The Remote Desktop Protocol (RDP), popular with many admins, poses a huge security risk to businesses. Security vendor Sophos has released its nearly four-month study, “RDP Exposed: The Threat That’s Already at your Door” and published the long-term results. It shows how cybercriminals are relentlessly trying to attack businesses via RDP.
RDP is a huge security risk for enterprises
RDP continues to be a cause of sleepless nights for system administrators. Over the past year, cybercriminals – in addition to those behind the two major ransomware attacks, Matrix and SamSam – have focused almost entirely on gaining network access via RDP, largely abandoning other methods.
Matt Boddy, security specialist at Sophos and leader of the study explains, “Recently, a remote code execution flaw in RDP – called BlueKeep (CVE-2019-0708) – has made headlines. This is such a serious vulnerability that it can be used to trigger a ransomware wave that could spread globally within hours.
Securing against RDP threats goes far beyond patching systems against BlueKeep, as this is just the tip of the iceberg. IT managers also need to pay much more attention to RDP. Because as our study shows, cybercriminals are attacking all potentially vulnerable computers with RDP by trying to figure out the passwords.”
Sophos’ new RDP study, “RDP Exposed – The Threat That’s Already at Your Door,” shows how attackers can find RDP-enabled devices shortly after they appear on the Internet. As a demonstration, Sophos deployed ten geographically distributed honeypots to measure and quantify RDP-based risks.
All ten honeypots received their first RDP login attempt within one day. Over a 30-day period, the ten RDP honeypots logged a total of 4,298,513 failed login attempts, which equates to one attack attempt every six seconds. Cybercriminals are generally thought to use websites like Shodan to search for exposed RDP endpoints. However, Sophos’ study shows that cybercriminals have their own tools and techniques to find exposed RDP endpoints and do not necessarily rely solely on third-party websites.
Hacking behavior uncovered
Sophos identified different attack patterns based on the study. These include three main profiles, the ram, the swarm, and the hedgehog:
The ram is a strategy aimed at hacking an administrator’s password. One example from the study is that over the course of ten days, an attacker made 109,934 login attempts to the Irish honeypot using only three usernames to gain access.
The swarm is a strategy that works through sequential usernames with a finite list of the worst passwords. An example from the study: on the Paris honeypot, an attacker tried the username ABrown nine times in 14 minutes, followed by nine attempts with the username BBrown, then CBrown, then DBrown, and so on. The pattern was repeated with A.Mohamed, AAli, ASmith, and others.
The hedgehog is characterized by high activity followed by longer periods of inactivity. An example in Brazil shows that each spike generated by an IP address lasts about four hours and consists of 3,369 to 5,199 password guesses.
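The three profiles above can be told apart from nothing more than the per-source timing and username distribution of failed logons. The following classifier is an added example, not code from Sophos or the study: it runs over a constructed set of failed-logon records (timestamp, source IP, username) and labels each source as ram, swarm or hedgehog using the thresholds in the code, which are assumptions chosen to match the behaviour described, not values from the report.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def sample_records():
    """Constructed failed-logon records (timestamp, source_ip, username).

    Made-up data shaped like the three profiles; not honeypot output."""
    base = datetime(2019, 7, 1, 0, 0, 0)
    recs = []
    # Ram: one source hammering three usernames, one guess every six seconds.
    for i in range(600):
        user = ["administrator", "admin", "root"][i % 3]
        recs.append((base + timedelta(seconds=6 * i), "198.51.100.7", user))
    # Swarm: sequential usernames, nine guesses each, a new name every 14 minutes.
    names = ["ABrown", "BBrown", "CBrown", "DBrown", "A.Mohamed", "AAli", "ASmith"]
    for n, name in enumerate(names):
        for k in range(9):
            recs.append((base + timedelta(minutes=14 * n, seconds=90 * k), "203.0.113.21", name))
    # Hedgehog: two four-hour bursts (300 guesses each) separated by a day of silence.
    for start_hour in (0, 28):
        for i in range(300):
            recs.append((base + timedelta(hours=start_hour, seconds=48 * i), "192.0.2.99", "user"))
    return recs


def classify(records, idle_gap=timedelta(hours=6), min_attempts=50, max_ram_users=3, max_swarm_tries=10):
    """Map each source IP with enough failed logons to one of the study's profiles.

    hedgehog: activity split into bursts by idle periods longer than idle_gap
    ram:      many attempts concentrated on at most max_ram_users usernames
    swarm:    many usernames, none tried more than max_swarm_tries times"""
    by_ip = defaultdict(list)
    for ts, ip, user in records:
        by_ip[ip].append((ts, user))
    profiles = {}
    for ip, events in by_ip.items():
        if len(events) < min_attempts:
            continue  # too little activity to profile; a single failed logon is noise
        events.sort()
        users = Counter(u for _, u in events)
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        bursts = 1 + sum(1 for g in gaps if g > idle_gap)
        if bursts > 1:
            profiles[ip] = "hedgehog"
        elif len(users) <= max_ram_users:
            profiles[ip] = "ram"
        elif max(users.values()) <= max_swarm_tries:
            profiles[ip] = "swarm"
        else:
            profiles[ip] = "unclassified"
    return profiles
```

Feeding real Windows logon-failure events (e.g. Event ID 4625 with the client address and account name) through the same function lets a defender flag the source before a weak password is hit.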
Boddy explains what the scope of this RDP threat means for businesses, “There are currently more than three million devices worldwide that are accessible via RDP, and it is now a favorite entry point for cybercriminals. Sophos has reported on how criminals using targeted ransomware such as BitPaymer, Ryuk, Matrix and SamSam have almost completely abandoned other methods to penetrate a company.
All the honeypots were discovered within a few hours, just because they were visible on the Internet via RDP. The basic solution is to reduce the use of RDP as much as possible and make sure that excellent passwords are applied in the company. Companies need to act and use the appropriate security to protect against the relentless attackers.”