Sophos highlights dangers of remote desktop protocol attacks

24 Jul 2019

New research from security firm Sophos suggests that remote desktop protocol (RDP) is the attack tool of choice for cybercriminals that are looking for an easy path to exploiting vulnerable devices.

The report, ‘RDP Exposed: The Threat That’s Already at your Door’, looks at how attackers are able to find devices with RDP enabled as soon as they are connected to the internet.

In order to understand how criminals were using RDP, Sophos researchers set up 10 honeypots in ‘geographically dispersed’ locations on the internet.

The honeypots were Amazon EC2 instances running Windows Server 2019 with an unmodified, out-of-the-box configuration that enables RDP by default. 

Sophos says that each EC2 instance was deployed in a different regional data centre and failed log-in attempts were captured in a centralised database over a 30-day period between 18 April 2019 and 19 May 2019.

Within the first day of being set up, all 10 honeypots had received their first RDP login attempt. Overall, the 10 honeypots logged a combined 4,298,513 failed login attempts over the 30-day period, which works out to approximately one attempt every six seconds.

“At present there are more than three million devices accessible via RDP worldwide, and it is now a preferred point of entry by cybercriminals,” comments Sophos security specialist Matt Boddy.

“All of the honeypots were discovered within a few hours, just because they were exposed to the internet via RDP. The fundamental takeaway is to reduce the use of RDP wherever possible and ensure best password practice is in effect throughout an organization. Businesses need to act accordingly to put the right security protocol in place to protect against relentless attackers.”

According to the research, an RDP attack can compromise a PC in as little as 84 seconds. While it is widely assumed that cybercriminals rely on the search engine Shodan to find exposed RDP services, they also use their own scanning tools.

Sophos detected three main attack patterns, dubbed ‘the ram’, ‘the swarm’, and ‘the hedgehog’.

• The ram is a strategy designed to uncover an administrator password. One example from the research is that over the course of 10 days, an attacker made 109,934 login attempts at the Irish honeypot using just three usernames to gain access.

• The swarm is a strategy that uses sequential usernames and a finite number of the worst passwords. One example from the research was seen in Paris, with an attacker using the username ABrown nine times over the course of 14 minutes, followed by nine attempts with the username BBrown, then CBrown, followed by DBrown, and so on. The pattern was repeated with A.Mohamed, AAli, ASmith, and others.

• The hedgehog is characterised by bursts of activity followed by longer periods of inactivity. One example in Brazil saw each spike generated by one IP address, lasting approximately four hours and consisting of between 3,369 and 5,199 password guesses.
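As an added example (not part of the Sophos research or this article), the following Python script shows how a defender could label the failed-logon records from each source IP as one of the three patterns described above. The record format, IP addresses, usernames and thresholds are all constructed assumptions; in a real deployment the records would come from Windows Security event 4625 or RDP gateway logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not figures from the Sophos report.
RAM_MIN_ATTEMPTS, RAM_MAX_USERNAMES = 50, 3     # many guesses against very few accounts
SWARM_MIN_SERIES = 3                             # ABrown, BBrown, CBrown share a suffix
BURST_GAP, HEDGEHOG_MIN_QUIET = timedelta(minutes=30), timedelta(hours=2)

def bursts(times):
    """Split sorted timestamps into bursts separated by quiet gaps longer than BURST_GAP."""
    groups = [[times[0]]]
    for prev, cur in zip(times, times[1:]):
        if cur - prev > BURST_GAP:
            groups.append([])
        groups[-1].append(cur)
    return groups

def classify(events):
    """Label one source's (timestamp, username) failed logons as ram, swarm, hedgehog or other."""
    distinct = {u for _, u in events}
    if len(events) >= RAM_MIN_ATTEMPTS and len(distinct) <= RAM_MAX_USERNAMES:
        return "ram"
    suffixes = defaultdict(set)                  # "Brown" -> {"A", "B", "C", "D"}
    for u in filter(None, distinct):
        suffixes[u[1:]].add(u[0])
    if any(len(firsts) >= SWARM_MIN_SERIES for firsts in suffixes.values()):
        return "swarm"
    groups = bursts(sorted(t for t, _ in events))
    gaps = [b[0] - a[-1] for a, b in zip(groups, groups[1:])]
    return "hedgehog" if gaps and max(gaps) >= HEDGEHOG_MIN_QUIET else "other"

def classify_log(lines):
    """Parse constructed 'timestamp,src_ip,username' failed-logon lines and label each source IP."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user = line.strip().split(",")
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    return {ip: classify(ev) for ip, ev in by_ip.items()}

def build_sample():
    """Constructed records, one source IP per pattern (not real honeypot data)."""
    t0 = datetime(2019, 5, 1)
    def rec(ip, user, **delta):
        return f"{(t0 + timedelta(**delta)).isoformat()},{ip},{user}"
    ram = [rec("10.0.0.1", "admin" if i % 2 else "administrator", seconds=6 * i) for i in range(60)]
    swarm = [rec("10.0.0.2", f"{c}Brown", minutes=3 * k, seconds=10 * j)
             for k, c in enumerate("ABCD") for j in range(9)]
    hog = [rec("10.0.0.3", f"user{j}", hours=5 * b, seconds=15 * j) for b in range(2) for j in range(20)]
    return ram + swarm + hog
```

Running `classify_log(build_sample())` labels 10.0.0.1 as ram, 10.0.0.2 as swarm and 10.0.0.3 as hedgehog; in practice the thresholds would be tuned against your own baseline of failed-logon noise.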

“Most recently, a remote code execution flaw in RDP - nicknamed BlueKeep (CVE-2019-0708) - has been hitting the headlines. As reported by SophosLabs only a few weeks ago in ‘Bluekeep PoC Demonstrates Risk of Remote Desktop Exploit’, this is a vulnerability so serious it could be used to trigger a ransomware outbreak that could potentially spread around the world in hours,” says Boddy.

“Securing against RDP threats goes far beyond patching systems against BlueKeep, which is just the tip of the iceberg. In addition to taking care of BlueKeep, IT managers need to pay broader attention to RDP overall because, as our Sophos research shows, cybercriminals are busy probing all potentially vulnerable computers exposed by RDP 24/7 with password guessing attacks.”