Sophos highlights dangers of remote desktop protocol attacks

24 Jul 2019

New research from security firm Sophos suggests that remote desktop protocol (RDP) is the attack tool of choice for cybercriminals that are looking for an easy path to exploiting vulnerable devices.

The report, “RDP Exposed: The Threat That’s Already at your Door”, looks at how attackers are able to find devices with RDP enabled almost as soon as they are connected to the internet.

In order to understand how criminals were using RDP, Sophos researchers set up 10 honeypots in ‘geographically dispersed’ locations on the internet.

The honeypots were Amazon EC2 instances running Windows Server 2019 with an unmodified, out-of-the-box configuration that enables RDP by default. 

Sophos says that each EC2 instance was deployed in a different regional data centre and that failed login attempts were captured in a centralised database over a 30-day period between 18 April 2019 and 19 May 2019.

Within the first day of their setup, all 10 honeypots received their first RDP login attempt. Overall, the 10 honeypots logged a combined 4,298,513 failed login attempts over the 30-day period, which works out to roughly one attempt every six seconds at each honeypot.

“At present there are more than three million devices accessible via RDP worldwide, and it is now a preferred point of entry by cybercriminals,” comments Sophos security specialist Matt Boddy.

“All of the honeypots were discovered within a few hours, just because they were exposed to the internet via RDP. The fundamental takeaway is to reduce the use of RDP wherever possible and ensure best password practice is in effect throughout an organization. Businesses need to act accordingly to put the right security protocol in place to protect against relentless attackers.”

The RDP method of attack takes just 84 seconds to compromise PCs. While many assume that cybercriminals rely on Shodan, a search engine for internet-connected devices, to find open RDP endpoints, the research indicates those criminals also use their own scanning tools.

Sophos detected three main attack patterns, dubbed ‘the ram’, ‘the swarm’, and ‘the hedgehog’.

• The ram is a strategy designed to uncover an administrator password. One example from the research is that over the course of 10 days, an attacker made 109,934 login attempts at the Irish honeypot using just three usernames to gain access.

• The swarm is a strategy that uses sequential usernames and a finite number of the worst passwords. One example from the research was seen in Paris, with an attacker using the username ABrown nine times over the course of 14 minutes, followed by nine attempts with the username BBrown, then CBrown, followed by DBrown, and so on. The pattern was repeated with A.Mohamed, AAli, ASmith, and others.

• The hedgehog is characterised by bursts of activity followed by longer periods of inactivity. One example in Brazil saw each spike generated by one IP address, last approximately four hours and consist of between 3,369 and 5,199 password guesses.
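As an added illustration, not code from the Sophos report, the following Python heuristics label failed RDP login records per source IP with the three patterns described above; the log format, thresholds and (documentation-range) source addresses are constructed assumptions, not values from the research.

```python
from collections import Counter
from datetime import datetime, timedelta
from itertools import groupby

def classify(events, gap=timedelta(hours=1)):
    """Label (timestamp, username) failures from ONE source IP; thresholds are assumptions."""
    events = sorted(events)
    users = [u for _, u in events]
    counts = Counter(users)
    # ram: heavy volume aimed at a handful of usernames
    if len(counts) <= 3 and len(users) >= 100:
        return "ram"
    # swarm: many usernames, each tried a few times in one contiguous block
    runs = [u for u, _ in groupby(users)]
    if len(counts) >= 5 and len(runs) == len(counts) and max(counts.values()) <= 10:
        return "swarm"
    # hedgehog: several dense bursts separated by silences longer than `gap`
    bursts, cur = [], 1
    for (t0, _), (t1, _) in zip(events, events[1:]):
        if t1 - t0 > gap:
            bursts.append(cur)
            cur = 1
        else:
            cur += 1
    bursts.append(cur)
    if len(bursts) >= 2 and min(bursts) >= 50:
        return "hedgehog"
    return "unclassified"

def classify_log(lines):
    """Lines use a constructed format: '<ISO timestamp> <source ip> <username>'."""
    per_ip = {}
    for line in lines:
        ts, ip, user = line.split()
        per_ip.setdefault(ip, []).append((datetime.fromisoformat(ts), user))
    return {ip: classify(ev) for ip, ev in per_ip.items()}

def sample_log():
    """Constructed sample with one documentation-range source IP per pattern."""
    t0, lines = datetime(2019, 4, 20, 10, 0, 0), []
    for i in range(300):  # ram: 300 guesses at three usernames, one every 2 s
        user = ["administrator", "admin", "root"][i % 3]
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 198.51.100.7 {user}")
    for j, letter in enumerate("ABCDEFGH"):  # swarm: ABrown..HBrown, 9 tries each
        for k in range(9):
            lines.append(f"{(t0 + timedelta(seconds=90 * (9 * j + k))).isoformat()} 203.0.113.5 {letter}Brown")
    for b in range(3):  # hedgehog: three 4-hour bursts of 60 guesses, a day apart
        for k in range(60):
            lines.append(f"{(t0 + timedelta(days=b, minutes=4 * k)).isoformat()} 192.0.2.9 user{k}")
    return lines
```

Running `classify_log(sample_log())` labels the three constructed sources as ram, swarm and hedgehog respectively; the thresholds should be tuned to the volumes a real environment sees.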

“Most recently, a remote code execution flaw in RDP - nicknamed BlueKeep (CVE-2019-0708) - has been hitting the headlines. As reported by SophosLabs only a few weeks ago in ‘BlueKeep PoC Demonstrates Risk of Remote Desktop Exploit’, this is a vulnerability so serious it could be used to trigger a ransomware outbreak that could potentially spread around the world in hours,” says Boddy.

“Securing against RDP threats goes far beyond patching systems against BlueKeep, which is just the tip of the iceberg. In addition to taking care of BlueKeep, IT managers need to pay broader attention to RDP overall because, as our Sophos research shows, cybercriminals are busy probing all potentially vulnerable computers exposed by RDP 24/7 with password guessing attacks.”
