What are RDP attacks and how to spot them?

Malicious activities via remote access protocols have been flooding the market – there have been over a million attacks reported daily by various sources since March 2020. It is important now more than ever to understand these attacks and protect your business.

This article explores what RDP attacks are, how they work and why they’re so dangerous.

What is RDP?

Remote Desktop Protocol is a proprietary protocol developed by Microsoft which allows a user to connect to another computer over a network connection. 

Whilst it’s a very useful tool, especially in a home working scenario, the protocol is known for its security issues (in 2018 the FBI issued a special note on these). In May 2019, the cyber security market discovered a critical vulnerability called BlueKeep and within a month cybercriminals used it to launch new attacks. Then, four more vulnerabilities were found. You get the picture…

Microsoft's proprietary RDP protocol is one of the most popular – that's why we talk about it specifically. However, any remote access solution is vulnerable to some degree.

The RDP issue unfolding – what happened?

Before the pandemic changed everything, corporate data circulated within internal infrastructures, in somewhat controlled environments. But since March 2020 employees have been forced to open home-based access points to corporate environments from unsecured WiFi networks. In the meantime, users still love simple passwords and aren’t using two-factor authentication. Cybercriminals immediately took advantage.

According to Kaspersky Lab, the number of brute force attacks targeting RDP endpoints has risen sharply since the onset of the COVID-19 pandemic. ESET reports more than 100k new RDP attacks per day.

RDP attack mechanics

An RDP attack is a brute force attack that aims to guess a username and password, or an encryption key, in order to access RDP. Attackers use bots to generate candidate combinations until they hit the correct one. They can also use dictionary lists of the most popular combinations, or databases of leaked passwords.

[Image: Brute force attack example]

The goal is to get full remote access to the desired computer or server and then penetrate the corporate network via the compromised device. An attacker inserts themselves into the exchange between the two systems at the moment an RDP session is being set up and, having decrypted the packet, gains access without any notification to the client or the server.

Next, the cybercriminal disables or removes security tools and either launches a DDoS attack or runs ransomware to encrypt the corporate databases holding critical business information. Alternatively, they can steal personal data for credential stuffing and phishing, or use the vulnerable RDP host to install cryptocurrency miners, adware, spyware or other unwanted programs.

[Image: Ransomware attack example]

Some scripts can leverage user rights along a chain of RDP connections; this is called the RDPInception method. If the attacked machine can reach other servers in the network and map local drives on them, the script copies itself to the targeted Startup directories. All scripts located in a Startup directory run automatically when a user logs on to the corporate system. This way the attack affects multiple machines at once.

Why are RDP attacks so dangerous?

Puts your business at risk

One poorly secured RDP connection can open the gates to an entire corporate system, leaving the whole company and its data exposed. An example of this is a recent story of Garmin, a GPS vendor, who was forced to pay $10M to extortionists because its security specialists failed to solve the problem.

Attacks are getting more sophisticated, yet easier to execute

The criminals manage complex penetration schemes and apply a combination of methods at once. In the meantime, personal data and hacking tools are becoming more available. Just recently, the source code of Dharma – a ransomware-as-a-service offering that targets RDP – was put up for sale online. The number of password databases and brute force dictionaries is increasing, and there are now lists of servers with an open RDP port. At Variti, we have witnessed a surge of sophisticated bots that constantly scan all available access points and try to crack passwords.

Businesses aren’t protected

As COVID-19 spread, companies had to react fast and adapt to home working. Short deadlines and crisis budget cuts took priority over security measures, leaving many setups vulnerable to this day.

To make matters worse, these unprotected businesses are often unaware that such an attack is underway, so they do not think to ‘put the fire out’ either. Companies may notice decreased performance and longer than usual server response times, but often treat them with memory optimisations and other irrelevant methods.

How to tell that you are under an RDP attack?

  1. The overall system performance decreases, the response time becomes longer. What’s tricky here is that sometimes there are no spikes or dips in traffic, or anomalies in CPU load.

  2. Servers cannot connect to remote services and users cannot access their desktops.

  3. Multiple messages about attempts to guess usernames and passwords will appear in the event logs. Unfortunately, the correct display of such events is not always guaranteed, as tracking them puts a heavy load on servers. However, the event log can be configured to prioritise the events you need.
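As an added example (not from the original article), here is a small Python detector that applies point 3 to a constructed batch of Windows Security log records: it counts failed logons (Event ID 4625) per source address inside a sliding time window and notes whether a successful logon (4624) from the same address followed the burst, which is the trace a guessed password leaves behind. The event records, addresses and threshold are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (not real logs).
# 4625 = failed logon, 4624 = successful logon. LogonType 10 is
# RemoteInteractive (an RDP session); with NLA enabled, pre-session
# failures are commonly recorded as LogonType 3 (Network) instead.
EVENTS = [
    {"time": "2020-10-13T09:00:01", "id": 4625, "logon_type": 3, "user": "administrator", "ip": "198.51.100.7"},
    {"time": "2020-10-13T09:00:02", "id": 4625, "logon_type": 3, "user": "admin", "ip": "198.51.100.7"},
    {"time": "2020-10-13T09:00:03", "id": 4625, "logon_type": 3, "user": "backup", "ip": "198.51.100.7"},
    {"time": "2020-10-13T09:00:04", "id": 4625, "logon_type": 3, "user": "jsmith", "ip": "198.51.100.7"},
    {"time": "2020-10-13T09:00:05", "id": 4625, "logon_type": 3, "user": "jsmith", "ip": "198.51.100.7"},
    {"time": "2020-10-13T09:00:09", "id": 4624, "logon_type": 10, "user": "jsmith", "ip": "198.51.100.7"},
    {"time": "2020-10-13T09:05:00", "id": 4625, "logon_type": 10, "user": "mlee", "ip": "203.0.113.20"},
    {"time": "2020-10-13T09:07:00", "id": 4624, "logon_type": 10, "user": "mlee", "ip": "203.0.113.20"},
]

RDP_LOGON_TYPES = {3, 10}


def find_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {...}} for every source with at least `threshold` failed
    RDP logons inside any sliding `window`, noting whether a success came
    after the last failure from that source (a likely guessed password)."""
    failures = defaultdict(list)   # ip -> failure timestamps, in time order
    successes = defaultdict(list)  # ip -> success timestamps
    for e in sorted(events, key=lambda e: e["time"]):
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(e["time"])
        if e["id"] == 4625:
            failures[e["ip"]].append(ts)
        elif e["id"] == 4624:
            successes[e["ip"]].append(ts)

    alerts = {}
    for ip, times in failures.items():
        best, start = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop failures older than the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = times[-1]
            alerts[ip] = {"failures": best,
                          "success_after_burst": any(s > last_fail for s in successes[ip])}
    return alerts
```

A single failed attempt per source (as for 203.0.113.20 above) is normal user behaviour and is not flagged; a dense burst followed by a success is the case worth escalating.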

Protection against RDP attacks

There are multiple ways to protect your company against RDP attacks, but here are the top three reliable ones:

  1. A strong password system: a policy that enforces secure passwords and mandatory two-factor authentication.

  2. Monitor all requests: additional monitoring systems like Variti’s technology can be added to the standard event logging to get a complete picture of traffic.

  3. Network Level Authentication (NLA): NLA provides stronger protection against key spoofing by requiring authentication before and during a session.

To learn more about these top protection techniques and the many other options available, read our article How to mitigate RDP attacks.

If you would like to find out more about Variti and our technology, drop us a line via variti.com 
