Microsoft’s Remote Desktop Protocol (RDP), a popular tool among IT system administrators, is an increasingly attractive method of attack that allows cybercriminals to remain undetected, according to cybersecurity firm Vectra.
RDP, which has been around since 1996, is used by IT system administrators to control and manage remote computers.
However, when these tools are misconfigured, malicious hackers can use them to perform reconnaissance and move around the network undetected before exfiltrating data or delivering a harmful payload.
Between January and June this year Vectra, which uses artificial intelligence to spot suspicious activity on a network, detected 26,800 “suspicious” RDP behaviours among its customers, spread across more than 350 deployments.
According to Vectra, 90% of these organisations showed signs that RDP was being used as an attack method.
“Things like Remote Desktop are so prevalent, and it’s pervasive across industry,” said Chris Morales, head of security analytics at Vectra. “It’s a file-less attack. They’re no longer using malware, they’re no longer doing things that can be discovered. They’re now using backend administrative systems that clearly exist everywhere.”
Because the attack method exploits a legitimate administrative tool, it makes detection more difficult. Or, as Morales puts it: “They’ve managed to reduce the noise of lateral movement from what it used to be.”
RDP: The ransomware risk
Morales added that the exploitation of administrative management tools could be at play in the current spate of ransomware attacks in the US, in which local governments, such as those in Texas, have been crippled.
“The whole thesis I have is that ransomware works because attackers have pivoted to using administrative management tools that exist everywhere,” Morales told Verdict. “And they now know how to tap into that.”
Cybercriminals can use freely available tools to scan for devices with exploitable RDP vulnerabilities and then execute the attack, he explained.
One previously documented RDP exploit is BlueKeep, which was first documented in May this year by the UK’s National Cyber Security Centre. Microsoft has since released patches to mitigate against BlueKeep.
Organisations most targeted
The most RDP detections were observed among manufacturing and finance organisations, followed by retail, government and healthcare.
Manufacturing, finance and insurance, and retail accounted for just under half of all RDP detections.
Organisations can defend against RDP attacks by limiting access to remote desktop management and making sure that only those who really need access to it have it. In addition, they can use strong authentication and monitor for suspicious behaviour.
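As an added illustration of the last two defences, limiting RDP access to an approved set of accounts and source hosts and monitoring for suspicious behaviour, here is a small Python script (not code from Vectra or from the report) that runs two checks over a constructed set of RDP session records: it flags sessions whose account or originating host is not on the allow-list, and it flags a source host that opens RDP sessions to many distinct destinations in a short window, the fan-out pattern of lateral movement that Morales describes as hard to spot when the tool is legitimate. The event fields, allow-lists, window and threshold are all assumptions chosen for the example; in practice the records would come from Windows logon events or network sensors.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample RDP session records (not real data from the report).
# Fields: timestamp, source host, destination host, account.
SAMPLE_EVENTS = [
    ("2019-06-03T09:00:00", "admin-ws01", "srv-file01", "corp\\jdoe"),
    ("2019-06-03T09:05:00", "admin-ws01", "srv-db02", "corp\\jdoe"),
    ("2019-06-03T02:10:00", "ws-0457", "srv-file01", "corp\\svc_backup"),
    ("2019-06-03T02:11:00", "ws-0457", "srv-db02", "corp\\svc_backup"),
    ("2019-06-03T02:12:00", "ws-0457", "srv-ad01", "corp\\svc_backup"),
    ("2019-06-03T02:13:00", "ws-0457", "srv-web03", "corp\\svc_backup"),
    ("2019-06-03T02:14:00", "ws-0457", "srv-erp01", "corp\\svc_backup"),
]

# Hypothetical allow-lists: who may use RDP, and from which jump hosts.
ALLOWED_RDP_ACCOUNTS = {"corp\\jdoe", "corp\\asmith"}
ALLOWED_SOURCE_HOSTS = {"admin-ws01", "admin-ws02"}


def parse(events):
    """Convert ISO timestamps to datetime objects; other fields stay as-is."""
    return [(datetime.fromisoformat(ts), src, dst, acct) for ts, src, dst, acct in events]


def find_unauthorised(events, allowed_accounts, allowed_sources):
    """Return sessions whose account or source host is outside the allow-lists.

    This is the 'only those who really need access' control expressed as a
    detection: a session that should not exist is itself the alert.
    """
    return [
        (ts, src, dst, acct)
        for ts, src, dst, acct in events
        if acct not in allowed_accounts or src not in allowed_sources
    ]


def find_fanout(events, window=timedelta(minutes=10), threshold=3):
    """Return {source_host: destinations} for sources that reached more than
    `threshold` distinct destinations within any `window`-long interval.

    Administrators normally work on one or two hosts at a time; one source
    sweeping across many servers in minutes is the lateral-movement pattern
    to investigate.
    """
    by_src = defaultdict(list)
    for ts, src, dst, _acct in sorted(events):
        by_src[src].append((ts, dst))

    alerts = {}
    for src, conns in by_src.items():
        for t0, _ in conns:
            # All destinations reached in the window starting at this session.
            dsts = {d for t, d in conns if t0 <= t <= t0 + window}
            if len(dsts) > threshold:
                alerts[src] = dsts
                break  # one alert per source is enough
    return alerts


def analyse(raw_events=SAMPLE_EVENTS):
    """Run both checks and return their findings as a dict."""
    events = parse(raw_events)
    return {
        "unauthorised": find_unauthorised(events, ALLOWED_RDP_ACCOUNTS, ALLOWED_SOURCE_HOSTS),
        "fanout": find_fanout(events),
    }


if __name__ == "__main__":
    findings = analyse()
    for ts, src, dst, acct in findings["unauthorised"]:
        print(f"UNAUTHORISED RDP {ts} {acct} {src} -> {dst}")
    for src, dsts in findings["fanout"].items():
        print(f"FAN-OUT {src} reached {len(dsts)} hosts: {sorted(dsts)}")
```

On the constructed input, the approved administrator's two sessions from the jump host pass both checks, while the workstation using a service account is reported by both: every one of its sessions is outside the allow-lists, and it reaches five servers in five minutes. Tuning the threshold and window to what is normal for a given environment is the important part; too low and legitimate administrators generate noise, too high and a slow-moving intruder stays under it.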
The findings, published in the Vectra 2019 Spotlight Report on RDP, were based on an analysis of Vectra’s data from the 2019 Black Hat Edition of the Attacker Behaviour Industry Report.