
RDP Stays in Attackers’ Sights


The massive shift to remote work has presented attackers with plenty of new options, but sometimes the oldies are still the goodies, something that’s borne out by the scans for exposed RDP servers that have been spiking in the last few weeks.

Remote Desktop Protocol (RDP) is Microsoft’s own protocol for remote administration of machines, and it’s used widely in enterprises in a number of different situations. Servers exposing RDP to the public Internet are easy prey for attackers and are often targeted because they can be a simple entry point into an enterprise network. The number of RDP servers exposed online has been increasing in the last few weeks, and with that has come an attendant spike in attention from attackers. In late March, research from Shodan, the IoT search engine, showed that the number of machines exposing RDP publicly was increasing steadily and was approaching about 3.5 million. Data from Censys now shows nearly four million machines exposing RDP on the default port.

That’s a large target base for attackers, and it has not gone unnoticed. On April 15, there were nearly 1.5 million brute-force scans for RDP in the United States alone, according to numbers compiled by security firm Kaspersky. That’s a huge jump from the roughly 700,000 such scans in the U.S. on April 5. There have been similar increases in other countries, including China, Russia, and Italy. These scans are simple checks to see which username and password combinations will work on a given server. They’re not high-level activity, but they can be effective, especially for newly configured machines that might still have default credentials set up.
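The credential-guessing described above leaves a recognisable trace on the target: a burst of failed logons (Windows Security Event ID 4625) with the RemoteInteractive logon type (LogonType 10), typically from one source address and spread across many usernames. The following detector is an added example, not code from the article or from Kaspersky or Microsoft. It assumes a simplified one-line-per-event format whose field names mirror the real 4625 event (EventID, LogonType, TargetUserName, IpAddress); the log lines, addresses and threshold values are constructed for illustration.

```python
"""Flag RDP brute-force patterns in Windows Security logon events.

Added example for this article; not the original page's code. The sample
log is constructed, with TEST-NET addresses. Real 4625 events are XML or
EVTX records; here each event is flattened to "<timestamp> key=value ...".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one bursty guesser (203.0.113.7), a user mistyping a
# password twice then logging in (198.51.100.20), a local console failure
# (LogonType 2, no source IP), and a slow guesser (203.0.113.9) whose
# attempts are spaced five minutes apart.
SAMPLE_LOG = """\
2020-04-15T10:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-04-15T10:00:05 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2020-04-15T10:00:09 EventID=4625 LogonType=10 TargetUserName=user IpAddress=203.0.113.7
2020-04-15T10:00:14 EventID=4625 LogonType=10 TargetUserName=guest IpAddress=203.0.113.7
2020-04-15T10:00:20 EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.7
2020-04-15T10:00:40 EventID=4625 LogonType=10 TargetUserName=root IpAddress=203.0.113.7
2020-04-15T10:02:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2020-04-15T10:02:30 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2020-04-15T10:02:45 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2020-04-15T10:03:00 EventID=4625 LogonType=2 TargetUserName=jsmith IpAddress=-
2020-04-15T10:05:00 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.9
2020-04-15T10:10:00 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.9
2020-04-15T10:15:00 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.9
2020-04-15T10:20:00 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.9
2020-04-15T10:25:00 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.9
"""


def parse_line(line):
    """Turn '<iso timestamp> key=value ...' into a dict with a datetime."""
    ts_str, *kvs = line.split()
    event = {"timestamp": datetime.fromisoformat(ts_str)}
    for kv in kvs:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources with >= threshold failed
    RemoteInteractive logons inside any sliding window of the given length.

    Only 4625 + LogonType 10 counts: successes (4624) and local failures
    (other logon types) are ignored so they do not inflate the count.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e.get("EventID") == "4625" and e.get("LogonType") == "10":
            by_ip[e["IpAddress"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["timestamp"])
        start = 0
        for end, e in enumerate(evs):
            # Slide the window start forward until it fits inside `window`.
            while e["timestamp"] - evs[start]["timestamp"] > window:
                start += 1
            count = end - start + 1
            # Keep the densest window seen for this source.
            if count >= threshold and count > findings.get(ip, {}).get("failed_logons", 0):
                hits = evs[start:end + 1]
                findings[ip] = {
                    "failed_logons": count,
                    "usernames": sorted({h["TargetUserName"] for h in hits}),
                    "first_seen": hits[0]["timestamp"],
                    "last_seen": hits[-1]["timestamp"],
                }
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['failed_logons']} failed RDP logons, "
              f"{len(f['usernames'])} accounts tried, "
              f"{f['first_seen'].time()}-{f['last_seen'].time()}")
```

Run against the constructed sample, only 203.0.113.7 is reported: six failures in under a minute across six different accounts, which is the "not surgical" pattern Galov describes. The two mistyped passwords from 198.51.100.20 stay below the threshold, and 203.0.113.9 never accumulates five failures inside one five-minute window, so a slow guesser needs a longer window or a lower threshold to surface; tuning those two values against a site's own baseline of failed logons is the main design choice. The distinct-username list is worth alerting on in its own right, since a single address cycling through many accounts is unlikely to be a legitimate user.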

“Brute-force attackers are not surgical in their approach, but operate by area. As far as we can tell, following the mass transition to home working, they logically concluded that the number of poorly configured RDP servers would increase, hence the rise in the number of attacks,” Dmitry Galov of Kaspersky said in a post on the data.

“Companies need to closely monitor programs in use and update them on all corporate devices in a timely manner. This is no easy task for many companies at present, because the hasty transition to remote working has forced many to allow employees to work with or connect to company resources from their home computers, which often fall short of corporate cybersecurity standards.”

Microsoft researchers have been monitoring the way that attackers have shifted more attention to RDP as well, and are recommending that administrators take extra precautions with RDP in the current environment.

“Although Remote Desktop Services (RDS) can be a fast way to enable remote access for employees, there are a number of security challenges that need to be considered before using this as a remote access strategy. One of these challenges is that attackers continue to target the RDP and service, putting corporate networks, systems, and data at risk (e.g., cybercriminals could exploit the protocol to establish a foothold on the network, install ransomware on systems, or take other malicious actions). In addition, there are challenges with being able to configure security for RDP sufficiently, to restrict a cybercriminal from moving laterally and compromising data,” James Ringold, enterprise security advisor at Microsoft, said.