Malicious actors are compromising Australian business Remote Desktop Protocol (RDP) services, also known as Windows Terminal Services or Windows Remote Desktop.
The ACSC knows of more than 48,000 Australian RDP services that were accessible on the Internet in 2018 and 2019, exposing more than 2,000 Australian businesses.
The ACSC believes these compromises are part of ongoing campaigns to exploit cybersecurity weaknesses within Australia. These campaigns may result in major ransomware incidents, including the destruction of online backups and core services and significant business disruption and monetary loss.
RDP services are often associated with key operational systems and a compromise can lead to:
- theft of data and intellectual property
- reputational damage, including with supply-chain partners
- long-term malicious intrusion into an affected business
- extortion via maliciously encrypted business data
How does it happen?
Adversaries gain entry to RDP services via:
- Brute forcing credentials with automated tools
- Using stolen credentials
- Exploitation of known RDP vulnerabilities
Protect your systems
Australian businesses with in-house IT support should:
- Protect your key systems by:
  - Enabling Multi-Factor Authentication on all Remote Desktop Protocol (RDP) services
  - Logging all connections and monitoring for unusual activity
  - Ensuring all systems have a supported operating system and patches
- Check that your systems are not visible to well-known Internet scanning tools
- Restrict access to RDP services to authorised networks only
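One way to act on the logging and network-restriction advice above, as an added example that is not ACSC code: the script below reviews logon records for repeated failures from one source, a success following those failures, and connections from outside authorised networks. The record fields are modelled on Windows Security events 4624 (successful logon) and 4625 (failed logon); the authorised range, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed values for illustration; tune them to your environment.
AUTHORISED_NETS = [ip_network("10.20.0.0/16")]  # hypothetical management network
FAIL_THRESHOLD = 5                               # failures per source within WINDOW
WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPES = {3, 10}  # 10 = RemoteInteractive; 3 = Network (seen with NLA)

# Constructed sample records: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE = [
    (f"2019-06-01T02:00:0{i}", 4625, 3, "administrator", "203.0.113.50")
    for i in range(5)
] + [
    ("2019-06-01T02:00:40", 4624, 10, "administrator", "203.0.113.50"),
    ("2019-06-01T09:00:00", 4625, 10, "jsmith", "10.20.1.15"),
    ("2019-06-01T09:00:20", 4624, 10, "jsmith", "10.20.1.15"),
    ("2019-06-01T11:30:00", 4624, 10, "backup", "198.51.100.7"),
    ("2019-06-01T12:00:00", 4624, 2, "jsmith", "-"),  # console logon, ignored
]

def analyse(events):
    """Return sorted (source_ip, finding) pairs for RDP-type logon events."""
    findings = set()
    failures = defaultdict(list)  # source_ip -> timestamps of recent failures
    for ts, event_id, logon_type, _account, src in sorted(events):
        if logon_type not in RDP_LOGON_TYPES:
            continue  # skip local logons before parsing the source address
        when = datetime.fromisoformat(ts)
        if not any(ip_address(src) in net for net in AUTHORISED_NETS):
            findings.add((src, "unauthorised-network"))
        # Keep only failures that are still inside the sliding window.
        recent = [t for t in failures[src] if when - t <= WINDOW]
        if event_id == 4625:
            recent.append(when)
            if len(recent) >= FAIL_THRESHOLD:
                findings.add((src, "brute-force"))
        elif event_id == 4624 and len(recent) >= FAIL_THRESHOLD:
            findings.add((src, "success-after-failures"))
        failures[src] = recent
    return sorted(findings)

if __name__ == "__main__":
    for src, finding in analyse(SAMPLE):
        print(f"{src}: {finding}")
```

A "success-after-failures" finding deserves the most urgent review, since it suggests a guessed or stolen credential was accepted.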
Australian businesses with managed IT support should consider ensuring you and your provider(s) have:
- contractual arrangements based on an up-to-date assessment of threats
- clearly defined and agreed roles and responsibilities
- established appropriate monitoring of all management traffic for at least 90 days
- discussed membership of the ACSC’s MSP3 program with your provider(s)
The Australian Government Information Security Manual, our guideline for system management, can help organisations to use their risk management framework to protect their information and systems from cyber threats.
Remote Desktop Services – Microsoft customer guidance
On 14 May 2019, Microsoft issued a security advisory about a new vulnerability that affects older Microsoft operating systems. The update addresses a vulnerability that malicious actors may use to gain access to, or perform other malicious activity on, affected systems.
Microsoft also wrote a blog post about the potential impact to customers using affected platforms and included advice on mitigation strategies.
The ACSC highly recommends patching your affected systems until you can migrate to a supported operating system.
What to do if your company is compromised
If your organisation has been a victim of a cybercrime, report it to the Australian Cybercrime Online Reporting Network (ACORN).
To learn more about the OAIC Notifiable Data Breaches scheme, go to the OAIC website.
To report a cyber security incident, email email@example.com or call 1300 CYBER1 (1300 292 371).
More information on improving cyber security within your business is available via cyber.gov.au.