COVID-19 , Governance & Risk Management , Remote Workforce
RDP Brute-Force Attacks Rise During COVID-19 Crisis: ReportAttackers Targeting At-Home Workers Connecting to Corporate Networks
The number of brute-force attacks targeting remote desktop protocol connections has spiked since the Covid-19 pandemic forced employees all over the world to work at home, according to an analysis from security firm Kaspersky.
RDP is a proprietary Microsoft communications protocol used by system administrators and employees to remotely connect to corporate systems and services. In many cases, RDP is accessed through usernames and passwords, which can make them susceptible to brute-force attacks.
See Also: A Guide to Passwordless Anywhere
As a result of the shift to telework and the surge in the use of RDP, attackers now have more opportunities to target weak credentials with brute-force methods, according to the Kaspersky analysis.
"Attacks of this type are attempts to brute-force a username and password for RDP by systematically trying all possible options until the correct one is found," the report notes. "The search can be based on combinations of random characters or a dictionary of popular or compromised passwords. A successful attack gives the cybercriminal remote access to the target computer in the network."
In March, the operators of the Shodan search engine released a report that showed the number of internet-connected devices with RDP connections had grown this month to about 4.6 million worldwide.
Credentials that can be used in brute-force attacks can be purchased on darknet sites and underground forums for as little as $20 for a batch of usernames and passwords, researchers say.
Once RDP connections are compromised, attackers can deploy malware, steal data or move laterally throughout a corporate network to conduct further reconnaissance (see: Ransomware: Average Business Payout Surges to $111,605).
"We can't say how attackers behave in case of a successful compromise of workstation, but possible scenarios include ransomware, corporate espionage and loss of personal data," Dmitry Galov, a security researcher at Kaspersky who worked on the report, tells Information Security Media Group.
While earlier spikes in brute-force RDP attacks have come and gone across different regions, the increase since the COVID-19 pandemic is global in scope, Galov says.
"During the last year, there were some spikes of such attacks in different regions, but they were mainly local and small," Galov says. "Right now, we can see that almost worldwide, the amount of attacks increased significantly. For instance, in February we witnessed 93,102,836 attacks globally. In April the figure was already 326,896,999."
In the U.S., for example, the number of brute force attacks targeting RDP on Jan. 2 stood at about 256,000. That number increased to 586,000 on March 3 and spiked to 1.4 million attacks on April 7, according to the Kaspersky analysis.
Other regions have seen similar brute-force attack spikes. In Germany, for example, attacks increased from about 130,000 on Jan. 2 to a high of 830,000 on April 12, according to the report. Italy recorded a spike of 980,000 brute-force attacks targeting RDP on March 17, and Russia saw 960,000 brute-force attacks on April 15.
To counter these attacks, Kasperksy recommends developing stronger passwords, only using RDP connections through a corporate VPN, deploying two-factor authentication and disabling port 3389 if RDP is not in use.
Brute-force attacks targeting devices with RDP connections likely will decline later this year when security teams develop new policies for remote workers, Galov says.
In addition to Kaspersky, other security firms are warning about a spike in attacks targeting RDP connections.
Microsoft, for instance, released a report this week about common ransomware attacks, noting that many of these start when attackers use brute-force methods to target RDP connections to gain a foothold within a network (see: 10 Ransomware Strains Being Used in Advanced Attacks).
Managing Editor Scott Ferguson contributed to this report.