Remote desktop protocol (RDP) exploded in popularity when the Coronavirus disease (COVID-19) pandemic ignited sweeping lockdowns and work-from-home orders because it enabled workers to continue work while away from the office. However, they are not without their security issues, such as commonly exposed port access points and weak sign-in credentials. Today, RDP is one the most common ways attackers compromise network security simply due to its ubiquitous nature and improper security.
With the rapid adoption of new technology within the manufacturing environments, the number of systems exposed to the internet increases significantly year over year. This creates more opportunities for attackers to break into these systems via unpatched software or weak RDP. Moreover, as COVID-19-related uncertainty persists, expect to see an increase in the number of manufacturers’ environments compromised via exposed remote desktop protocols, especially as remote work continues.
For the manufacturing industry specifically, RDP poses significant value to the business. The centralized management capabilities it provides saves IT leaders time and is often viewed as “worth the cyber risk.” However, the reality is that RDP is a weak administrative tool that enables cyberattacks to stealthily carry out attacks and remain in the shadows from days to months, if an organization is not paying close enough attention. Furthermore, the manufacturing industry is one of the most vulnerable to this attack with the highest rate of malicious RDP detections.
Exposed RDP are extremely attractive targets for cyber attackers, as there are many vulnerabilities they can utilize to attempt to gain a foothold in a network and launch their attack. As most organizations use RDP, the likelihood of discovering an exposed network is high. Once in the network, cyber attackers can perform whatever action they desire, such as deploy ransomware or data exfiltration for IP theft, data reselling or extortion. Additionally, RDP is increasingly becoming the most popular attack vector for ransomware operators, nearly edging out phishing. Furthermore, some cyberattackers sell RDP credential on multiple underground communities and forums as means to make an extra buck.
Exposed RDP is the speculated method used in the ransomware attack targeting a Honda manufacturing plant in June 2020. Although the attack is still being investigated, the cyber attackers allegedly targeted OT systems and publicly exposed RDP to deposit ransomware, which spread and infected numerous endpoints on the network. As a result, operations around the world were shut down and production was at a standstill.
To avoid falling victim to this type of attack, organizations, including manufacturers, must perform frequent vulnerability scans or third-party pen-testing to identify where their weak spots are. An organization must know where they are vulnerable in order to appropriately defend themselves. Other methods to inform and protect your organization include subscribing to intelligence feeds and implementing end-user phishing training specific to your industry.
Additional steps IT leaders can take to protect their organization from RDP attacks include:
- Restrict access to RDP connections to trusted sources
- Audit connectivity logs for unknown connections
- Implement two-factor authentication (2FA) for RDP logins
- Audit administrative accounts regularly to ensure unexpected accounts haven’t had their permissions escalated to an admin account
In addition, staying apprised of the latest intelligence enables administrators to stay a step ahead of threat actors. When IT leaders understand why cyber attackers are targeting the industry they operate in and the various tactics, techniques and procedures to carry out these attacks, they are better equipping themselves to protect their resources.
No organization should access the risk posed by RDP simply because their business relies on it to move the business forward. Instead, the focus should be on securing RDP so there is one less avenue for attackers to exploit.
