Security vendor McAfee has discovered an underground trade in RDP login credentials that can provide attackers with access to Windows systems. Here are some ways to protect your business.
RDP (Remote Desktop Protocol) is used to control one computer from another; on Windows it listens on TCP port 3389 by default. This can save support staff from having to physically visit a PC in order to correct technical issues, something that is especially important if you outsource tech support - who would want to pay for an hour or two of travel time when the actual task only takes a couple of minutes?
According to McAfee, miscreants are scanning the internet for systems that accept RDP connections and then attempting to discover valid usernames and passwords by brute force, using a variety of tools. The credentials that work are then offered for sale.
This presents several problems for the owners of compromised systems.
Firstly, almost all of the data on these systems can be accessible to someone with the RDP credentials. They could steal information (especially other credentials, data that can assist in identity fraud, or sensitive data that could be used for extortion), or encrypt it and hold it to ransom (much like the ransomware model, but without having to get malware past security software and then tricking the victim into running it).
Secondly, attackers can set the system to work mining cryptocurrency or distributing spam.
Thirdly, they may use the compromised computer to attack other systems, making it look as though it was the actual source of such incursions. It would be embarrassing to say the least if your business was raided by police investigating such an attack.
McAfee recommends these steps to help protect against RDP attacks:
• Use complex passwords and two-factor authentication; both make brute-force RDP attacks far less likely to succeed
• Do not allow RDP connections over the open Internet
• Lock out users and block or time out IP addresses that have too many failed login attempts
• Regularly check the Security event log for unusual login attempts (failed logons are event ID 4625, successful logons 4624)
• Consider using an account-naming convention that does not reveal organisational information
• Enumerate all systems on the network and list how they are connected and through which protocols. This also applies to Internet of Things and POS systems
It would also seem sensible to ensure that Remote Desktop is disabled unless it is actually needed on a particular computer.
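The checklist above, together with the advice to switch Remote Desktop off where it is not needed, can be audited from an elevated PowerShell prompt on the host in question. The following script is an added example written for this article; it is not McAfee's code or a Microsoft tool. The 24-hour window, the failure threshold of 20 and the firewall rule name are assumptions chosen for illustration. It reports whether Remote Desktop is enabled, whether Network Level Authentication (NLA) is required, which firewall rules admit RDP and from where, the local account lockout policy, and the source addresses behind failed logons (event ID 4625) in the Security log, and it can add a block rule for sources that exceed the threshold:

```powershell
#Requires -RunAsAdministrator
# Added example (not McAfee's or Microsoft's code): audit a Windows host's RDP
# exposure and summarise failed logons from the Security log. The time window,
# threshold and rule name below are assumptions for illustration.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means disabled.
$deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections
Write-Host ("Remote Desktop enabled : {0}" -f ($deny -eq 0))

# 2. Is Network Level Authentication required? UserAuthentication = 1 forces
#    CredSSP authentication before any session (and logon screen) is created.
$nla = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication).UserAuthentication
Write-Host ("NLA required           : {0}" -f ($nla -eq 1))

# 3. Which inbound firewall rules currently admit RDP, and from which addresses?
#    'Any' as the remote address means the whole Internet if the host is exposed.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        Write-Host ("Firewall rule '{0}' allows from: {1}" -f $_.DisplayName, ($addr -join ', '))
    }

# 4. Local account lockout policy. "Never" means brute force is not throttled
#    by lockout (domain-joined hosts take this from Group Policy instead).
net accounts | Select-String 'Lockout'

# 5. Failed logons (event 4625) in the last 24 hours, grouped by source IP.
#    With NLA on, failed RDP attempts are usually logged as logon type 3
#    (network) because CredSSP authenticates before the interactive session
#    exists; successful RDP sessions appear as 4624 with logon type 10.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
            SourceIp  = ($data | Where-Object Name -eq 'IpAddress').'#text'
        }
    }

$failed | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Select-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 6. Add an inbound block rule for any source with more than $Threshold
#    failures (assumed default: 20). Loopback and unknown ('-') sources are
#    skipped. Supports -WhatIf, so the rules can be previewed before creation.
function Block-RdpBruteForcer {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Threshold = 20)
    $failed | Group-Object SourceIp | Where-Object { $_.Count -gt $Threshold } | ForEach-Object {
        $ip = $_.Name
        if ($ip -in @('-', '127.0.0.1', '::1')) { return }
        if ($PSCmdlet.ShouldProcess($ip, "Add inbound block rule")) {
            New-NetFirewallRule -DisplayName "Block RDP brute-forcer $ip" -Direction Inbound `
                -RemoteAddress $ip -Action Block -Profile Any | Out-Null
        }
    }
}

Block-RdpBruteForcer -WhatIf
```

Run it once with the trailing `-WhatIf` to see which addresses would be blocked, then drop the switch if the list looks right. Per-address block rules are only a stopgap: attackers rotate source addresses, so the durable fix remains the second bullet above, keeping RDP off the open Internet entirely and requiring NLA wherever it stays enabled.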