How long does it take for an RDP-enabled computer to come under attack? In some cases, a few minutes. In most, less than 24 hours.
The problem with RDP (Remote Desktop Protocol)
"In recent years, criminals deploying targeted ransomware such as BitPaymer, Ryuk, Matrix and SamSam have almost completely abandoned other hacking methods in favor of using RDP," say Sophos researchers Matt Boddy, Ben Jones and Mark Stockley.
Attackers can either crack passwords themselves with tools like NLBrute, or buy passwords cracked by others, or accounts on already compromised RDP servers.
To get an idea of how many attacks RDP servers face daily, the researchers set up 10 geographically dispersed Amazon EC2 instances running Windows Server 2019, with RDP enabled and protected by a "prohibitively strong password".
One of them came under RDP brute-force attack within one minute and 24 seconds. In total, 4,298,513 failed login attempts were recorded over the month.
Some attackers went after administrator accounts, while others targeted low-privilege accounts in the hope that their passwords would be easier to crack. To keep a low profile, some ramped up their attacks slowly, throttling or stepping up the pace of their guesses accordingly.
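As an added example (not from the Sophos research or this article), the Python below shows how a defender can spot both behaviours just described in Windows Security log data: a fast burst of failed RDP logons and a throttled, low-and-slow campaign. Event ID 4625 and logon type 10 are Windows' own values; the one-line log format, the thresholds, and every address and account name are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_event(line):
    """Parse one constructed record: '<iso time> <event id> <logon type> <account> <source ip>'."""
    ts, event_id, logon_type, account, source = line.split()
    return {"time": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "account": account, "source": source}

def detect_bruteforce(events, burst_window=timedelta(minutes=5), burst_threshold=5,
                      slow_window=timedelta(hours=6), slow_threshold=10):
    """Group failed RDP logons by source and return {source: (verdict, attempts, accounts)}.
    'burst' = at least burst_threshold failures inside one burst_window (fast hammering);
    'low-and-slow' = never trips the burst rule, but slow_threshold or more failures
    spread over at least slow_window (the throttled, low-profile pattern)."""
    by_source = defaultdict(list)
    for e in events:
        # 4625 = "An account failed to log on"; logon type 10 = RemoteInteractive (RDP).
        # With Network Level Authentication the failure is commonly logged as type 3 instead.
        if e["event_id"] == 4625 and e["logon_type"] in (3, 10):
            by_source[e["source"]].append(e)
    verdicts = {}
    for src, evs in by_source.items():
        times = sorted(e["time"] for e in evs)
        accounts = {e["account"] for e in evs}
        peak, start = 0, 0  # sliding window: most failures seen inside any burst_window
        for end in range(len(times)):
            while times[end] - times[start] > burst_window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= burst_threshold:
            verdicts[src] = ("burst", len(times), len(accounts))
        elif len(times) >= slow_threshold and times[-1] - times[0] >= slow_window:
            verdicts[src] = ("low-and-slow", len(times), len(accounts))
    return verdicts

def sample_events():
    """Constructed sample log (not real telemetry) covering the three behaviours above."""
    base = datetime(2019, 5, 1, 10, 0, 0)
    lines = []
    # Fast brute-force: six guesses in six seconds, spraying admin and low-privilege names.
    for i, acct in enumerate(["Administrator", "Administrator", "admin", "sales", "backup", "guest"]):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 4625 10 {acct} 203.0.113.5")
    # Low and slow: one Administrator guess every 20 minutes for 8 hours (25 attempts).
    for i in range(25):
        lines.append(f"{(base + timedelta(minutes=20 * i)).isoformat()} 4625 10 Administrator 192.0.2.9")
    # Benign noise: one user mistyping a password twice, an hour apart.
    lines.append(f"{base.isoformat()} 4625 10 jsmith 198.51.100.7")
    lines.append(f"{(base + timedelta(hours=1)).isoformat()} 4625 10 jsmith 198.51.100.7")
    return [parse_event(l) for l in lines]
```

Calling `detect_bruteforce(sample_events())` flags 203.0.113.5 as a burst and 192.0.2.9 as low-and-slow, while the mistyping user is left alone; in production the records would come from the Security event log rather than the constructed lines.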
Another interesting finding of the research: attackers do not rely on Shodan - the search engine that indexes Internet-connected devices - to identify potential targets.
Reducing RDP password brute-forcing risk
Remote Desktop Services, built on RDP, is a useful technology that lets administrators reach and interact with computers on remote networks or in the cloud.
Two months ago, Microsoft warned about CVE-2019-0708 (also known as BlueKeep), a wormable, pre-authentication remote code execution flaw in RDS that was expected to be widely exploited.
Although security experts believe that state-sponsored hacking groups are already using BlueKeep for quiet intrusions, mass exploitation has yet to materialize.
However, inadequately secured RDP servers are an easy target for eager cybercriminals, who often use them to spread malware (usually ransomware) throughout the target network.
Although the fix for RDP password brute-forcing is as simple as choosing a long and strong password, the researchers are skeptical about this:
- Microsoft could make two-factor authentication mandatory or switch to another form of authentication (e.g. public-key authentication).
- Cloud computing vendors could offer servers with an alternative form of remote management or authentication.
- But until this happens, administrators can mitigate the risk by enabling multi-factor authentication.
- Finally, if RDP is not needed, it should be disabled. Where it is needed, access should be allowed only through a virtual private network (VPN).