RDP Password Attacks Are on the Rise During the COVID-19 Pandemic

RDP Attacks COVID-19

During their scams, cybercriminals often try to trick victims into thinking that there's an emergency that needs to be addressed quickly. By doing this, the targets are much more likely to be in a hurry to act, and when they're in a hurry, they are much more likely to make mistakes. Sometimes, however, the criminals don't need to create these emergencies. Sometimes, the emergencies are caused by outside factors, and all the crooks need to do is take advantage of the resulting errors. Last week, ESET gave us a brilliant example of how global events can create the right environment for cyberattacks.

A few months ago, countries all around the world declared a state of emergency because of the COVID-19 outbreak, and hundreds of thousands of workers were told that they should work from home. For many, this meant using their own computers and devices, but they still needed access to sensitive corporate networks and data. To avoid downtime, the setups needed to be done in a hurry, and predictably, that's where things went wrong.

Poor RDP setups lead to a spike in the number of attacks

RDP stands for Remote Desktop Protocol, and as its name suggests, it's one of the ways in which you can set up a remote connection between two devices. The coronavirus outbreak led to a spike in its usage, which, in turn, resulted in quite a lot more cyberattacks targeting employees' RDP connections. In fact, according to ESET's telemetry, in late January, about a month and a half before the World Health Organization declared the coronavirus outbreak a pandemic, the number of RDP attacks hovered around 40 thousand per day. By contrast, in May, about a month and a half after people were told to stay at home, ESET registered a peak of 100 thousand daily attacks.

Weak passwords and insecure network configurations make RDP connections easily exploitable

RDP attacks are not new. The protocol itself has been around for ages, and hackers have been exploiting it for a while. Age isn't the problem here, though.

RDP connections can be configured to be secure, but the large number of attacks we see every day proves that people just aren't doing it. The COVID-19 pandemic might be the reason for the current spike, but the attacks themselves would have been impossible if it wasn't for people's configuration mistakes.

The biggest problem is password management. Most attacks on protocols like RDP and SMB rely on brute-force techniques to guess the login credentials that enable the remote session, and the fact that the crooks are still using them after all these years proves that people are still protecting sensitive corporate data with easy-to-crack passwords. Of course, it would be even better if the crooks have no way of logging in at all, and there are tools that can ensure that as well. It would appear, however, that system administrators have failed to implement them, and when it comes to the currently exposed networks, at least a part of the reason for this is the pressure they were under to quickly close the offices when the lockdown was announced.

RDP attacks can result in anything from ransomware outbreaks to cryptojacking campaigns

The consequences of poorly configured RDP connections could be pretty catastrophic. After guessing a password and logging in, the hackers can gain administrative privileges with relative ease, which means that they can do pretty much anything they want. Ransomware operators have been using RDP to lock the data of businesses and organizations for years, and recently, they've used the access they have to steal invaluable information as well. Hackers who prefer more silent attacks can also engage in other criminal activities like cryptojacking.

All in all, RDP is a very powerful attack vector, and system administrators must take its security seriously. If their organization needs to use RDP, they should configure the firewall to disallow external connections to the protocol's ports, and ideally, they'll hide it behind a VPN gateway. Sysadmins need to be well aware of who is going to use the protocol, and they must make sure that all users employ unique, strong passwords as well as two-factor authentication.

July 6, 2020

One Comment

  • Enzo:

    Certa gente non si risparmia neanche in situazioni gravose come quella della pandemia. Grazie per l'articolo, molto interessante. Sarebbe utile scrivere un commento dedicato solo a consigli su come evitare questo tipo di attacchi.