Researchers from Microsoft have analyzed several months’ worth of data to investigate RDP brute force attacks occurring across Microsoft Defender ATP customers. The study involved 45,000 machines that had both RDP public IP connections and at least 1 network failed sign-in.
The experts discovered that, on average, several hundred machines per day had a high probability of being targeted by RDP brute force attack attempts.
The experts noticed that the brute force attacks lasted 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more.
Around 0.08% of RDP brute-force attacks are successful, and RDP brute-force attacks last 2-3 days on average.
The experts collected details about both failed and successful RDP login events, these events are coded with ID 4265 and 4264, respectively. Researchers also collected the usernames a user/attacker might have used.
In the attempt to remain under the radar, the attacks lasted days rather than hours, this means that attackers only try a few combinations per hour in each day.
“Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about .08% were compromised.” continues the report.
“Furthermore, across all enterprises analyzed over several months, on average about 1 machine was detected with high probability of being compromised resulting from an RDP brute force attack every 3-4 days.”
According to Microsoft, The Netherlands, Russia, and the United Kingdom have a larger concentration of inbound RDP connections from high-abuse IP.
Microsoft experts recommend using multiple indicators for detecting RDP inbound brute force traffic on a machine, such as:
“Monitoring suspicious activity in failed sign-ins and network connections should be taken seriously—a real-time anomaly detection capable of self-updating with the changing dynamics in a network can indeed provide a sustainable solution.” concludes Microsoft.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – RDP brute-force attacks, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
The MITRE Corporation revealed that a nation-state actor compromised its systems in January 2024 by…
China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher…
The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack…
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
This website uses cookies.