Threat actors put various cloud “tools” — resources like account information and application access — for sale on dark web markets that provide access for conducting follow-up attacks. But none of those utilities compare in popularity to Remote Desktop Protocol (RDP) accounts. They represent more than 70% of cloud resources available for sale on underground web marketplaces, according to a recent analysis. As such, RDP accounts are more pervasive on the dark web than regular cloud accounts.

These findings raise the following questions: How did we get here? What’s at stake for those at risk?

2020’s Remote Work Shift Created an Opening

Many companies opted to transition their employees to a work-from-home model during 2020. Their interest in RDP grew in the process. Arctic Wolf observed that IT and security teams’ interest in using RDP to manage employees’ remote laptops increased 62% between March and April of 2020, for instance. RDP gave that personnel a way to troubleshoot and provide device support in spite of having rapidly shifted to a new model of work. In the process, the technology helped countless companies continue to drive their business priorities forward.

The problem is that there are multiple security issues with RDP. In 2020, internet-connected device search engine Shodan noted that the number of devices exposing RDP to the web had grown between February and March of that year. That’s not the first time exposed RDP instances grew. They followed this same behavior after Microsoft published its bulletin on BlueKeep (CVE-2019-0708), an RDP vulnerability that requires no user interaction and occurs prior to authentication, back in May 2019. It was several months later when Bleeping Computer wrote that digital attackers were using BlueKeep to infect vulnerable Windows machines with Monero cryptominers. That said, the opposite occurred in August 2019 after a series of RDP issues collectively known as “DejaBlue” made the news.

As of November 2020, 245,000 Windows systems were still vulnerable to attacks leveraging BlueKeep. That’s approximately a quarter of the 950,000 systems first discovered to be vulnerable to the security issue, as ZDNet wrote at the time.

What’s at Stake for Companies

Many security teams take a set-it-and-forget-it posture with RDP by leaving it exposed on a common port that’s open to the Internet. Malicious actors abuse this by searching for vulnerable machines online. They don’t do so manually. On the contrary, the Cybersecurity and Infrastructure Security Agency (CISA) noted that attackers commonly turn to tools like Shodan to discover potentially vulnerable RDP accounts. Those attackers can then go after the vulnerable machines and use them to gain remote access to their target’s network. From there, it’s simple to hijack accounts, move laterally and steal sensitive information.

Along those same lines, digital attackers can use exposed RDP instances to deploy ransomware. In fact, RDP is the most common delivery vector for these threat actors, ZDNet reported. Back in August 2020, for example, three separate security firms determined RDP to be the most pervasive intrusion vector and source of ransomware attacks in 2020. Ransomware actors began turning toward RDP and away from other common delivery vectors like email when they embraced “big game hunting” in 2018. That methodology de-emphasized attacks against individual users and highlighted efforts to encrypt the information of large enterprises.

Such ease of use for attackers explains why the security community witnessed a surge of interest among malicious actors for RDP connections in early 2020. According to PR Newswire, attackers’ interest in RDP servers grew 30% in March of that year. It’s no wonder then that Infosecurity Magazine documented a 768% increase in RDP attacks between the first and final quarters of 2020.

Best Practices for RDP Security

The findings discussed above highlight the need for organizations to secure their RDP instances. A big part of this involves using vulnerability management to address security gaps like BlueKeep that continue to affect this protocol. Toward that end, security teams need to establish an inventory of all their hardware and software assets including Windows machines with RDP exposed. If they don’t, they could fail to account for all the RDP instances that are running in their environment. Such oversight would prevent IT and security teams from developing a complete picture of the digital threats facing their team. Without that visibility, they can’t prioritize known vulnerabilities, and they can’t develop a patching schedule that takes all those different risks into account.

Security teams then need to follow best practices to defend their machines with RDP connections. After they’ve allowed RDP access on the Windows firewall, infosec personnel need to think carefully before opting to broaden access beyond the local area network and making it accessible via the web. If they choose to open up an RDP instance to the internet, they should specifically think about not keeping the RDP to 3389, the protocol’s default port. Malicious actors are familiar with this port, and they have crafted their attacks around using it to infiltrate a targeted organization’s network. With that said, security teams can consider changing the default port to something lesser-known.

But that’s only security through obscurity. It’s making it more difficult for port scanners to arrive upon an exposed RDP instance, for instance. It won’t necessarily prevent discovery, and it certainly won’t prevent a compromise. Acknowledging that, infosec personnel can take additional steps to defend against potential hacking attempts. They can do so by changing the password used for RDP access to something strong, complex and unique. In particular, they can change that password to something besides “administrator”, “admin” or any of the other common passwords used with 1.3 million hacked RDP servers, as explained by Bleeping Computer in April 2021. When coupled with multifactor authentication (MFA), security teams can use this step to prevent threat actors from gaining access to RDP instances using brute-force techniques and other automated attack attempts.

Finally, infosec personnel needs to consider whether it’s necessary to have RDP enabled on their systems. This process might involve disabling RDP on some machines while leaving it open on others. It might also involve turning to another remote access solution entirely. Either way, security teams can help reduce their organization’s attack surface by disabling services they don’t need.

More from Incident Response

How the Mac OS X Trojan Flashback Changed Cybersecurity

Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that "it doesn't get PC viruses". But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has the security of the entire world. In this post, we'll revisit how the Flashback incident unfolded and how it changed the security landscape forever. What…

What Hurricane Preparedness Can Teach Us About Ransomware

Each year between June and November, many parts of the U.S. become potential targets for hurricanes. In October 2022, we had Hurricane Ian devastate Florida. To prepare for natural disasters like hurricanes, organizations are encouraged to build out and test business continuity, disaster recovery, and crisis management plans to use in the response efforts. Millions of dollars each year are spent on natural disaster preparation, but natural disasters are not the only disruption businesses face. While we can’t equate the…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…

A Day in the Life: Working in Cyber Incident Response

As a cybersecurity incident responder, your life can go from zero to 100 in a heartbeat. One moment you are sipping a beverage reading the latest threat intelligence or getting the kids ready for bed; the next, you may be lunging for your "go bag" because you cannot remote in to the breached system. It's all part of the game. Seasoned incident responders can handle this jab: "Why would you want a job like this? Are you crazy?" The truth…