RDP attacks on the rise and ways to prevent them

RDP attacks are on the rise in Middle East countries such as the UAE, Saudi Arabia, Bahrain, Kuwait and Oman.

Attackers use open RDP ports to take over machines, or intercept RDP sessions to inject malware, after using brute-force techniques to obtain usernames and passwords.

Microsoft’s Remote Desktop Protocol (RDP) is used for remotely connecting to Windows systems. In RDP attacks, criminals look for unsecured RDP services to exploit in order to access corporate networks. RDP attacks are on the rise because many organizations fail to secure RDP services against unauthorized access. Recently, RDP has become the top attack vector for major attacks, including ransomware.

How RDP attacks work

RDP, Microsoft’s proprietary protocol for network connectivity, can be used for remote administrative access to Windows machines via a password-based authentication mechanism.
  • Brute-force RDP attacks begin by scanning IP ranges and TCP ports (the default being 3389) for RDP servers, which may be either client or server systems.
  • Once an attacker finds an RDP server, they attempt to log on, typically as Administrator.
  • Since there is no default restriction on the number of failed attempts, an attacker can try a large number of password combinations against the RDP service until they gain access to the remote machine.

In RDP attacks, attackers use brute-force methods to crack passwords and thus gain full access to the system for stealing sensitive data, dropping malware, data poisoning, and other malicious activities. There are a few things you can do to make it a lot harder to gain access to your network over unauthorized RDP connections:

  • Block multiple failed login attempts coming from the same IP address or the same account. To do that, we recommend you combine the account lockout threshold policy with the account lockout duration. One determines the number of failed sign-in attempts that will cause a user account to be locked, and the other establishes “the number of minutes that a locked-out account remains locked out before automatically becoming unlocked”. Third-party tools can also be used for this.
  • Change your default RDP (Remote Desktop Protocol) port. This is a very easy procedure that will save you a lot of trouble in the future. Windows uses the default RDP port 3389. If you have this port open to the Internet, you are VERY vulnerable to port scanning, which a multitude of hacking tools can do. Once they determine that your default RDP port is open, attackers WILL run scripts to brute force their way in. The solution here is to change your default RDP port to something unused and not common knowledge. Microsoft provides a full guide for doing this. (Alternatively, you can use a Remote Desktop Gateway server, which also gives you additional security and operational benefits, such as 2FA. The logs of the RDP sessions can prove especially useful when you are trying to figure out what might have happened; as these logs are not on the compromised machine, they are harder for intruders to falsify.)
  • Strong username and password: The simplest and most effective thing you can do to avoid becoming a victim of an RDP brute-force attack is to change your login details. Changing your account name to something more cryptic than the default ‘Administrator’ makes it twice as difficult for cybercriminals, as they have to guess your username as well as your password. You’ll need to disable the existing administrator account before setting up a new one (find out how to do that here). In addition, you’ll also want to ensure your password is up to scratch: it should be long, unique, complex, and contain numbers, symbols, and upper- and lower-case letters.
  • Do not disable Network Level Authentication (NLA), as it offers an extra authentication level. Enable it if it wasn’t already.
  • Apply system and software updates regularly.
  • Maintain a good backup strategy so you can recover from a successful RDP attack.
  • Enable logging and ensure logging mechanisms capture RDP logins.
  • Minimize network exposure for all control system devices. Wherever possible, critical devices should not have RDP enabled.
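As an added example (not part of the original article), the following Python script applies the “block repeated failures from the same IP address or the same account” logic above to a constructed sample of Windows Security log records: it counts failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) per source IP and per target account inside a sliding time window, mirroring the lockout threshold and lockout duration settings. The one-line log format and the sample entries are simplified and constructed for this example; a real export would need its own parser.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, simplified from Windows Security log fields: 4625 = failed
# logon, 4624 = success; LogonType 10 = RemoteInteractive (RDP), 3 = network.
SAMPLE_LOG = """\
2024-01-10T09:00:01 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2024-01-10T09:00:03 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2024-01-10T09:00:05 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2024-01-10T09:00:06 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2024-01-10T09:00:08 EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=203.0.113.9
2024-01-10T09:00:09 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2024-01-10T09:00:12 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.4
2024-01-10T09:00:14 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=198.51.100.4
2024-01-10T10:00:00 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
"""

EVENT_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

def parse_events(log_text):
    """Yield (timestamp, event_id, logon_type, account, ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), int(m["id"]),
                   int(m["lt"]), m["user"], m["ip"])

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=30)):
    """Flag source IPs and target accounts that reach `threshold` failed RDP logons
    within a sliding `window` (events assumed chronological, as in an exported log).
    Returns {("ip", value) or ("account", value): failures in window when first flagged}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, event_id, logon_type, account, ip in parse_events(log_text):
        if event_id != 4625 or logon_type != 10:
            continue  # successful logons and non-RDP logon types do not count
        for key in (("ip", ip), ("account", account)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = len(q)
    return alerts

if __name__ == "__main__":
    for (kind, value), count in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed RDP logons for {kind} {value}")
```

The 203.0.113.9 line (logon type 3) and the 4624 success are ignored, and the 10:00 failure from 203.0.113.7 falls outside the 30-minute window, so it starts a fresh count rather than extending the earlier burst.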

Recent reports from several vendors suggest that RDP attacks, i.e. brute-force attacks targeting Remote Desktop Protocol (RDP) endpoints, have been on the rise in the past few months.