COVID-19 Remote Work Causes Spike in Brute-Force RDP Cyberattacks

April 30, 2020 - The number of brute-force attacks on remote desktop protocol (RDP) servers has drastically increased amid the COVID-19 pandemic, as a record number of employees are now working from home, according to security firm Kaspersky.

To remotely access Windows workstations and servers, organizations are increasingly relying on RDP servers, Microsoft’s proprietary protocol. As a result, there’s been a staggering increase in criminal activity, with hackers working to exploit the crisis to attack the corporate resources available to remote workers.

As recently noted by the Department of Homeland Security, far too many enterprises are rushing new technologies to support the spike in remote work – and are adding vulnerabilities to their threat landscape in the process.

“Since the beginning of March, the number of Bruteforce.Generic.RDP attacks has rocketed across almost the entire planet,” researchers wrote. “Brute-force attackers are not surgical in their approach but operate by area.”

“As far as we can tell, following the mass transition to home working, they logically concluded that the number of poorly configured RDP servers would increase, hence the rise in the number of attacks,” they added.

In these attacks, the cybercriminals are attempting to breach the RDP by systematically trying all possible credential combinations until they find the correct one. Researchers explained searches for username and password combinations are based on random characters, or popular or compromised passwords.

If successful, the brute-force attack would give the hacker a door into the enterprise network.

RDP brute-force attacks aren’t a new concept, especially for the healthcare. In September, McAfee reported hackers are increasingly leveraging these attacks to gain footholds into victim networks, given many are highly vulnerable and operating on legacy platforms.

In fact, Microsoft issued a rare patch for some legacy systems after researchers discovered a critical flaw known as BlueKeep. The RDP vulnerability would allow for remote code execution of RDP without authorization.

A successful exploit would spur a devastating impact, likened to the 2019 global WannaCry attack. The concern was so great that DHS and Microsoft released continued warnings throughout the year, urging organizations to apply the software update to prevent compromise.

These vulnerable endpoints are also highly favored by ransomware hacking groups. In October, the FBI warned of an increase in ransomware attacks, including brute-force attacks on RDP using trial-and-error user credentials and credentials purchased from the dark web.

Most recently, Microsoft reported a spike in human-operated ransomware attacks, with some hackers favoring exploit attempts on RDP servers.

“RDP credentials can be brute-forced, obtained from password leaks, or simply bought in underground markets,” McAfee researchers explained in an earlier report.

“Where past ransomware criminals would set up a command and control environment for the ransomware and decryption keys, most criminals now approach victims with ransom notes that include an anonymous email service address, allowing bad actors to remain better hidden,” they added.

Kaspersky researchers stressed that these remote-access infrastructure attacks will continue into the foreseeable future, which means organizations must have strong password policies in place, including using different passwords to access different corporate resources.

RDP access should only be made available through a corporate Virtual Private Network (VPN) and should also leverage Network Level Authentication (NLA), which requires users to authenticate their identity before the session connects with the server.

And two-factor authentication should be used, as well as a reliable security solution.

Employees should be retrained on digital security basics, and all software on employee devices must be updated. Encryption should also be used on all devices meant for work purposes when possible, and security solutions should be installed on workforce devices, including tools to track equipment in case of loss. Critical data should also be backed up.

If an organization does not leverage RDP, the endpoint should be disabled and port 3389 should be closed. But even if the enterprise is leveraging an alterative remote-access protocol from RDP, there are a host of vulnerabilities found in other remote access tools, such as VPNs and the VNC protocol.

“Companies need to closely monitor programs in use and update them on all corporate devices in a timely manner,” researchers wrote.

“This is no easy task for many companies at present, because the hasty transition to remote working has forced many to allow employees to work with or connect to company resources from their home computers, which often fall short of corporate cybersecurity standards,” they concluded.