RDP brute-force attacks are skyrocketing due to remote working

Attackers are increasingly targeting corporate resources used by employees who have now moved to work from home due to lockdown and shelter in place orders issued during the ongoing pandemic.

A highly popular solution to access enterprise devices remotely is the Remote Desktop Protocol (RDP) which enables remote workers to access their work Windows workstations or servers from home.

However, many of the RDP servers used to help teleworkers are directly exposed to the Internet, and, when poorly configured, they expose the organization's network to attacks.

Huge growth in the number of brute-force attacks
As detailed in a report published today by security researchers at Kaspersky, almost all countries have seen tremendous growth in the number of brute-force attacks launched by threat actors against exposed RDP services since the beginning of March 2020.

In this type of attack, automated tools try combinations of usernames and passwords taken from lists of previously compromised credentials, from credential dictionaries, or generated randomly on the spot.

Once the attackers successfully guess the right combination, they get full access to the targeted machine and, usually, use this access to steal sensitive information, to drop malware, or move laterally within the organization's network to find more valuable targets.

Growth in the number of RDP brute-force attacks (Kaspersky)

"Brute-force attackers are not surgical in their approach but operate by area," the researchers said.

"As far as we can tell, following the mass transition to home working, they logically concluded that the number of poorly configured RDP servers would increase, hence the rise in the number of attacks."

In the U.S., for example, the number of brute-force attacks against Internet-facing RDP servers has increased from 200,000 per day in early March to over 1,200,000 in mid-April.

According to stats from BinaryEdge and Shodan, currently, over 4,500,000 devices are exposing RDP to the Internet.

Exposed RDP servers (BinaryEdge and Shodan stats)

However, despite the increasing number of brute-force attacks against Internet-facing RDP services and the huge number of new remote workers, Censys said at the beginning of April that "there hasn't been an uptick of Internet-exposed RDP servers beyond the normal ebb and flow or normal Internet traffic."

This trend can easily be explained by opportunistic attempts to take advantage of what attackers are seeing as an increased attack vector against companies that have to provide their employees with remote access to corporate IT resources.

RDP server count Q1 2020 (Censys)
Favorite targets of ransomware gangs
Attacks targeting RDP services have been on the rise since mid-to-late 2016, starting with the rise in popularity of dark web marketplaces selling RDP access to compromised networks and devices, per an IC3 report from 2018.

In 2017 for instance, more than 85,000 RDP servers were available for sale or rent via xDedic, a dark web marketplace where hacked servers were being sold for an average price of $6.

Brute-force attacks against servers with open RDP ports are also being used as the initial attack vector in ransomware attacks. The most recent examples are the human operators of the Dharma and DoppelPaymer ransomware groups, who are brute-forcing their way onto companies' exposed and poorly configured RDP servers to deploy their malicious payloads.

According to a Microsoft report from last month, these two ransomware groups will also start scanning for other RDP servers on the same network and brute-force their way into those too, moving laterally to other systems and turning off security controls wherever they can after a network reconnaissance stage.

How to secure RDP servers
It is important to mention that using RDP to access your workstations or servers remotely is not something frowned upon if these services are protected against attacks.

To do that, Kaspersky recommends taking the following measures:

• At the very least, use strong passwords.
• Make RDP available only through a corporate VPN.
• Use Network Level Authentication (NLA).
• If possible, enable two-factor authentication.
• If you don’t use RDP, disable it and close port 3389.

You should also enable account lockout policies to block brute-force attacks, as they will temporarily block logins on accounts after a certain number of failed login attempts.

Enabling account audit policies can also help prevent such attacks, as they allow admins to see which accounts are repeatedly showing login errors and are thus potentially being targeted in brute-force attacks.
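To show what that audit data makes possible, the following added example (not from Kaspersky or the original article) flags sources that produce repeated failed remote logons within a short window and lists the accounts they tried. It assumes failed-logon events (Windows Security event ID 4625) have been exported to a flattened comma-separated layout; that layout, the sample rows, and the threshold and window values are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: failed-logon records (Windows Security event ID 4625)
# flattened to "time,event_id,logon_type,account,source_ip". Addresses are
# documentation ranges, not real hosts.
SAMPLE = """\
2020-04-29T09:00:01,4625,3,administrator,203.0.113.7
2020-04-29T09:00:03,4625,3,admin,203.0.113.7
2020-04-29T09:00:05,4625,3,administrator,203.0.113.7
2020-04-29T09:00:09,4625,3,backup,203.0.113.7
2020-04-29T09:00:12,4625,3,administrator,203.0.113.7
2020-04-29T09:05:00,4625,10,jsmith,198.51.100.20
2020-04-29T09:00:14,4624,3,svc_sql,192.0.2.15
2020-04-29T11:30:00,4625,10,jsmith,198.51.100.20
"""

REMOTE_LOGON_TYPES = {"3", "10"}  # 3 = network (RDP with NLA), 10 = RemoteInteractive


def parse(text):
    """Yield (time, account, source_ip) for failed remote logons only."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue  # skip malformed rows instead of failing the whole run
        ts, event_id, logon_type, account, ip = parts
        if event_id == "4625" and logon_type in REMOTE_LOGON_TYPES:
            yield datetime.fromisoformat(ts), account.lower(), ip


def find_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted accounts} for sources with at least
    `threshold` failures inside any sliding `window`."""
    recent = defaultdict(deque)  # ip -> (time, account) failures still in window
    flagged = defaultdict(set)
    for ts, account, ip in sorted(parse(text)):
        q = recent[ip]
        q.append((ts, account))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip].update(a for _, a in q)
    return {ip: sorted(accts) for ip, accts in flagged.items()}


if __name__ == "__main__":
    for ip, accounts in find_bruteforce(SAMPLE).items():
        print(f"{ip}: repeated failures against {', '.join(accounts)}")
```

The single user who mistyped a password twice, hours apart, stays below the threshold, while the source cycling through several account names in seconds is reported.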

VNC is also vulnerable
Even if you use the VNC protocol for remote working, you are still exposed to attacks, as shown by the dozens of security vulnerabilities found by Kaspersky researchers in Linux and Windows VNC clients in November 2019.

Following that discovery, Kaspersky's ICS CERT research team was able to find over 600,000 VNC servers that can be accessed remotely based on info collected using the Shodan search engine for Internet-connected devices.

"As a safeguard against attacks, clients should not connect to unknown VNC servers and administrators should configure authentication on the server using a unique strong password," Kaspersky security researcher Pavel Cheremushkin said at the time.