The number of daily brute-force attacks against Windows remote desktop service has almost doubled during the pandemic lockdown, telemetry data shows.
With the increase of remote workers during the COVID-19 period, many users no longer relied on the infrastructure monitored by the company to access sensitive information on the network.
Thousands of daily attacks
Personal devices became the main instrument to connect to the work environment via remote desktop services, Windows Remote Desktop Protocol (RDP) being the most prevalent.
Convenience in this context took precedence and many users set up easy-to-guess passwords without enforcing additional security layers, such as two-factor authentication.
Cybercriminals did not waste this opportunity and increased the number of brute-force attacks targeting RDP services, in an attempt to gain access to the company network, increase privileges to admin level, and deploy their malware.
Telemetry data recorded by cybersecurity company ESET since December 1, 2019, shows a steep increase in the daily number of brute-force attacks against RDP.
Between December 2019 and February 2020, the daily values ranged between 40,000 and 70,000 attacks. The upward trend started in February, when the number shot up to 80,000.
Since then, the values steadily rose and went past 100,000 in April and May, which corresponds to when most countries with a high number of COVID-19 infections had declared a national emergency and were in pandemic lockdown.
According to ESET, most of the attacks between January and May 2020 originated from IP addresses in the U.S., China, Russia, Germany, and France. Most of the targeted IP addresses were in Russia, Germany, Brazil, and Hungary, ESET telemetry data shows.
The company says in a report today that ransomware is the main risk following an RDP compromise, since cybercriminals can extort victims for decrypting company data. However, cryptocurrency mining and backdoors are also a common end game for the attackers.
ESET provides the following scenarios that could follow an RDP compromise:
- clearing of log files to remove evidence of previous malicious activity
- downloading and running the attacker’s choice of tools and malware on the compromised system
- disabling of scheduled backups and shadow copies or completely erasing them
- exfiltrating data from the server
One recommendation from the cybersecurity company to defend against this type of attack is to disable RDP connections that can be accessed from the public internet.
However, this defense should be supported by other steps like using strong, unique passwords for all accounts accessible via RDP and enforcing an additional layer of authentication – two/multi-factor authentication.
Increased protection is given by installing a virtual private network (VPN) gateway that brokers all RDP connections from outside the local network. Part of the best practices are the following recommendations, which apply to other services (SMB, FTP, SSH, SQL, VNC), too:
- at the perimeter firewall, disallow external connections to local machines on port 3389 (TCP/UDP) or any other RDP port
- protect your endpoint security software from tampering or uninstallation by password-protecting its settings
- isolate any insecure or outdated computers that need to be accessed from the internet using RDP and replace them as soon as possible
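As an added illustration of the brute-force pattern the telemetry describes (example code, not from the article or ESET's report): the check below scans constructed Windows Security logon events and flags source IPs that rack up repeated failed RDP logons in a short window, the signal a defender would alert on alongside the perimeter controls listed above. The simplified log format, the sample addresses and the thresholds are assumptions.

```python
# Added example, not from the article or the ESET report: flag RDP brute-force
# sources by counting failed logons per source IP inside a sliding time window.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified Windows Security log form (4625 =
# failed logon, 4624 = success; LogonType 10 = RemoteInteractive, i.e. RDP).
SAMPLE_LOG = """\
2020-04-20T02:00:01 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-04-20T02:00:02 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2020-04-20T02:00:03 4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2020-04-20T02:00:04 4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.7
2020-04-20T02:00:05 4625 LogonType=10 TargetUserName=user IpAddress=203.0.113.7
2020-04-20T02:00:06 4624 LogonType=10 TargetUserName=user IpAddress=203.0.113.7
2020-04-20T02:01:00 4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.9
2020-04-20T02:00:07 4625 LogonType=2 TargetUserName=jdoe IpAddress=192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) (\d+) LogonType=(\d+) TargetUserName=(\S+) IpAddress=(\S+)$")

def parse_events(text):
    """Parse matching lines into (ts, event_id, logon_type, user, ip), sorted by time."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts, event, ltype, user, ip = m.groups()
        events.append((datetime.fromisoformat(ts), event, ltype, user, ip))
    return sorted(events)

def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (failures_in_window, distinct_users, success_after_burst)}."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> distinct account names tried
    flagged = {}
    for ts, event, ltype, user, ip in events:
        if ltype != "10":
            continue              # ignore local/network logons, RDP only
        if event == "4625":
            q = recent[ip]
            q.append(ts)
            users[ip].add(user)
            while ts - q[0] > window:
                q.popleft()       # age out failures older than the window
            if len(q) >= threshold:
                flagged[ip] = (len(q), len(users[ip]), False)
        elif event == "4624" and ip in flagged:
            # a success right after a flagged burst: the guessed password likely worked
            flagged[ip] = flagged[ip][:2] + (True,)
    return flagged
```

A burst of failures followed by a success from the same address is the case worth paging on; a single failed logon per source, as with 198.51.100.9 here, stays below the threshold.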