Remote Desktop Protocol (RDP) is a widely used protocol developed by Microsoft that lets us connect to and control other devices on the network. Its graphical interface and powerful capabilities have made RDP an industry standard, used by countless organizations and professionals to keep operations up and running.
RDP is a critical element of IT and OT infrastructures around the world, and its importance is bound to become even more evident in the future. Nonetheless, using RDP comes with significant cybersecurity challenges that we need to address up front.
It is well known that finding public-facing ports takes nothing more than browsing the results of Shodan, the search engine for the Internet of Things and interconnected devices. This has drawn much criticism, since Shodan makes it possible for malicious agents to quickly find unprotected (or poorly protected) ports.
According to McAfee, the United States and China have the most exposed systems in the world, summing up to 1.3 million vulnerable devices each.
Unfortunately, the most common way for hackers to exploit these ports and access remote devices continues to be exploiting weak passwords. It may be hard to believe, but weak passwords remain a prevalent practice, even among major organizations with big cybersecurity budgets.
There is worrying evidence that some of the most common passwords on RDP systems are simple words such as “password” and “admin”. The use of weak passwords may be one of the biggest problems we currently have in cybersecurity.
Besides trying to break in by guessing weak passwords, malicious agents also make use of stolen credentials sold and shared on criminal forums, a method that is growing in popularity.
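Both patterns described above leave a trace in the Windows Security log: a burst of failed RDP logons from one source, sometimes followed by a success once a guessed or stolen password works. The script below is an added example (not code from the post or from Julie Security) that runs that detection over a handful of constructed event lines. The line format is a simplified rendering of the relevant fields (Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP, plus the target user and source IP); the addresses, user names and the five-failures-in-five-minutes threshold are assumptions.

```python
"""Detect RDP password guessing in Windows logon events.

Added example, not code from the original post.  The event lines below are
constructed, not real telemetry, and their text format is a simplified
rendering of a few Security-log fields: Event ID (4625 = failed logon,
4624 = successful logon), LogonType (10 = RemoteInteractive, i.e. RDP),
the target user name and the source IP address.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammers several accounts over RDP and then
# gets in with one of them; the remaining lines are ordinary activity.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z 4625 LogonType=10 User=admin Src=203.0.113.7
2024-05-01T10:00:02Z 4625 LogonType=10 User=administrator Src=203.0.113.7
2024-05-01T10:00:03Z 4625 LogonType=10 User=admin Src=203.0.113.7
2024-05-01T10:00:04Z 4625 LogonType=10 User=root Src=203.0.113.7
2024-05-01T10:00:05Z 4625 LogonType=10 User=admin Src=203.0.113.7
2024-05-01T10:00:06Z 4625 LogonType=10 User=jsmith Src=203.0.113.7
2024-05-01T10:00:09Z 4624 LogonType=10 User=jsmith Src=203.0.113.7
2024-05-01T10:05:00Z 4625 LogonType=10 User=jdoe Src=10.0.0.25
2024-05-01T10:05:30Z 4624 LogonType=10 User=jdoe Src=10.0.0.25
2024-05-01T11:00:00Z 4625 LogonType=3 User=svc_backup Src=10.0.0.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)$"
)
RDP_LOGON_TYPE = 10
FAILED, SUCCEEDED = 4625, 4624


def parse_events(text):
    """Turn the constructed text lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(m["event"]),
            "ltype": int(m["ltype"]),
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_rdp_guessing(events, window=timedelta(minutes=5), threshold=5):
    """Map source IP -> finding for sources with at least `threshold` failed RDP
    logons inside a sliding `window`.  A later RDP success from a flagged source
    is recorded too: that is the "guessed or stolen password worked" signal."""
    rdp = sorted((e for e in events if e["ltype"] == RDP_LOGON_TYPE), key=lambda e: e["ts"])
    recent = defaultdict(list)   # src -> failed events still inside the window
    findings = {}
    for e in rdp:
        src = e["src"]
        if e["event"] == FAILED:
            # drop failures that have aged out of the window, then add this one
            recent[src] = [f for f in recent[src] if e["ts"] - f["ts"] <= window]
            recent[src].append(e)
            if len(recent[src]) >= threshold:
                finding = findings.setdefault(src, {"success_after_burst": None})
                finding["failed_attempts"] = len(recent[src])
                # many distinct users from one source = password spraying
                finding["distinct_users"] = len({f["user"] for f in recent[src]})
        elif e["event"] == SUCCEEDED and src in findings:
            findings[src]["success_after_burst"] = e["user"]
    return findings


if __name__ == "__main__":
    for src, info in detect_rdp_guessing(parse_events(SAMPLE_EVENTS)).items():
        print(src, info)
```

Only logon type 10 is counted, so the failed network logon from the backup service account is ignored, and the single failure from 10.0.0.25 never reaches the threshold; the source 203.0.113.7 is flagged with six failures across four accounts and a successful logon as jsmith right after the burst, which is the case that deserves an immediate response rather than a ticket.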
Good Solutions to Implement Today
Let’s begin with the obvious: strong passwords.
Every single cybersecurity awareness training program starts by lecturing professionals on the importance of strong passwords. Yet, although this is common knowledge by now, millions of people continue to use very weak passwords on critical systems. A strong password can protect our assets from brute-force attacks and save us a lot of pain.
Implementing multi-factor authentication is a popular practice that adds a very effective layer of protection to our systems, even if cybercriminals already have our passwords.
In the case of RDP, changing the default port (3389) is a good practice that keeps hackers from finding and accessing our devices with little to no effort.
Finally, keeping RDP software up to date is an essential part of protecting our assets. Vendor updates aim to fix potential vulnerabilities and improve the software's security capabilities.
When Good Practices Aren’t Enough
Let's look at the case of one of our clients who suffered a breach through RDP.
The client used strong passwords, multi-factor authentication and a firewall, and kept their systems up to date. However, this wasn't enough to keep the threat at bay.
After we took over and began monitoring the affected network, we discovered that the internal devices were connected to an external Internet connection in Europe, which made no sense considering that our client's operations are based in the US.
Through that monitoring we also discovered that the hackers had found a way into the network and were infecting devices with malware, using them as bots and for espionage. In fact, one of the main affected devices was a CCTV camera server.
In this case, we learned that even effective mechanisms aren't enough on their own. Monitoring activities, like the ones executed and automated by Julie Security, play a critical role in keeping systems secure. Detecting threats is a must if we plan to act in time to counter ongoing attacks.
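The two observations that gave the incident away, internal devices talking to an address in Europe and a CCTV server talking to the Internet at all, are exactly the kind of policy checks that monitoring can automate. The script below is an added example (not Julie Security's tooling) that applies them to a few constructed flow records. The device inventory, the prefix-to-country table standing in for a GeoIP lookup, the internal address ranges and the "operations are US-based" policy are all assumptions made for the example.

```python
"""Flag internal hosts talking to unexpected external destinations.

Added example, not code from the original post.  Everything here is
constructed: the flow records, the device inventory, the prefix-to-country
table standing in for a GeoIP lookup, and the EXPECTED_COUNTRIES policy
(operations based in the US, as in the incident described above).
"""
import ipaddress
from collections import defaultdict

# Assumed internal ranges; any other destination is treated as "the Internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory.  A CCTV server has no business reaching the Internet at all.
INVENTORY = {
    "10.0.0.10": {"role": "workstation", "internet_allowed": True},
    "10.0.0.25": {"role": "workstation", "internet_allowed": True},
    "10.0.0.50": {"role": "cctv-server", "internet_allowed": False},
}

# Constructed stand-in for a GeoIP database, keyed on documentation prefixes.
GEO_BY_PREFIX = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "NL",
}
EXPECTED_COUNTRIES = {"US"}   # assumed policy: the business operates from the US

# Constructed flow log: "src dst dst_port bytes_out"
SAMPLE_FLOWS = """\
10.0.0.10 198.51.100.20 443 5120
10.0.0.25 198.51.100.31 443 2048
10.0.0.25 203.0.113.9 443 1024
10.0.0.50 203.0.113.9 8443 734003200
10.0.0.50 10.0.0.10 3389 4096
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_BY_PREFIX.items():
        if addr in net:
            return cc
    return "??"   # not in our constructed table


def parse_flows(text):
    """Parse the constructed flow lines; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, nbytes = parts
        flows.append({"src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def review_flows(flows, inventory=INVENTORY, expected=EXPECTED_COUNTRIES):
    """Return (src, dst, reason) tuples for outbound flows that break policy:
    a host that should never reach the Internet, or a destination whose
    country is outside the expected set."""
    findings = []
    for f in flows:
        if is_internal(f["dst"]):
            continue   # east-west traffic is out of scope here
        host = inventory.get(f["src"], {"role": "unknown", "internet_allowed": True})
        if not host["internet_allowed"]:
            findings.append((f["src"], f["dst"], f"{host['role']} should never reach the Internet"))
            continue
        cc = country_of(f["dst"])
        if cc not in expected:
            findings.append((f["src"], f["dst"], f"destination geolocates to {cc}, outside {sorted(expected)}"))
    return findings


def bytes_out_by_host(flows):
    """Total bytes sent to the Internet per internal host, a second signal
    worth watching: a camera server pushing hundreds of MB outbound is odd."""
    totals = defaultdict(int)
    for f in flows:
        if not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for finding in review_flows(flows):
        print(*finding)
    print(bytes_out_by_host(flows))
```

On the sample data the workstation's connection to the Dutch prefix and the CCTV server's outbound connection are both reported, while the RDP session between two internal hosts is left alone; the byte totals then show the camera server as by far the largest sender, which is the espionage-or-exfiltration signal the team saw in the real incident.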