FBI warns companies about hackers increasingly abusing RDP connections

Millions of RDP endpoints remain exposed online and vulnerable to exploit, dictionary, and brute-force attacks.

In a public service announcement published today by the US Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3), the FBI is warning companies about the dangers of leaving RDP endpoints exposed online.

RDP stands for the Remote Desktop Protocol, a proprietary technology developed by Microsoft in the 90s that allows a user to log into a remote computer and interact with its OS via a visual interface that includes mouse and keyboard input –hence the name “remote desktop.”

RDP access is rarely enabled on home computers, but it’s often turned on for workstations in enterprise networks or for computers located in remote locations, where system administrators need access to, but can’t get to in person.

In its alert, the FBI mentions that the number of computers with an RDP connection left accessible on the Internet has gone up since mid and late 2016.

This assertion from the FBI correlates with numbers and trends reported by cyber-security firms in the past few years. For example, just one company, Rapid7, reported seeing nine million devices with port 3389 (RDP) enabled on the Internet in early 2016, and that number rose to over 11 million by mid-to-late 2017.

Hackers, too, read cyber-security reports. Early warnings from the private sector about the increasing number of RDP endpoints caught hackers’ attention long before sysadmins.

For the past few years, there has been a constant stream of incident reports in which investigators found that hackers got an initial foothold on victims’ networks thanks via a computer with an exposed RDP connection.