Surge in Brute Force RDP Attacks Globally During COVID-19 Pandemic

Due to the COVID-19 Pandemic, many groups have have to quickly set up remote working capabilities for their staff.

As a result of this there has been increased potential for cybercriminals to initiate campaigns. Remote workers have been attacked on an even greater scale during the COVID-19 lock down, with a special focus being made on application-level protocols used by remote workers to connect to corporate systems.

Remote Desktop Protocol (RDP) is a proprietary communications protocol created by Microsoft to allow employees, IT workers, and others to remotely connect to corporate systems, services, and virtual desktops. The protocol has been implemented by many groups to allow their employees to work from home on personal computing devices.

New data from Kaspersky indicates a major global rise in brute force attacks on RDP as this has proven particularly popular with hackers due to the increase in remote workers accessing systems via RDP.

For employees to connect using RDP they would need to enter a username and password. Brute force attacks on RDP are conducted to guess those passwords, which includes trying different password combinations until the right one is calculated. That can take a long time for complex passwords, but the attacks begin with dictionary words and passwords obtained in earlier data breaches. Annual worst passwords lists show a great deal of people still opt for easy to remember passwords, which can be correctly guessed in these automated RDP attacks in a matter of seconds.

Once these details have been correctly guessed, they can be used to remotely log on to whatever systems an employee is authorized to use. Even if a fairly low-level set of credentials is compromised, it can give cybercriminals the foothold in the network to conduct extensive attacks on the group. These unauthorized logins using stolen credentials can be tricky for IT security teams to identify.

Once access is obtained, hackers can take control of email accounts and send phishing emails internally to other staff members. As has been made clear in the many phishing incidents reported by healthcare suppliers in recent months, a single email account compromise could result in a data breach involving hundreds, thousands, or even hundreds of thousands of patents’ protected health data. Ransomware and other malware can also be downloaded.

The extent of the attacks is worrying. Kaspersky security researcher, Dmitry Galov said: “During the last year, there were some spikes of such attacks in different regions, but they were mainly local and small. Right now, we can see that almost worldwide, the amount of attacks increased significantly. For instance, in February we witnessed 93,102,836 attacks globally. In April, the figure was already 326,896,999.”

The amount of RDP brute force attacks in the United States more than doubled between January 2 and March 3, and almost tripled by April 7, when there were 1.4 million RDP brute force attacks discovered.

Increase in Brute Force RDP Attacks. Source: Kaspersky

The brute force RDP attacks are likely to go on being witnessed at high levels for the foreseeable future, and certainly until the amount of remote employees reduces once the COVID-19 crisis is ended.

There are many steps that firms can take to address these attacks. One of the most important steps to take is to create password policies that force users to set strong passwords that are difficult to guess. Two-factor authentication is also crucial. If a password is guessed, a second factor must be given before a connection is permitted. Staff members should also use a corporate VPN to connect remotely along with Network Level Authentication (NLA) measures to prevent unauthorized access attempts. Kaspersky also reminds us that if RDP is not being used by remote employees, port 3389 should be turned off.