A Massive Increase in RDP Brute-Force Attacks Reported During Pandemic Lockdown
Cybercriminals have been attempting to exploit the COVID-19 epidemic situation, by targeting the remote workforce with all possible attack methods. A recent report by cybersecurity company ESET also indicates a sharp increase in attacks on the remote infrastructure.
RDP brute-force attacks on the rise
In June, ESET reported that its telemetry data since December 2019 has shown a sharp increase in the brute force attacks on systems using the Windows Remote Desktop Protocol (RDP).
- The frequency of the RDP brute-force attacks had increased to more than 100,000 attempts per day in the months of April and May 2020. Between December 2019 and February 2020, the frequency of daily attack attempts was around 40,000 to 70,000 per day.
- Most of the attack attempts originated from the U.S., China, Russia, Germany, and France, while most of the targeted IP addresses were located in Russia, Germany, Brazil, and Hungary.
- In most of the attack attempts, attackers tried to install ransomware, crypto-miners, and backdoors on the target machine. Besides these attacks, hackers also attempted to steal data, install other malware, or delete log files.
Malware leveraging RDP brute-force attacks
During the past few months, many malware have been observed leveraging the RDP brute-force attack techniques to penetrate into their victim’s network.
- In June, the Nephilim ransomware operators were seen targeting the Australian Logistic company Toll Group by using exposed RDP connections for infection.
- In March, the Trickbot malware was updated to include a new module "rdpScanDll" which could allow the malware to brute-force RDP credentials.
To prevent threats related to RDP brute-forcing, use strong passwords, and minimize the number of users authorized to connect directly to the organization’s servers over the internet. If not required, disable the internet-facing RDP connections.