ESET Researchers: Attacks Open the Door to Launching Ransomware, Planting Cryptominers
Tracking the increase in brute-force attacks against RDP connections (Source: ESET)
Since the start of the COVID-19 pandemic, the number of brute-force attacks targeting remote desktop protocol connections used with Windows devices has steadily increased, spiking to 100,000 incidents per day in April and May, according to an analysis by security firm ESET.
By waging brute-force attacks against RDP connections, attackers can gain access to an IT network, enabling them to install backdoors, launch ransomware attacks and plant cryptominers, according to ESET’s analysis.
RDP is a proprietary Microsoft communications protocol that allows system administrators and employees to connect to corporate networks from remote computers. With the COVID-19 pandemic forcing employees all over the world to work at home, many organizations have increased their use of RDP but have overlooked security concerns.
“Despite the increasing importance of RDP, organizations often neglect its settings and protection. When employees use easy-to-guess passwords, and with no additional layers of authentication or protection, there is little that can stop cybercriminals from compromising an organization’s systems,” Ondrej Kubovič, a security analyst with ESET, notes in the report. “Cybercriminals typically brute-force their way into a poorly secured network, elevate their rights to admin level, disable or uninstall security solutions and then run ransomware to encrypt crucial company data.”
Brute-force attacks targeting RDP connection by country (Source: ESET)
Other research reports also have concluded that hackers are increasingly targeting remote workers during the COVID-19 crisis (see: Top Ransomware Attack Vectors: RDP, Drive-By, Phishing).
Brute-force methods have increased because reuse of passwords is so common and large batches of credentials can be bought on underground forums for as little as $20, security researchers say.
An April report by security firm Kaspersky found that in the U.S., the number of brute-force attacks targeting RDP soared earlier this year (see: RDP Brute-Force Attacks Rise During COVID-19 Crisis: Report).
RDP Attack Statistics
While the number of brute-force attacks targeting RDP stood at about 30,000 incidents daily in December 2019, that number increased to 100,000 per day in April and May, the ESET report notes. Analysts found that most of the attacks from January to May were detected in the U.S., China, Russia, Germany and France.
In addition to installing malware and backdoors, the ESET researchers note that the attackers are exploiting RDP for other purposes, including:
- Clearing log files to remove any evidence of previous malicious activity;
- Downloading and running the attackers’ choice of tools and malware on compromised systems;
- Disabling scheduled backups as well as shadow copies – or erasing them;
- Exfiltrating data from servers.
The ESET report also warns that by leaving RDP connections exposed, organizations are vulnerable to financial loss, stalled operations and expensive recovery efforts. Plus, they could face penalties for privacy violations under such regulations as General Data Protection Regulation in the European Union, the California Consumer Privacy Act and the Notifiable Data Breaches law in Australia, the report notes.
Mitigating RDP Attacks
The ESET researchers recommend a number of steps that organizations can use to mitigate potential brute-force attacks that expose vulnerable RDP connections. These include:
- Disable internet-facing RDP connections or minimize the number of users allowed to connect directly to the organization’s servers over the internet;
- Implement strong and complex passwords for all accounts that can be logged into through RDP;
- Add multifactor authentication;
- Install a VPN gateway to broker all RDP connections from outside the local network;
- At the perimeter firewall, disallow external connections to local machines on port 3389 (TCP/UDP) or any other RDP port;
- Isolate insecure or outdated computers that need to be accessed from the internet using RDP and replace them as soon as possible.