Experts saw 100k+ daily brute-force attacks on RDP during COVID-19 lockdown

Pierluigi Paganini June 29, 2020

Researchers revealed that the number of daily brute-force attacks on Windows RDP has doubled during the pandemic lockdown.

Security experts from ESET revealed that the number of daily brute-force attacks on Windows RDP has doubled during the COVID-19 lockdown.

The phenomenon is not surprising: during the COVID-19 lockdown employees were forced to work from home and to access company infrastructure remotely.

Cybercriminals are aware of this situation and are attempting to take advantage of the crisis. In April, researchers from Kaspersky Lab reported a significant increase in the number of RDP brute-force attacks since the beginning of the COVID-19 pandemic.

In early April, researchers from Shodan reported a 41% increase in the number of RDP endpoints exposed online since the beginning of the COVID-19 pandemic.

RDP brute-force attacks skyrocketed in March because the remote working imposed during the COVID-19 pandemic forced organizations to expose more systems online, accessible through RDP connections.

Threat actors, especially ransomware operators, intensified their operations attempting to brute-force Windows remote desktop service to access target organizations.

ESET researchers also said the attackers attempt to exploit RDP connections to install coin-mining malware or create a backdoor.

Threat actors also conduct the following actions after an RDP compromise:

  • clearing of log files, thus removing the evidence of previous malicious activity,
  • downloading and running the attacker’s choice of tools and malware on the compromised system,
  • disabling of scheduled backups and shadow copies or completely erasing them, or
  • exfiltrating data from the server.

Unfortunately, most organizations neglect the protection of RDP access: workers use easy-to-guess passwords, with no additional layer of authentication or protection.

ESET telemetry data shows a significant increase in the daily number of brute-force attacks against RDP.

Between December 2019 and February 2020, the experts observed between 40,000 and 70,000 attacks on a daily basis. The situation changed from February, when the number reached 80,000.

The number of attacks surpassed 100,000 in April and May, while most countries were reporting a peak in COVID-19 infections.

Most of the attacks between January and May 2020 originated from IP addresses in the U.S., China, Russia, Germany, and France. Most of the targeted IP addresses were in Russia, Germany, Brazil, and Hungary, ESET telemetry data shows.

Below are the recommendations provided by ESET on how to configure remote access correctly:

  • Disable internet-facing RDP. If that is not possible, minimize the number of users allowed to connect directly to the organization’s servers over the internet.
  • Require strong and complex passwords for all accounts that can be logged into via RDP.
  • Use an additional layer of authentication (MFA/2FA).
  • Install a virtual private network (VPN) gateway to broker all RDP connections from outside your local network.
  • At the perimeter firewall, disallow external connections to local machines on port 3389 (TCP/UDP) or any other RDP port.
  • Protect your endpoint security software from tampering or uninstallation by password-protecting its settings.
  • Isolate any insecure or outdated computers that need to be accessed from the internet using RDP and replace them as soon as possible.
  • For a detailed description of how to set up your RDP connection correctly, please refer to this article by ESET Distinguished Researcher Aryeh Goretsky.
  • Most of these best practices apply to FTP, SMB, SSH, SQL, TeamViewer, VNC and other services as well.
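As an added example (not code from the article or from ESET), the following Python script shows the detection side of the problem the telemetry above describes: it counts failed RDP logons (Windows Security event 4625 with logon type 10, i.e. RemoteInteractive) per source address over a sliding time window and flags sources that exceed a threshold. The events are constructed sample data, not real telemetry.

```python
"""Flag RDP brute-force candidates from Windows Security failed-logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, logon_type, source_ip, account).
# Event ID 4625 = failed logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2020-04-01T10:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2020-04-01T10:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2020-04-01T10:00:05", 4625, 10, "203.0.113.7", "backup"),
    ("2020-04-01T10:00:08", 4625, 10, "203.0.113.7", "user1"),
    ("2020-04-01T10:00:09", 4625, 10, "203.0.113.7", "test"),
    ("2020-04-01T10:00:12", 4625, 10, "203.0.113.7", "sql"),
    ("2020-04-01T10:05:00", 4625, 10, "198.51.100.2", "alice"),  # a single typo
    ("2020-04-01T10:05:30", 4624, 10, "198.51.100.2", "alice"),  # then success
    ("2020-04-01T10:10:00", 4625, 3, "192.0.2.9", "svc"),        # network logon, not RDP
]


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (max_failures_in_window, sorted distinct accounts)}
    for every source with at least `threshold` failed RDP logons inside
    any `window`-long interval. Non-RDP logon types are ignored."""
    failures = defaultdict(list)
    for ts, event_id, logon_type, src, account in events:
        if event_id == 4625 and logon_type == 10:
            failures[src].append((datetime.fromisoformat(ts), account))

    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        best, start = 0, 0
        # Sliding window: advance `start` until the span fits inside `window`.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = (best, sorted({acct for _, acct in attempts}))
    return flagged


if __name__ == "__main__":
    for src, (count, accounts) in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {count} failed RDP logons, accounts tried: {', '.join(accounts)}")
```

The same logic applies to events exported from a SIEM or from Get-WinEvent; the threshold and window should be tuned so that a single mistyped password, like the 198.51.100.2 entry above, is not flagged.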

Pierluigi Paganini

(SecurityAffairs – hacking, COVID-19)
