Remote Desktop Protocol (RDP) remains a major attack vector as it can allow threat actors to gain remote access or control over victims’ systems. A report from ReliaQuest has revealed that RDP accounted for 24% of cyberattacks in 2022, and threat actors are selling unauthorized access via RDP for an average price of $1,000 on underground forums.
Speaking in the same line, a new incident involving the exploitation of RDP has come forth in the cybersecurity landscape.
What’s the matter?
- ASEC recently discovered that Crysis ransomware attackers were scanning the internet, via brute force or dictionary attacks, for vulnerable RDP endpoints to install Venus ransomware on systems.
- Upon getting access, the attackers first attempted to encrypt the infected systems with Crysis ransomware. However, after failing to do so, the second attempt at encryption was done using the Venus ransomware.
- If the Crysis ransomware encrypts the files, the victims are shown a ransom note with an onion email address to contact the threat actors.
- If the files are encrypted using Venus ransomware, a message stating that threat actors stole information from the system and urging the users to make contact within 48 hours is displayed.
- Venus ransomware terminates various programs such as Office, email clients, and databases during the encryption process.
Other malicious tools installed
Researchers also noted various malware types on the infected systems. These included scanning and account credentials theft tools, most of them being created by NirSoft. Besides these, Mimikatz was also used in the process to perform internal reconnaissance.
RDP exploited in the wild
Cyberattacks via unsecured RDP endpoints are on the rise.
- Recently, Bitdefender Labs shared details on a cyberespionage campaign that enabled attackers to distribute RDStealer by exploiting remote desktop connections.
- In March, threat actors leveraged known remote desktop software flaws to propagate PlugX malware.
The bottom line
RDP connections are essential for remote access. As these connections grow exponentially, hackers are relentlessly carrying remote desktop protocol attacks to access and exploit enterprise networks. Therefore, organizations must follow easy-to-implement methods to prevent such attacks. This involves implementing multi-factor authentication across all devices and systems, monitoring RDP server logs frequently, and changing default credentials with strong passwords.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/07bd_shutterstock_2096551726.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/da1c_shutterstock_1919503355.jpg)
