We have been contacted by the National Cyber Crime Unit (NCCU), who have obtained and collated open-source information identifying a number of hosts on the empsn network that are potentially vulnerable RDP servers (Remote Desktop Protocol, also known as Remote Desktop Connection). This vulnerability is frequently targeted by criminals looking to undertake attacks such as man-in-the-middle.
The information obtained suggests the vulnerability is compounded by the use of the standard RDP port (port 3389), although other ports are also susceptible.
Where you are using remote access services, in particular RDP, we strongly suggest that system administrators check for any potential past compromise of the servers. A scan and clean of the servers should then be undertaken in order to remove any malicious software. Once this has been completed, please take action to reset all account passwords, and the passwords of any other accounts where the same or similar passwords are used.
As guidance on how to reduce the exposure of RDP servers, please consider the following:
- Consider two-factor authentication on highly sensitive systems
- Set an account lockout policy
- Ensure your passwords are a minimum of 8 characters long and contain lower and uppercase letters, numbers and keyboard symbols
- Use unique passwords on all your accounts and do not use the same login / password combination for multiple services
- Consider changing your RDP port to a ‘non-standard port’
- Restrict access using firewalls
- Restrict/limit access to RDP to authorised users
- Consider RDP Gateways
- Maintain up-to-date antivirus signatures and engines
- Deploy Microsoft’s Enhanced Mitigation Experience Toolkit (EMET)
- Perform regular backups of all critical information, storing the data offline
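As an added example that is not part of the original advisory, the following PowerShell script reports how a Windows host measures up against the checklist above (port, NLA and security layer, firewall scope, RDP group membership, lockout policy). It assumes an elevated PowerShell 5.1 or later session on the host being checked, the standard Terminal Server registry locations, and English-language `net accounts` output.

```powershell
# Added audit script (not from the advisory): checks a host against the RDP hardening list above.
# Assumes the standard Terminal Server registry paths and an elevated session.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

$ts  = Get-ItemProperty -Path $tsKey
$rdp = Get-ItemProperty -Path $rdpKey

$findings = @()
if ($ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP connections are enabled on this host'
}
# PortNumber defaults to 3389; the advisory recommends moving to a non-standard port.
if ($rdp.PortNumber -eq 3389) {
    $findings += 'RDP is listening on the default port 3389'
}
# UserAuthentication = 1 requires Network Level Authentication before a session is created.
if ($rdp.UserAuthentication -ne 1) {
    $findings += 'Network Level Authentication (NLA) is not required'
}
# SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS. With the legacy layer the
# client cannot verify the server's identity, which is what a man-in-the-middle relies on.
if ($rdp.SecurityLayer -lt 2) {
    $findings += "Security layer is $($rdp.SecurityLayer); 2 (TLS) is the hardened setting"
}

# Firewall scope: an enabled Remote Desktop rule with remote address 'Any' is reachable from anywhere.
$openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
foreach ($r in $openRules) {
    $findings += "Firewall rule '$($r.DisplayName)' allows RDP from any remote address"
}

# Who may log on over RDP via the local group (domain policy may grant the right to others).
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
Write-Host "Remote Desktop Users members: $(($rdpUsers | ForEach-Object Name) -join ', ')"

# Lockout threshold and minimum password length from the effective local policy.
$policy = net accounts
$policy | Select-String 'Lockout threshold', 'Minimum password length' | ForEach-Object { Write-Host $_.Line }
if ($policy -match 'Lockout threshold:\s+Never') {
    $findings += 'No account lockout threshold is set'
}

if ($findings.Count -eq 0) { Write-Host 'No findings against the checklist.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Each warning maps to one bullet in the list above; the script only reads settings and changes nothing.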
If you would like more help regarding this or would like to discuss this information further, please contact firstname.lastname@example.org
How to Report a Cyber-Crime
If you believe you have been a victim of a cyber-attack or have observed any criminality on your networks, please report this to Action Fraud, the UK’s national fraud and cybercrime reporting centre.
For further information and guidance on passwords and general cyber security please visit:
We also have information around malware removal including links to a number of tools and toolkits – https://www.empsn.org.uk/malware-removal/