Rise in brute-force attacks on remote desktop accounts amid COVID-19 crisis

Following the global lockdown due to the COVID-19 pandemic, organisations around the world have introduced the remote working culture to keep the day to day business running. Needless to say, this has increased the volume of cyber threats and attacks globally.

A recent study conducted by Dmitry Galov, security researcher at Kaspersky, has revealed an increase in brute-forcing attempts aimed at users of Microsoft’s proprietary Remote Desktop Protocol (RDP).

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection. With remote working in place, many employees have now connected their computers with their company network remotely and are now witnessing an increase in cyber attacks.

As per Galov’s research, brute-force attacks targeting remote desktop protocols have increased remarkably since March. The main motive behind these attacks is to exploit the COVID-19 crisis to attack corporate resources that have adopted the remote working facility.

Kaspesky defines a brute-force attack as a form of cyber attack that involves cyber criminals using many username and password combinations to log in to targeted online accounts until the correct combination is found. “The search can be based on combinations of random characters or a dictionary of popular or compromised passwords,” Galov said.

“Brute-force attackers are not surgical in their approach, but operate by area. As far as we can tell, following the mass transition to home working, they [cyber criminals] logically concluded that the number of poorly configured RDP servers would increase, hence the rise in the number of attacks,” Galov added.

Galov also recommended necessary tips for RDP users to ensure all possible protection measures:

  • Using strong passwords.
  • Making RDP available only through corporate VPNs.
  • Using Network Level Authentication (NLA).
  • Disabling unused RDPs and closing port 3389.
  • Using a reliable security solution.

Security firm Kaspersky has also advised companies to keep a close watch on the use of remote desktop protocols and update them in a timely manner. Following are the firm's recommendations for organisations:

  • Give employees training in the basics of digital security.
  • Use different strong passwords to access different corporate resources.
  • Update all software on employee devices to the latest version.
  • Use encryption on devices used for work purposes.
  • Create backup copies of critical data.
  • Install security solutions on all employee devices, as well as solutions for tracking equipment in case of loss.

"Since RDP is the protocol used for admins, once it is compromised the attacker will have access to anything the admin does. The next step will be to ensure they can maintain access. This can be through other exploits like installing Remote Access Trojans (RATs) or creating more accounts with elevated privileges. After that, anything goes. This can range from data exfiltration (like in the Target breach) or Ransomware (like Saudi Aramco)," said Daniel Conrad, field strategist at One Identity.

Commenting on the widespread use of poorly-protected Windows PCs with Remote Desktop Protocol, David Kennefick, product architect at Edgescan, told TEISS last year that according to the edgescan vulnerability stats report from 2019, 3.05% of systems undergoing continuous profiling had RDP exposed. This constituted 7,625 machines in a sample of 250,000 systems. Given that all it takes is one mispatched/unpatched machine for a security incident to take place, these organisations should make sure that their patching policy is updated and that they obtain full visibility over their exposed entry points.

“The safest approach is to not allow any communication to the exposed services unless it is expected. This can be done with simple security groups in AWS and Azure, which allow you to specify where access is allowed from,” he added.

ALSO READ: New ransomware family exploiting poor security in remote desktop services

MORE ABOUT: