A rash of brute-forcing attempts aimed at users of Microsoft’s proprietary Remote Desktop Protocol (RDP) has come to light, striking millions per week. The attacks are a likely offshoot of cybercriminals looking to take advantage of the unprecedented numbers of employees working from home amid the COVID-19 pandemic, researchers noted.
RDP is used to connect to an image of an employee’s desktop as though the person were at their desk. It’s often used by both telecommuters as well as by tech support personnel troubleshooting an issue. A successful attack would give cybercriminals remote access to the target computer with the same permissions and access to data and folders that a legitimate user would have.
According to Dmitry Galov, security researcher with Kaspersky, organizations worldwide have seen rocketing numbers of generic brute-forcing attacks, where automated scripts try different combinations of passwords and user IDs on accounts in hopes of finding a combination that works to unlock them. Brute forcing – and its cousin, credential stuffing – have been on the rise for several quarters already thanks to large numbers of credentials from data leaks and breaches making their way to criminal underground forums.
Recently though, there’s been a massive spike, and specifically on RDP accounts. The growth in the number of brute-force RDP attacks went from hovering around 100,000 to 150,000 per day in January and February to soaring to nearly a million per day at the beginning of March, as coronavirus-related remote working got underway. The volume of attacks has ebbed and flowed since then but has remained elevated into April.
Worldwide, RDP brute-force attacks are skyrocketing. Click to enlarge.
“One of the most popular application-level protocols for accessing Windows workstations or servers is Microsoft’s proprietary protocol — RDP,” Galov said in a post issued Wednesday. “The lockdown has seen the appearance of a great many computers and servers able to be connected remotely, and right now we are witnessing an increase in cybercriminal activity with a view to exploiting the situation to attack corporate resources that have now been made available (sometimes in a hurry) to remote workers.”
It is perhaps no coincidence that the TrickBot malware added a new feature in March: A module called rdpScanDll, built for brute-forcing RDP accounts.
According to research at the time, the module has been used in campaigns against telecom, education and financial services industry targets in the United States and Hong Kong, mainly. The brute-force operations were been carried out on a list of targets that are defined and sent by the attackers – more than 6,000 IP addresses.
“Brute-force attackers are not surgical in their approach, but operate by area,” Galov wrote. “As far as we can tell, following the mass transition to home working, they logically concluded that the number of poorly configured RDP servers would increase, hence the rise in the number of attacks.”
The use of strong passwords and two-factor authentication should be table stakes when it comes to securing RDP footprints, according to researchers.
“The risk of poorly secured RDP access is real, with well-established threats ranging from opportunistic ransomware to more targeted attacks,” said Tim Wade, technical director on the CTO team at Vectra, speaking to Threatpost. “At this point, deploying remote access without multi-factor authentication (MFA) is frankly negligent and must be the minimal threshold upon which security architecture around this access is subsequently based.”
IT admins should require also make RDP available only through a corporate VPN, use Network Level Authentication (NLA), and close port 3389 if RDP is not in use, Galov noted. Overall, security researchers advocate a multilayered approach.
“While RDP allows employees to rapidly access their organization’s resources, it is not without risk,” Matt Gayford, principal consultant at the Crypsis Group, told Threatpost. “Companies should implement controls at each step in the remote-work process, starting from the connection. VPN solutions using MFA should be used to protect the point of access. If an organization opens RDP to the public without any controls in front of it, they are setting themselves up for failure. MFA, used in combination with a VPN, can help protect the account from a brute-force or credential reuse attack.”
Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.
Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.
