
How can firms use Remote Desktop Protocol without leaving the door open for cybercriminals?

(Image credit: Geralt / Pixabay)

From problems accessing emails to difficulty saving documents, few things derail the average working day faster than running into technical difficulties. In this digital age, issues like these can easily grind productivity to a halt, so it’s imperative that tech support is able to get things working again as soon as possible. 

Remote Desktop Protocol (RDP) has emerged as one of the most valuable tools for achieving this, enabling IT personnel to jump onto the offending machine and deal with the issue directly, rather than labouring through instructions over the phone or wasting time heading out for a site visit. As a result, IT engineers are now able to remotely support multiple organisations or branches from hundreds of miles away if need be.

But, like most tools, RDP can also be subverted for malicious purposes. In the wrong hands, RDP becomes a powerful weapon that enables a threat actor to bypass defences and launch a serious cyberattack. 

Remote desktops are a popular target for cybercriminals, with the FBI having warned that such activity “has been on the rise since mid-late 2016”. Recent research conducted by Vectra sought to quantify the threat, finding that nine out of ten organisations have experienced some form of malicious RDP behaviour.

The benefits and risks of RDP

Granting IT support personnel system access through RDP can provide powerful advantages in both cost and efficiency. RDP means that support teams can deal with a far greater number of incidents for the same cost, with one engineer easily shouldering a workload that would otherwise require an entire team. 

Research from Machine Design indicates that 60 to 70 per cent of machine issues can be resolved remotely through a system upgrade or changing settings, which means in most cases RDP can allow a technician to solve a problem by taking over for just a few minutes. 

There is also a significant cost saving to be made by enabling remote access, with industrial communications and IoT solutions supplier HMS Networks estimating that engineer callouts can carry average costs of around US$2,200.

However, RDP also has the potential to be co-opted to carry out a devastating cyberattack. Gaining access to RDP will enable a threat actor to fly under the radar and launch their attack almost completely undetected. 

Microsoft recently revealed four critical RDP vulnerabilities affecting Windows 7, Windows 8 and the latest version, Windows 10, all of which can be exploited without even requiring credentials. Even without vulnerabilities like these, it’s common to find that enterprises have failed to follow security best practice, leaving RDP access only nominally protected with extremely weak passwords.

With most threat actors seeking the path of least resistance into the network, it’s no surprise that poorly secured RDP tools are such a popular mark. There are a number of different ways in which cybercriminals exploit RDP.

How is RDP being exploited? 

In order to gain greater insight into how RDP is being exploited, we used our own platform to split the RDP detections into two main categories: RDP Recon and Suspicious Remote Desktop. 

RDP Recon is an early-stage attack behaviour detection, triggered when repeated failed attempts to establish an RDP connection to a workload or host are observed. This is usually the result of an attacker trying common username and password combinations in the hope that the target uses weak default credentials, or probing in order to identify active accounts.

Meanwhile, Suspicious Remote Desktop detections are activated when unusual characteristics are detected following a successful RDP connection. A prevalent example would be when an RDP server that is usually set to English keyboard inputs is accessed by someone using French settings. While there are perfectly valid reasons for this kind of activity, such incidents should be taken as red flags that warrant immediate investigation. 

Which organisations are facing the biggest threat?

Vectra’s research found that organisations in different sectors were more likely to encounter different RDP activity. Government and education were the most likely to be hit with RDP Recon, while retail and insurance were most likely to experience Suspicious RDP detections. Notably, manufacturing was one of the top three most targeted sectors for both kinds of activity. 

In addition, small and medium businesses experienced a higher proportion of RDP detections than larger firms. Medium organisations experienced 6.9 RDP detections per 10,000 workloads or devices, small organisations had 6.5, while large businesses had 4.5. Smaller firms generally make for more popular targets as they are less likely to have the resources and budget for defences that will detect the subtle signs of RDP exploitation. Taking business sector and size together, the most RDP detections were seen in medium manufacturers, medium retailers and small financial institutions. 

How can the risk of RDP exploitation be reduced?

RDP has become an essential cornerstone in supporting modern business IT infrastructure, and few firms can afford to operate without it today. This means organisations must be able to balance the benefits of RDP against the risks, and mitigate the threat of exploitation by cyberattackers.

One of the most effective steps in reducing the risk profile of RDP is to ensure that access is restricted to essential users only and is safeguarded with strong authentication protocols. Each user should have their own unique set of credentials protected by robust passwords. 

While these measures will make it more difficult for attackers to hijack RDP, organisations should also be prepared for the worst-case scenario of an attacker successfully compromising their network using a remote session. To counter this threat, it is necessary to have the ability to automatically monitor, detect and respond to suspicious remote access behaviours. Crucially, this must be done at both speed and scale, as every moment that a malicious intruder is loose in the system could have serious consequences, and skilled threat actors are adept at masking their presence within the complexity of the modern IT network. The moment suspicious activity is detected, security teams should be alerted and begin investigating to determine whether the detection has a benign explanation or is indeed the work of an attacker infiltrating the network.

Arming themselves with the ability to detect unusual behaviour in real time will enable organisations to minimise the threat of RDP being exploited by remote attackers, without compromising the crucial role RDP plays in keeping a digital business running smoothly.

Christopher Morales, Head of Security Analytics, Vectra

Christopher Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients.