
What is an RDP attack? 7 tips for mitigating your exposure

Microsoft's Remote Desktop Protocol has become a popular attack vector. Here's what you need to know about the threat.


Microsoft's Remote Desktop Protocol (RDP) is used for remotely connecting to Windows systems. In an RDP attack, criminals scan for unsecured RDP services, break into them and use that access to reach the enterprise network behind them. It's frighteningly easy to do because many organizations fail to protect their RDP services against improper access.

Over the past year, RDP has become the top attack vector for ransomware. Threat actors have repeatedly exploited internet-exposed RDP services to install ransomware on systems and networks belonging to numerous major organizations. In July, the SamSam group infected some 7,000 Windows PCs and 1,900 servers at LabCorp with ransomware via a brute force attack on an RDP server. In another incident this year, Hancock Health was forced to pay over $50,000 in ransom to regain access to critical data that criminals had encrypted after breaking into its network via a hospital server running RDP services.
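The brute-force pattern behind incidents like the one above leaves a recognisable trace on the target host: a burst of failed logons from one source address, often across several usernames, sometimes followed by a success. The detector below is an added example, not code from the article or from any vendor named in it; it runs over a constructed list of records shaped like Windows Security logon events (event 4625 is a failed logon, 4624 a successful one, and logon type 10 is the RemoteInteractive type RDP sessions use), and the threshold and window values are assumptions to tune per environment.

```python
"""Flag RDP brute-force bursts in Windows Security logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10   # RemoteInteractive: RDP/Terminal Services sessions
FAILED_LOGON = 4625   # "An account failed to log on"
SUCCESS_LOGON = 4624  # "An account was successfully logged on"

# Constructed sample events: (timestamp, event id, logon type, source ip, user).
# 203.0.113.7 sprays five accounts in seconds, then gets in as jsmith;
# 10.0.0.25 is a user mistyping a password once; 203.0.113.9 is not RDP at all.
SAMPLE_EVENTS = [
    ("2018-07-13T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-07-13T02:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2018-07-13T02:00:05", 4625, 10, "203.0.113.7", "backup"),
    ("2018-07-13T02:00:06", 4625, 10, "203.0.113.7", "svc_sql"),
    ("2018-07-13T02:00:08", 4625, 10, "203.0.113.7", "jsmith"),
    ("2018-07-13T02:00:11", 4624, 10, "203.0.113.7", "jsmith"),
    ("2018-07-13T09:15:00", 4625, 10, "10.0.0.25", "jsmith"),
    ("2018-07-13T09:15:20", 4624, 10, "10.0.0.25", "jsmith"),
    ("2018-07-13T02:00:02", 4625, 3, "203.0.113.9", "administrator"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for every source that produced at least
    `threshold` failed RDP logons inside a sliding `window`, and note whether
    the same source later logged on successfully (the case that needs IR)."""
    by_src = defaultdict(list)
    for ts, event_id, logon_type, src, user in events:
        if logon_type == RDP_LOGON_TYPE:  # ignore SMB, service and other logons
            by_src[src].append((datetime.fromisoformat(ts), event_id, user))
    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        failures = [(t, u) for t, e, u in recs if e == FAILED_LOGON]
        for i, (start, _) in enumerate(failures):
            # Window anchored at failure i; count later failures inside it.
            burst = [u for t, u in failures[i:] if t - start <= window]
            if len(burst) >= threshold:
                success_after = any(
                    e == SUCCESS_LOGON and t >= start for t, e, _ in recs)
                alerts[src] = {"failures": len(burst),
                               "users": sorted(set(burst)),
                               "success_after_burst": success_after}
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, summary in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, summary)
```

In production the same logic would read events 4624/4625 from the Security log or a SIEM rather than the embedded list; a burst followed by a success from the same source should be treated as a probable compromise, not just a blocked attempt.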

Attackers have also exploited RDP to install cryptomining tools, keyloggers, backdoors and other malware on enterprise systems. Many have used RDP services to establish a foothold on an enterprise network, elevate privileges, harvest credentials, move laterally inside a compromised environment and plant false flags for misdirection.

"The payoff from a successful RDP attack is huge," says Rishi Bhargava, co-founder at Demisto, a provider of security automation and incident response technology. Even if pulling off an RDP attack can sometimes take a little effort, the range of devices that attackers can influence once they've accessed an RDP is dangerously large, he says.
