Kaspersky: RDP brute-force attacks have gone up since start of COVID-19
Cyber-security firm Kaspersky says the number of brute-force attacks targeting RDP endpoints rose sharply since the onset of the coronavirus (COVID-19) pandemic.
According to a report published today, RDP brute-force attacks increased last month, when most countries around the globe imposed quarantines and stay-at-home orders, forcing companies to deploy more RDP systems online, increasing the attack surface for hackers.
"Since the beginning of March, the number of Bruteforce.Generic.RDP attacks has rocketed across almost the entire planet," the Russian antivirus vendor said today.
RDP stands for Remote Desktop Protocol and is a proprietary Microsoft technology that lets users log into remote workstations across the internet.
RDP endpoints are secured via a username and password, and, as such, are vulnerable to brute-force attacks -- repeated login attempts during which hackers try different username and password combinations, hoping to guess the login credentials.
RDP brute-force attacks are always going on, representing a good chunk of all the bad traffic recorded every day on the internet.
Brute-force attempts against RDP spiked as a large part of the world's population is working from home, and are using RDP as a way to log into work computers and servers from home.
Earlier this month, internet indexing service Shodan reported a 41% increase in the number of RDP endpoints available on the internet, as the COVID-19 pandemic was starting to spread.
With an increase in the number of RDP endpoints available online, interest from cyber-criminals followed, Kasperky said today.
Once attackers compromise an RDP endpoint, cybercrime groups will usually put the RDP credentials on sale on so-called "RDP shops."
Other gangs buy these credentials, access a company's network, and then steal proprietary data, perform reconnaissance before attempting a wire fraud (BEC) attack, or install ransomware to encrypt files and demand a ransom payment.
According to a Coveware report published today, hacked RDP endpoints has long been the favorite method of intrusion employed by today's ransomware gangs over the past months, and is most likely to remain so going forward.
Kaspersky experts advice companies and system administrators to apply a series of security protections to safeguard RDP endpoints against attacks, or disable the service, if they don't use. These include:
- At the very least, use strong passwords.
- Make RDP available only through a corporate VPN.
- Use Network Level Authentication (NLA).
- If possible, enable two-factor authentication.
- If you don't use RDP, disable it and close port 3389.
- Use a reliable security solution.