What Is an RDP Attack and How to Protect Yourself Against It?

RDP Attacks

To say that the COVID-19 crisis caught us off guard would be the understatement of the decade. Nobody was expecting the outbreak to be this big, and when we did realize just how serious the problem was, a wave of terror resonated throughout countries and continents. Genuine panic set in, and, perhaps not surprisingly, cybercriminals tried (and, in many cases, managed) to take advantage of this.

Meanwhile, the social distancing regulations imposed in many countries meant that thousands of companies sent their employees to work from home. You probably won't be too surprised to find out that the cybercriminals have tried to exploit that as well.

Cybercriminals attack RDP while the world is stuck at home

Last week, researchers from Kaspersky presented a series of charts that illustrate yet another change brought by the COVID-19 pandemic.

It's about RDP attacks and how much more widespread they have been since the beginning of the lockdown. The numbers differ from country to country, but the trend is as clear as daylight – attacks against the RDP protocol have become much more popular ever since the coronavirus pandemic began.

This new finding won't be too much of a shock for those of you who know what RDP is. Those who don't can now find out.

What is RDP, and why do cybercriminals love it so much?

RDP is short for Remote Desktop Protocol. It's an application communication protocol that lets a user connect to a remote Windows computer or server and use the operating system's graphical interface. It was developed by Microsoft, and by default, it uses port 3389. As you might have guessed, an RDP connection to a remote endpoint happens after you enter a set of valid login credentials.

RDP has been around for a while, and attacks against it are almost as old as it is. Over the years, security researchers have identified a number of vulnerabilities, and there have been plenty of hacking tools that exploit the weaknesses. The most common way of compromising RDP, however, is with a humble brute-force attack.

Users' woeful password management habits reflect on the security of RDP as well. Armed with lists of simple and predictable login credentials, hackers can easily compromise a large number of computers and servers that have RDP running. The attack might be simple, but because it gives cybercriminals more or less unobstructed access to the compromised endpoint, the harm that could be caused by it is enormous. Because of this, there are dark web marketplaces dedicated to trading compromised RDP credentials.

The attacks against RDP-enabled endpoints have become more popular during the COVID-19 pandemic for a few obvious reasons. Although employees were sent to work from home, they still needed to have access to corporate resources over the network, and many organizations decided to establish it through the Remote Desktop Protocol. As you can see from Kaspersky's charts, the cybercriminals hope that the RDP configuration isn't especially secure in some of the cases, and unfortunately, they may well be right.

As we mentioned already, historically, system administrators have been making mistakes left, right, and center when it comes to RDP configuration, and this time, they were forced to establish a working environment for many users in a hurry, which further increases the likelihood of mistakes.

How to protect yourself against an RDP attack?

For the most part, attacks on RDP are simple brute-force attempts, and as you probably know, the simplest way to protect yourself against any brute-force attack is with a strong password that is not reused anywhere else. RDP does represent a larger attack surface, however, which is why system administrators could do worse than consider one or two other things as well.

Make sure that anyone using the protocol has updated their software, and if you have a corporate VPN, enable RDP only through it. Use two-factor authentication where possible, and try not to use the protocol's default configuration. This might not necessarily stop the hackers, but it could slow them down, and often, this is all that's needed. Last but not least, if you don't need RDP, just disable it and close port 3389.

May 4, 2020

Leave a Reply