to gain access to a system using brute-force tools or stolen credentials purchased on black markets. Once attackers gain access to the target system, they weaken the network by deleting backups, disabling antivirus software, or changing configuration settings. After disabling the security controls and leaving the network vulnerable, attackers deliver malware payloads. This stage involves installing ransomware, using infected machines to distribute spam, deploying keyloggers, or installing backdoors for use in future attacks.
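As an added illustration from the defender's side (not code from the original article), the following Python detection logic flags the brute-force stage described above in Windows Security event logs: a burst of failed RDP logons (Event ID 4625, logon type 10) from one source inside a short window, escalated when a successful logon (Event ID 4624) from the same source follows. The log lines are constructed samples, and the simplified line format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Windows Security Event IDs:
# 4625 = failed logon, 4624 = successful logon; logon type 10 is
# RemoteInteractive, i.e. an RDP session. Format is simplified for the example.
EVENTS = [
    "2020-11-02T03:14:01 4625 LogonType=10 User=administrator Src=203.0.113.7",
    "2020-11-02T03:14:03 4625 LogonType=10 User=admin Src=203.0.113.7",
    "2020-11-02T03:14:05 4625 LogonType=10 User=backup Src=203.0.113.7",
    "2020-11-02T03:14:08 4625 LogonType=10 User=administrator Src=203.0.113.7",
    "2020-11-02T03:14:10 4625 LogonType=10 User=sqlsvc Src=203.0.113.7",
    "2020-11-02T03:14:12 4624 LogonType=10 User=sqlsvc Src=203.0.113.7",
    "2020-11-02T03:20:00 4625 LogonType=10 User=alice Src=198.51.100.9",
    "2020-11-02T03:25:00 4624 LogonType=10 User=alice Src=198.51.100.9",
    "2020-11-02T04:00:00 4625 LogonType=3 User=alice Src=198.51.100.9",
]

def parse(line):
    """Split one simplified event line into its fields."""
    ts, eid, lt, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "id": int(eid),
            "type": int(lt.split("=")[1]),
            "user": user.split("=")[1], "src": src.split("=")[1]}

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src: verdict} for sources with >= threshold failed RDP logons
    inside a sliding window. The verdict is 'brute_force', or
    'brute_force_then_success' if a 4624 from the same source follows the burst."""
    failures = defaultdict(list)
    alerts = {}
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        if ev["type"] != 10:
            continue  # only RDP (RemoteInteractive) logons matter here
        src = ev["src"]
        if ev["id"] == 4625:
            failures[src].append(ev["ts"])
            # drop failures that fell out of the window relative to this event
            failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
            if len(failures[src]) >= threshold:
                alerts.setdefault(src, "brute_force")
        elif ev["id"] == 4624 and src in alerts:
            alerts[src] = "brute_force_then_success"
    return alerts

if __name__ == "__main__":
    print(detect_rdp_bruteforce(EVENTS))  # → {'203.0.113.7': 'brute_force_then_success'}
```

A single user failing once and then logging in normally (198.51.100.9) stays below the threshold, and non-RDP logon types are ignored so that file-share or service failures do not trigger the RDP rule.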

Recent RDP Attacks
Researchers at Group-IB have identified Iran-based low-skilled hackers that find victims by scanning IP addresses on the internet for exposed RDP connections. These hackers were found deploying Dharma ransomware to target companies in China, Russia, Japan, and India.

Recently, Nuspire spotted a resurfaced attacker, dubbed TrueFighter, who is known to steal RDP credentials or access and then sell them on the dark web. Active in various underground communities, TrueFighter specializes in selling compromised RDP accounts that provide remote administrative access to the networks of victim organizations.

Concluding Points
Even if all the safety guidelines are followed, weaknesses that can be exploited may remain in RDP. No organization wants to introduce such weaknesses into its network if there is no actual need for them, and the aftermath could be devastating without an effective backup strategy. It is advisable to always be on the lookout for such potential threats that could be used to infiltrate an organization's network.
