Many IT services providers use a remote desktop support solution to help manage their customers' computers. Remote support connections are often done via the remote desktop protocol (RDP). However, security experts warn that RDP leaves a listening port open on the target machine, which would-be attackers could exploit. The truth is RDP vulnerabilities aren’t the only things you need to be concerned about. Weak password protection on the remote connection can make it easy for cybercriminals to break into the session and gain access to everything on a user’s computer. What’s more, sometimes human error leaves the door wide open for the bad guys to get in.
If you’re serious about your customers’ cybersecurity—and you absolutely should be if you want to keep their business—then you need to find a remote support solution that takes security just as seriously.
What type of attack is RDP vulnerable to?
Let’s look at some of the different types of cyberattacks a cybercriminal can execute via a remote access vector using RDP. The proprietary protocol developed by Microsoft provides access to a client from a server via encrypted TCP traffic. Poorly secured RDP gives hackers a potential entry point into enterprise networks. Hackers are well aware of the extensive use of RDP within organizations and target it as a method to proliferate their attacks.
RDP sessions are susceptible to man-in-the middle attacks where the hacker intercepts all communications sent between a client and a terminal server using Address Resolution Protocol (ARP) spoofing or Domain Name System (DNS) spoofing. They can use this to spread ransomware or implant arbitrary executables within organizations.
RDP sessions are also prone to in-memory credential harvesting. Capturing and selling RDP credentials on the Dark Web has been lucrative for a lot of hackers. xDedic was a notorious online marketplace where cybercriminals would buy and sell access to hacked servers, as was revealed in a Kaspersky report published in June 2016. The report warned that 250,000 credentials for RDP servers around the world appeared to be for sale for as little as $6 each. The site went underground and continued to operate until 2019 when it was shut down in a joint effort by the FBI and several European countries authorities.
Denial of service
Hackers can also use a brute-force attack to gain access to RDP credentials. During an attack, a malicious actor will scan a range of IP addresses, look for open ports used by RDP, and use a brute-force method, such as a dictionary attack, to attempt to determine the password. This brute-force attack may serve as a denial of service (DoS) against the operating system’s memory or storage, disrupting its normal function, and preventing other users from accessing it.
What else could go wrong?
Even if you’re not using an RDP-based remote desktop solution, as with any piece of software, bugs or insider threats may arise sooner or later. Some are malicious, some are accidental, but either way they can do serious damage.
A researcher at SafeBreach in 2019 discovered a critical security exploit in the TeamViewer admin permissions. Cybercriminals could have used it to load and execute malicious payloads in a persistent way, each time the service loaded.
Weak password protection
In the absence of a multifactor authentication mechanism, a hacker is free to guess a user's password. If passwords are weak or reused—by technicians or employees—across several accounts, the breach becomes easier for a motivated hacker with access to compromised credentials from past data breaches.
Social engineering via remote access
It can still be easy to fall for scams in this day and age. In a recent Reddit thread, a user detailed how someone allegedly from China asked him to remotely use his computer in exchange for payment, probably looking for a fall guy to scam others. In this case, the attack vector would have been used with the computer owner’s consent, exploiting his weakness at the prospect of making easy money.
Choosing the right remote desktop access tool