VIgilante has identified a trend of threat actors are using Remote Desktop Protocol (RDP), not email, to gain access to a victim’s network.
The threat actor first hacks a third-party vendor, identifies and acquires a victim’s RDP credentials, and then gains access to their clients’ systems.
It seems that every day we read about cyberattacks that gain traction via phishing or other email attack vectors; however, stolen RDP credentials are now the most common way that ransomware attackers gain access to a victim’s network. In at least one case, hackers claimed to have found a vendor’s clients’ RDP credentials in plain text in a text file the vendor had left unencrypted on their desktop.

Designed by Microsoft as a method for remote access and management, RDP is used by hackers as an attack vector in 70-80% of recent attacks, according to an FBI spokesperson at the Feb. 25, 2020 RSA conference. The use of RDP attacks has partly been driven by dark web markets selling RDP access relatively cheaply.

  • One of the most infamous examples was the 2016 hacking spree of numerous healthcare entities by threat actors calling themselves “thedarkoverlord.” In time, an investigative journalist learned that the threat actors had purchased compromised RDP servers on the Dark Web forum, RDP shop, and marketplace known as xDedic.

RDP connections are often left enabled even when not in use, according to an FBI alert issued in 2018. Vigilante urges those who do not use RDP to ensure that it is disabled, and those who do use RDP implement the following FBI suggestions:

  • Create strong passwords and change them regularly,
  • Always use strong access controls, such as two-factor authentication,
  • Have RDP disabled by default and only have RDP enabled when you are actively using it.