Two months ago, the number of people working from home skyrocketed. Remote work has now become the new normal for many companies the world over. Although this change was brought about by the Covid-19 pandemic, for many organizations, remote work is likely here to stay as a permanent part of their corporate culture.
To make remote work easier, many companies rely on remote desktop connections. Employees can use these connections to access their work computer’s desktop from anywhere; this way, they can work as if they were in the office. Such connections, however, go hand in hand with some serious security risks.
Brute force attacks against RDP
One of the most common ways to connect to remote desktops is with RDP (Remote Desktop Protocol), a proprietary Microsoft protocol that is available in all versions of Windows starting with XP.
In recent weeks, the number of brute force attacks on RDP connections has shot up. These are automated attacks whose aim is to take over corporate desktops and infiltrate networks. If a cybercriminal managed to get a foothold this way, they could do all the things that a legitimate employee can, including accessing confidential data and using corporate email. The illegitimate use of corporate email addresses could facilitate spear phishing attacks. This sudden increase in attacks is doubtless related to the unprecedented number of people working from home.
Even before the current situation, this kind of RDP cyberattack was extremely common: There were around 150,000 attempts every day. However, at the start of March, when the stricter lockdown measures came into effect, almost a million attempted brute force attacks on RDP connections were registered every day.
TrickBot facilitates RDP attacks
It is no coincidence that in March, the notorious Trojan TrickBot added a new module—rdpScanDll—that is used to carry out brute-force attacks on RDP connections. This module has been used in attacks against several targets, including organizations in the education and financial services sectors.
The dangers of this protocol
This spike in RDP attacks is not the only security problem that this protocol has experienced in recent years. In May 2019, a serious vulnerability called BlueKeep was discovered in older versions of the protocol. Just a month after it was discovered, an active campaign was spotted exploiting this vulnerability. Then, in August of the same year, four new vulnerabilities were discovered in the protocol.
Protect your RDP connection
RDP connections are an ideal attack vector for cybercriminals: A poorly protected RDP connection can provide them with access to the whole corporate system. For this reason, protecting such connections must be a priority for any company that is using them to work at the moment.
To protect endpoints against brute force attacks, it is important to use a secure password and not to recycle old passwords. This last point is especially important when it comes to stopping credential stuffing attacks, which try to gain access to systems using passwords gathered in data breaches, and which are similar to brute-force attacks.
Doing away with these connections is not an option right now. This means that companies need the capacity to monitor absolutely all the activity on the company’s endpoints to be able to spot any suspicious RDP activity. Panda Adaptive Defense constantly monitors all of the activity of every system process. In addition to stopping any unknown process, it monitors the behavior of known processes. This way, it can stop any malicious use of legitimate tools.
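One concrete way to spot the suspicious RDP activity described above is to watch the Windows Security log for bursts of failed logons (event 4625) of type 10 (RemoteInteractive, i.e. RDP) from a single source, and to raise a higher-priority alert when such a burst is followed by a successful logon (event 4624) from the same source. The detector below is an added example, not Panda's code; the event records are constructed sample values, and the threshold and time window are assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security log events:
# (timestamp, event id, LogonType, account name, source address).
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_EVENTS = [
    # attacker: six failed RDP logons in two minutes, then one success
    ("2020-05-12T09:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2020-05-12T09:00:20", 4625, 10, "admin", "203.0.113.7"),
    ("2020-05-12T09:00:41", 4625, 10, "jsmith", "203.0.113.7"),
    ("2020-05-12T09:01:03", 4625, 10, "backup", "203.0.113.7"),
    ("2020-05-12T09:01:25", 4625, 10, "jsmith", "203.0.113.7"),
    ("2020-05-12T09:01:50", 4625, 10, "jsmith", "203.0.113.7"),
    ("2020-05-12T09:02:10", 4624, 10, "jsmith", "203.0.113.7"),
    # employee who mistyped a password twice, then logged in normally
    ("2020-05-12T09:05:00", 4625, 10, "mlee", "198.51.100.20"),
    ("2020-05-12T09:05:15", 4625, 10, "mlee", "198.51.100.20"),
    ("2020-05-12T09:05:30", 4624, 10, "mlee", "198.51.100.20"),
    # a non-RDP (network, LogonType 3) failure is ignored by this detector
    ("2020-05-12T09:06:00", 4625, 3, "svc", "192.0.2.9"),
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (source, kind, failure_count) tuples.

    kind is 'burst' when a source reaches `threshold` failed RDP logons
    inside `window`, and 'burst_then_success' when a successful RDP
    logon from that source arrives while such a burst is still recent.
    Threshold and window are assumed values; tune them to your estate.
    """
    rdp = sorted((e for e in events if e[2] == 10),
                 key=lambda e: datetime.fromisoformat(e[0]))
    failures = defaultdict(list)  # source -> timestamps of recent failures
    flagged = set()               # sources already reported as a burst
    alerts = []
    for ts, event_id, _logon_type, _user, src in rdp:
        t = datetime.fromisoformat(ts)
        # keep only failures that fall inside the sliding window
        recent = [x for x in failures[src] if t - x <= window]
        if event_id == 4625:
            recent.append(t)
            failures[src] = recent
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "burst", len(recent)))
        elif event_id == 4624 and len(recent) >= threshold:
            alerts.append((src, "burst_then_success", len(recent)))
    return alerts
```

A 'burst_then_success' alert is the one to treat as a probable compromise rather than noise, since it matches the foothold scenario the article describes.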
RDP connections make remote work much easier for a huge number of companies. Make sure they are properly protected with Panda Adaptive Defense.
1 comment
This is the 3rd or fourth write up I’ve looked at re: RDP vulnerabilities. All talk about things you can do to configure RDP correctly and talk about making sure passwords are complex and there is a limit to the number of login attempts. Only 1 such article so far talks about the most important and best way to protect your infrastructure. VPN. Why is this not the first thing to do? Having a Windows logon available at all is just asking for trouble. I’ve been working in IT for 35 years in different roles, and I’ve never configured a client to have RDP access without a VPN, and no one else should either.