Cyber Attacks using RDP (Remote Desktop Protocol) are not new but they are on the rise. When you review why and what RDP was first developed for and then how it is being used, it is no wonder cyber criminals are using it in a cyber-attack.
First a quick refresher on RDP:
RDP is software that functions as a terminal service client device. It is for client to server session communication. It uses port 3389 and provides 64,000 separate channels for Data transmission. IT support network topologies such as ISDN, Pots, and LAN Protocols including IPX, NetBIOS and TCP/IP (Transmission Control Protocol/Internet Protocol). You can separate virtual channels for:
- Carrying Presentation
- Serial device communication
- Maps user clipboard, local drives, local ports, printing & encryption
- Licensing information
- Highly encrypted data including keyboard and mouse activity
- Supports Multipoint sessions
- Multi-Port delivery allows data from an application to be delivered in real Time to multi parties without having to send the same data to each session individually.
- Web designer use it for getting rid of load shedding and power loss
- RDP is used by Bloggers, encoders, uploaders and Torrent ie YouTube
- Runs 1 Gig internal and up to 646 Gb max
- RDP credentials have been stolen and placed on the DarkWeb (TOR) for sale
So when you look at the characteristics it is clear that criminals can use it as well.
Keep in mind, cyber-attacks are a process. The following cyber-attacks that use RDP are good examples.
- Attackers are using RDP Ports to take over machines or intercept RDP session as well as injecting various types of Malware into the system being remotely accessed.
- Compiler with RDP software on board are becoming victimized when activated using brute force to gain credentials ie username & passwords.
- SamSam Ransomware (Used Brute Force attacks along with other methods such as phishing attacks to gain entry into a computer)
- Crypton (Used Brute Force to gain access to RDP session & then threat actor manually executes malicious programs)
- CrySIS Ransomware (Used on computers with open RDP ports then Brute Force and dictionary attacks to gain unauthorized access)
Here is how one vendor called Barrier1 identifies and stops RDP-types of cyber attacks:
- RDP is a sensor onboard on every Barrier1
- Through Analytics stack (AARE engine) Barrier1 learns and uses behavior of RDP, Port numbers, activity to either allow or block
- Barrier1 identifies Brute Force attacks all types and learns and remember them. The attributes are added to the onboard dbase and used by the Deep Learning analytics
- All done in sub second time
Part of building an effective security stack of defence is to first understand how hackers conduct cyber-attacks. With this playbook in mind, set out to build your security stack to combat these attacks. The more that you understand what and how cyber attacks happen, the better you will be able to protect your company.