
Defeating the Death Star: How RDP attacks exploit security gaps

(Image credit: Shutterstock/jijomathaidesigners)

Imagine you lived a long time ago, in a galaxy far, far away – and you had landed a prestigious job with the Empire. You have designed the most sophisticated space station ever constructed: capable of destroying planets and large enough to be mistaken for a small moon. The platform is central to your organisation’s operations, namely stamping out those rebel scum.

You devote plenty of time and man hours to keeping the Death Star secure and functional. But there’s one glaring flaw, a Thermal Exhaust Port. Although small, this vulnerability allows malicious actor Luke Skywalker to breach the system’s defences and wreak unimaginable destruction.

IT officers face a very similar threat from cybercriminals exploiting an often-neglected flaw to compromise a whole network. The modern business equivalent of the Thermal Exhaust Port is the Remote Desktop Protocol (RDP), which could be leaving companies vulnerable to catastrophic attack. This article will explain why RDP attacks are on the rise, the most disruptive malware that can be deployed and how organisations can effectively defend against attacks.

The risks of the RDP

The tool is widely employed to enable the use of another computer over a network connection and is particularly helpful for system administrators tackling IT issues. Employees can also use RDPs to work remotely, a functionality that’s increasingly valued, with 50 per cent of the UK workforce set to work remotely by 2020.

Remote Desktop Protocol might not on first appearance seem like the Rebel Alliance’s smoking gun – or rather, the cybercriminals’ avenue of choice. However, Remote Desktop Protocol connections rose to prominence as an attack vector back in 2016, and cybercriminals’ early successes have led to widespread adoption. In fact, our list of Nastiest Malware found that unsecured RDPs are the number one attack vector of 2018.

The fundamental issue is a lack of awareness. IT teams have often failed to appreciate the potential vulnerabilities of RDPs. Connections are set up without adequate protections, using default connections or easily guessable credentials. This then leaves the whole environment open to attack, with – unlike the Rebel attack – surprisingly little effort from cybercriminals.

Firing at the port

Cybercriminals can easily find and target vulnerable organisations by scanning for open RDP connections; tools and websites are even available to automate this process. Once a business has been identified, hackers can penetrate defences using brute force tools. Using an application like DuBrute, criminals can try a whole range of common passwords in the hope of gaining access. Less skilled hackers can simply buy RDP access to computers that have already been hacked on the dark web – at around $10 a machine, it’s pretty cheap too.

Once a criminal has desktop access, they can inflict significant damage. Hackers can easily disable endpoint protection or leverage exploits to elevate permissions to ensure their malicious payloads will execute. It’s also possible to create new administrative accounts, so that even if the compromised user’s password is changed, they can gain access separately.
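The two behaviours just described, a password-guessing burst against the RDP listener and a freshly created administrative account once the attacker is in, both leave a trail in the Windows Security log. The script below is an added example written for this article, not code from the author or from Webroot; it runs over a constructed set of events shaped like the fields a defender would extract from Get-WinEvent, so it works offline. The event IDs are the standard Windows ones (4625 failed logon, 4624 successful logon, 4720 account created, 4732 member added to a local group; LogonType 10 is a RemoteInteractive, i.e. RDP, logon); the IP addresses, account names, threshold and time window are assumptions chosen for the sample.

```powershell
# Added example (not from the original article): spotting an RDP brute-force burst and a
# follow-on "new local admin" from Security log events. Field names below mirror what you
# would pull out of the event XML with Get-WinEvent; the data itself is constructed.

$t0 = [datetime]'2018-11-05T02:14:00'
$SampleEvents = @()
# Six failed RDP logons from one external address inside 20 seconds, cycling common usernames
$SampleEvents += 1..6 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddSeconds(3 * $_); Id = 4625; LogonType = 10
                       IpAddress = '203.0.113.7'; TargetUser = @('Administrator', 'admin', 'backup')[$_ % 3]; GroupName = $null }
}
# ...followed by a success from the same address, a new account, and its addition to Administrators
$SampleEvents += [pscustomobject]@{ Time = $t0.AddSeconds(22);  Id = 4624; LogonType = 10; IpAddress = '203.0.113.7'; TargetUser = 'Administrator'; GroupName = $null }
$SampleEvents += [pscustomobject]@{ Time = $t0.AddMinutes(2);   Id = 4720; LogonType = $null; IpAddress = $null; TargetUser = 'svc_backup2'; GroupName = $null }
$SampleEvents += [pscustomobject]@{ Time = $t0.AddMinutes(2.1); Id = 4732; LogonType = $null; IpAddress = $null; TargetUser = 'svc_backup2'; GroupName = 'Administrators' }
# Benign noise: an internal admin mistypes a password once, then logs in
$SampleEvents += [pscustomobject]@{ Time = $t0.AddHours(6);     Id = 4625; LogonType = 10; IpAddress = '10.0.0.25'; TargetUser = 'jsmith'; GroupName = $null }
$SampleEvents += [pscustomobject]@{ Time = $t0.AddHours(6.01);  Id = 4624; LogonType = 10; IpAddress = '10.0.0.25'; TargetUser = 'jsmith'; GroupName = $null }

function Find-RdpBruteForce {
    # Flags a source IP that produced $Threshold failed RDP logons within $WindowMinutes,
    # and records whether a successful RDP logon from that IP followed the burst.
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$Threshold = 5,
        [int]$WindowMinutes = 5
    )
    $failures  = $Events | Where-Object { $_.Id -eq 4625 -and $_.LogonType -eq 10 }
    $successes = $Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 }

    foreach ($group in ($failures | Group-Object IpAddress)) {
        $times = @($group.Group | ForEach-Object { [datetime]$_.Time } | Sort-Object)
        # Sliding window: any run of $Threshold consecutive failures that fits inside the window
        $burst = $false
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) { $burst = $true; break }
        }
        if (-not $burst) { continue }

        $lastFail = $times[-1]
        $laterSuccess = $successes | Where-Object { $_.IpAddress -eq $group.Name -and [datetime]$_.Time -ge $lastFail }
        [pscustomobject]@{
            SourceIp          = $group.Name
            Failures          = $group.Count
            AccountsTried     = ($group.Group.TargetUser | Sort-Object -Unique) -join ','
            SuccessAfterBurst = [bool]$laterSuccess
        }
    }
}

function Find-NewLocalAdmin {
    # Pairs an account-created event (4720) with that account being added to Administrators (4732).
    param([Parameter(Mandatory)] [object[]]$Events)
    $created = @($Events | Where-Object { $_.Id -eq 4720 } | ForEach-Object { $_.TargetUser })
    $Events |
        Where-Object { $_.Id -eq 4732 -and $_.GroupName -eq 'Administrators' -and $created -contains $_.TargetUser } |
        Select-Object Time, TargetUser, GroupName
}

Find-RdpBruteForce -Events $SampleEvents | Format-Table -AutoSize
Find-NewLocalAdmin -Events $SampleEvents | Format-Table -AutoSize
```

Against the sample, only 203.0.113.7 is reported (six failures, a success after the burst), the single internal typo from 10.0.0.25 is ignored, and svc_backup2 is surfaced as a new local administrator. On a live host the same functions can be fed the output of Get-WinEvent once its XML fields have been mapped to these property names.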

The vulnerability of the RDP vector has been highlighted by high profile attacks this year; the SamSam group shut down government sectors in Atlanta and Colorado, along with medical testing giant LabCorp, and has exploited millions in total from its victims. Once inside the system, criminals have a whole variety of payload options for inflicting damage and extracting profit from the victim.

The biggest threats

Coming in as the third nastiest payload on our list, ransomware is perhaps the most obvious payload for an RDP-enabled attack. After emerging five years ago, ransomware dominated global headlines in 2017 thanks to the infamous WannaCry attack. While the visibility of ransomware may have declined, this is because attacks have become more targeted, which is what makes RDP such a popular attack vector.

Using RDP, a criminal can browse all data on the system or shared drive before making a demand: in essence, casing the joint. The hacker can then identify the data that’s the most valuable and assess how large a ransom demand to make. The consequences can be financially devastating, as we’ve seen with the three nastiest ransomware families, Crysis/Dharma, GandCrab and SamSam.

Another payload growing in popularity is cryptomining, an easier, faster and in many ways less risky means of netting cryptocurrency from victims. Once inside, criminals can see all the hardware installed on a system to assess whether substantial GPU or CPU hardware is available. If so, then it can be used to mine cryptocurrencies like Monero or Ethereum without any action from the victim.

While cryptomining might appear to be ‘money from thin air’, the CPU usage does show up on victims’ electricity bills and can compromise machine performance. Plus there is always the risk that hackers will exploit their access to pursue other, more aggressive tactics down the line. As a result, cryptomining has risen to the second nastiest payload on our list.

Plugging the exhaust port

The real issue underlying the RDP exploitation is a lack of awareness of the vulnerability amongst IT professionals. Many businesses leave default ports open, maintain lax password policies or fail to train employees on the phishing attacks that could compromise company credentials.

It’s relatively easy to plug the gap once it has been highlighted. Appropriate precautions include:

  • Avoiding common TCP ports
  • Setting a maximum number of attempts for entry
  • Setting very secure usernames and passwords (no pets’ names, please - use phrases)
  • Using paid encryption like VNC, TeamViewer or LogMeIn (best solution)
  • Restricting RDP to a limited whitelist
  • Training employees on the risks and likely methods of cybercriminals
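Four of the precautions above (a non-default port, a cap on logon attempts, an allowlist of sources and checking credentials before a session is created) can be applied directly on a Windows host. The script below is an added example written for this article, not the author's or Webroot's own tooling. It must be run from an elevated PowerShell prompt; the management subnet 10.0.0.0/24, the port 33890 and the lockout values are placeholder assumptions to replace with your own. The registry keys and cmdlets are the standard Windows ones.

```powershell
# Added example (not from the original article): hardening the RDP listener on a Windows host.
# Run elevated. The subnet, port and lockout numbers below are assumptions for illustration.

$AllowedSources = '10.0.0.0/24'   # assumption: the only network that should reach RDP at all
$NewRdpPort     = 33890           # assumption: a non-default listening port
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Maximum number of attempts: lock an account after 5 bad passwords, for 30 minutes,
#    counting failures over a 30-minute window. Blunts the DuBrute-style guessing described earlier.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 2. Network Level Authentication: credentials are verified before any desktop session is created,
#    so an unauthenticated client never reaches the logon screen.
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# 3. Move the listener off the default port (3389). This only reduces noise from mass scanners;
#    the allowlist in step 4 is the control that actually keeps strangers out.
Set-ItemProperty -Path $rdpTcp -Name 'PortNumber' -Value $NewRdpPort -Type DWord

# 4. Allowlist: disable the built-in "Remote Desktop" rules (which accept any source) and
#    allow the new port only from the management subnet, on domain and private profiles.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP (allowlisted sources only)' -Direction Inbound `
    -Protocol TCP -LocalPort $NewRdpPort -RemoteAddress $AllowedSources `
    -Action Allow -Profile Domain, Private

# 5. Restart the Remote Desktop service so the new port takes effect (existing sessions drop).
Restart-Service -Name TermService -Force

# Verify: expect PortNumber = 33890, UserAuthentication = 1, and the firewall rule
# carrying 10.0.0.0/24 as its remote address.
Get-ItemProperty -Path $rdpTcp | Select-Object PortNumber, UserAuthentication
Get-NetFirewallRule -DisplayName 'RDP (allowlisted sources only)' | Get-NetFirewallAddressFilter
```

Note that step 4 is what makes the difference: a changed port still answers scanners that try every port, whereas a source allowlist means the listener is simply unreachable from the internet. Where staff genuinely need remote access from arbitrary networks, put a VPN or gateway in front of RDP rather than widening $AllowedSources.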

Unlike the Thermal Exhaust Port, Remote Desktop Protocols offer a very low barrier to entry for many cybercriminals – and as such offer a tempting and lucrative vector for attack. Until this is addressed, we’re likely to see more and more criminals taking advantage of the RDP vulnerability. But with the right education and sensible precautions, you can defend your business against the real bad guys. Because no one wants to be the engineer who led to the destruction of the Death Star.

Tyler Moffitt, Security Threat Research Analyst, Webroot

Tyler Moffitt
Tyler Moffitt is a Senior Threat Research Analyst with Webroot, Inc. and a key member of the Threat Research team, immersed deep within the world of malware and antimalware. He works directly with malware samples, creating antimalware intelligence, and testing in-house tools.