Businesses today are facing unprecedented challenges: Economies that are wobbly, full workforces who are suddenly working from home, uncertainty as to how and when business can go to back to normal (and just what “normal” will mean) – and concern about possible “second wave” events. As if all that was not enough, many companies are experiencing cyberattacks enabled by the very technology that enables their newly remote workforce to continue their work. Brute force attacks on RDP-based remote access methods have reached all-time highs, as cybercriminals exploit vulnerabilities for their own gain.
RDP (Remote Desktop Protocol), a proprietary network communications protocol developed by Microsoft, allows a user to remotely access another computer graphically. Many vendors besides Microsoft provide RDP-based clients as well.
Brute force attacks targeting RDP in the US averaged 256,000 per day in January and February 2020. By March 12, attacks surged to over 800,000 per day. That represented a shocking new level of attacks — until early April when brute force attacks on RDP ports peaked at over 1.4 million each and every day.
Why attack RDP? And why now?
Three factors make RDP remote access methods particularly attractive for cyberthieves to exploit now:
- Sheer quantity: Many more people are working from home now and using RDP than ever before.
- Easy access: Many people choose common or predictable usernames.
- Poor defenses: Despite best practices and expert advice, many people choose short simple passwords that are easy to remember – and therefore vulnerable to brute force attacks.
All of this means that potential targets are more numerous, more identifiable and easier – and cheaper — to exploit than they were just a short while ago. In fact, a batch of usernames and passwords for brute force attacks can cost as little as $20 on the dark web.
Recent reports that TrickBot malware has been upgraded to brute-force RDP accounts are clear indications of the growing popularity of RDP attacks.
RDP Attack Goals
RDP may present ripe opportunities for cybercriminals, but it is the potential for significant rewards that makes those opportunities attractive to exploit.
Criminals may have diverse objectives for their attacks:
- Ransomware. Once inside a network, a hacker can install ransomware that locks up all the data on the network. Unfortunately, many companies don’t do an adequate job of backing up their data and establishing redundant systems, making them vulnerable to ransomware demands. The average ransomware payout to get data back is $541,010111,605 – an attractive enough incentive for cybercriminals to break in.
- Corporate espionage. Unscrupulous competitors may try to steal corporate secrets directly, or pay cybercriminals to steal the secrets for them. Or criminals may steal secrets and try to sell them after the fact.
- Identity theft. Cyberthieves can discover and steal employees’ personal information. Using that data, they can directly hack into bank accounts, demand ransom, or sell the information to others on the dark web.
Protect Your Network
There are several things you can do to avoid becoming a victim of an RDP-based brute force attack:
- At a minimum, require users to use strong (long and complex) passwords.
- Make sure all users have been trained – and practice – the basics of digital security.
- Require two-factor authentication. It’s a minor inconvenience for users that pays big dividends in security.
- Only allow users to access RDP only via a VPN or other encrypted connection.
- Use anti-virus/anti-malware software.
- Be diligent about backing up your data.
- If you’re not using RDP, disable it and close port 3389.
Of course, the best way to avoid RDP-based attacks is to use a secure application and remote desktop access solution that prevents RDP from being exposed. Choose a clientless solution like Ericom Connect that can be installed quickly, easily and from a remote location, even on target desktops, so admins can also work in the safety of their own homes. Browser-based access to remote desktops cuts learning curves for users, who work just as they do in the office, only via a browser. Make sure that the solution is highly scalable and supports all the security features recommended above – multifactor authentication, single sign-on and integration with VPNs.
Criminals see crises as opportunities – after all, especially in black swan events, there will be many organizations that respond in ways that expose them to risk.
Now that the most businesses are past the initial shock, its time to step back, reassess, and seek a robust remote access solution that will not only allow all users to access the resources they need, but allows them to do so in a way that is comfortable for users, easy for IT, and keeps valuable organizational resources safe from the hackers who are ready to attack. There is no time like the present to migrate to the most secure remote access methods — a secure remote desktop solution like Ericom Connect.