RDP Brute-Force Attacks on the Rise During the Coronavirus Epidemic

Recent reports from several vendors suggest that brute-force attacks targeting Remote Desktop Protocol (RDP) endpoints have been on the rise in the past few months.

The quarantine effect

Between March and April 2020, a large number of organizations around the globe moved to working from home in response to the coronavirus epidemic, which exposed remote-working infrastructure, including RDP endpoints, to the internet.

  • The internet indexing service Shodan reported a 41% increase in the number of RDP endpoints reachable from the internet during the month of March.
  • Over the same period, the number of brute-force attempts against RDP also spiked globally, growing roughly three- to fourfold.
  • In the US specifically, the average number of RDP brute-force attempts per day grew from around 200,000 in January 2020 to between 600,000 and 800,000 in February and March 2020, and then jumped further to between 1.2 million and 1.4 million in April 2020.

How it works

RDP (Remote Desktop Protocol) is Microsoft's proprietary protocol for remote graphical access to Windows machines. It is widely used for remote administration and, in its default configuration, authenticates users with a username and password.

  • An attacker first scans IP ranges, and often TCP port ranges beyond the default 3389, for hosts running the RDP service; these can be workstations as well as servers.
  • Once an RDP listener is found, the attacker attempts to log on, typically targeting the built-in Administrator account.
  • Since Windows does not lock an account after failed logons unless an account lockout policy has been configured, the attacker can throw a large number of password combinations at the RDP endpoint until one succeeds and they gain access to the remote machine.
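What this looks like from the defender's side: the PowerShell below is an added example, not code from the original article. It flags source addresses that produce many Windows Security Event ID 4625 ("An account failed to log on") records of the RDP logon types within a short window. An RDP failure is logged with LogonType 10 (RemoteInteractive), or with LogonType 3 (Network) when the failure happens at the Network Level Authentication stage, so both are counted. The function names, the thresholds and the sample events are constructed for this example.

```powershell
# Added example (not from the original article): spotting RDP brute force in the
# Windows Security log. Function names, thresholds and sample data are made up here.

function ConvertFrom-LogonFailureEvent {
    # Flatten a 4625 EventLogRecord (as returned by Get-WinEvent) into the fields we need.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $Record.TimeCreated
            TargetUserName = $data['TargetUserName']
            IpAddress      = $data['IpAddress']
            LogonType      = [int]$data['LogonType']
        }
    }
}

function Find-RdpBruteForce {
    # Report every source IP that produced at least $Threshold RDP logon failures
    # inside any sliding window of $WindowMinutes.
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, TargetUserName, IpAddress, LogonType
        [int] $Threshold = 10,
        [int] $WindowMinutes = 5
    )
    # Keep RDP logon types only (10 = RemoteInteractive, 3 = Network when NLA is on)
    # and drop records with no source address.
    $rdp = $Events | Where-Object { $_.LogonType -in @(3, 10) -and $_.IpAddress -ne '-' }
    foreach ($group in ($rdp | Group-Object IpAddress)) {
        $times = @($group.Group | Sort-Object TimeCreated | ForEach-Object TimeCreated)
        $maxInWindow = 0; $start = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            # Advance the window start until it sits within $WindowMinutes of $times[$i].
            while (($times[$i] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            $maxInWindow = [Math]::Max($maxInWindow, $i - $start + 1)
        }
        if ($maxInWindow -ge $Threshold) {
            [pscustomobject]@{
                SourceIp      = $group.Name
                MaxInWindow   = $maxInWindow
                TotalFailures = $group.Count
                Usernames     = ($group.Group.TargetUserName | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Constructed sample: one source hammers 'Administrator' every 7 seconds, one
# legitimate user mistypes a password twice, and one failure is a local logon.
$t0 = [datetime]'2020-04-01T03:00:00'
$sample = @(
    0..24 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(7 * $_); TargetUserName = 'Administrator'; IpAddress = '203.0.113.45'; LogonType = 10 }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1); TargetUserName = 'jsmith'; IpAddress = '198.51.100.8'; LogonType = 10 }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2); TargetUserName = 'jsmith'; IpAddress = '198.51.100.8'; LogonType = 10 }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3); TargetUserName = 'svc';    IpAddress = '-';            LogonType = 2 }
)
Find-RdpBruteForce -Events $sample | Format-Table

# On a live host (elevated shell; requires failure auditing for Logon events to be enabled):
# Find-RdpBruteForce -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } | ConvertFrom-LogonFailureEvent)
```

Run against the constructed sample, only 203.0.113.45 is reported: its 25 failures fall inside a single 5-minute window, while the two failures from 198.51.100.8 stay under the threshold and the local logon is ignored. The window-based count matters more than the raw total, since a patient attacker can spread attempts out to stay under a naive daily count; lower the threshold or widen the window to taste.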

Recent attacks in the wild

Several malware families are already known to use RDP brute-force attacks against their victims.

  • In March 2020, a new TrickBot module (rdpScanDll) was observed, which allowed the malware to brute-force Remote Desktop Protocol (RDP) credentials.
  • In September 2019, the Smominru botnet was observed infecting nearly 90,000 machines in a month by brute-forcing MS-SQL, RDP and Telnet services, as well as by exploiting the EternalBlue vulnerability.
  • In June 2019, the GoldBrute botnet was found brute-forcing around 1.5 million RDP servers across the globe.
  • In January 2019, the infamous CryptoMix ransomware was enhanced with several new tricks, one of which was the capability to conduct RDP brute-force attacks.

How to stay safe?

Here are some guidelines to avoid becoming a victim of an RDP brute-force attack.

  • Avoid the default ‘Administrator’ account and create dedicated accounts for remote access instead, with non-obvious usernames and strong passwords.
  • Apply role-based privileges to all remote-access accounts, and give every user only the minimum privileges they need.
  • Set an account lockout policy so that an account is locked after a certain number of failed attempts within a specified period.
  • Use an RD Gateway, which provides a point-to-point RDP connection to a specific host and thus avoids the risks of giving traditional remote users access to all internal network resources.
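The four guidelines above, applied to a single Windows host from an elevated PowerShell session. This is an added example and not part of the original article; the account name ops-rd-7, the lockout numbers and the gateway address 10.0.0.5 are placeholders to be replaced with your own values.

```powershell
# Added example (not from the original article): applying the guidelines above on
# a Windows host. 'ops-rd-7', the lockout values and 10.0.0.5 are placeholders.

# 1. Avoid the built-in Administrator account: create a dedicated account with a
#    non-obvious name and a strong password (Get-Credential prompts for it so the
#    password never lands in shell history).
$cred = Get-Credential -UserName 'ops-rd-7' -Message 'Password for the new RDP account'
New-LocalUser -Name 'ops-rd-7' -Password $cred.Password -Description 'RDP operator account'

# 2. Least privilege: grant remote desktop rights only, not local administrator rights.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'ops-rd-7'
# Once the new account is confirmed to work over RDP, remove the well-known target.
Disable-LocalUser -Name 'Administrator'

# 3. Account lockout: lock after 5 failed attempts within 30 minutes, for 30 minutes.
net accounts /lockoutthreshold:5 /lockoutwindow:30 /lockoutduration:30
net accounts   # prints the effective policy so the change can be verified

# 4. Point-to-point access through an RD Gateway: accept inbound RDP on this host
#    only from the gateway address, so TCP 3389 is not reachable from anywhere else.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress '10.0.0.5'
```

Two caveats a practitioner will want: on a domain-joined host the local `net accounts` settings are overridden by domain policy, so the lockout threshold has to be set in Group Policy instead; and the built-in Administrator account has historically been exempt from lockout (newer Windows builds add an "Allow Administrator account lockout" policy for it), which is one more reason to disable it rather than just rename it. The `*-LocalUser` cmdlets require the LocalAccounts module shipped with Windows 10 and Windows Server 2016 or later.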