With record numbers of employees working from home, the number of Remote Desktop Protocol ports exposed to the internet has increased.
Many employees benefit from using remote desktop protocol (RDP), such as system administrators who need to manage servers for websites or databases and employees who need access to shared resources for their everyday work. RDP allows access to servers, endpoints and resources residing in centralized locations or across remote networks.
When setting up firewalls to enable remote desktop protocol, network administrators have the option of either restricting RDP to the company network or allowing access over the internet. Exposing RDP ports to the outside world, however, brings a danger – hackers can discover and target them in an attack.
Using a tool like Shodan to search, hackers can currently find roughly 3.5 million RDP ports that are exposed to the internet:
The chart shows results only for port 3389, the default port number for RDP. Many companies use non-default port numbers for RDP – a kind of security through obscurity. However, this presents no real barrier to hackers, as it is trivial to scan for other ports that show RDP activity.
Not surprisingly, Shodan reveals a recent rise in the number of devices with RDP exposed to the internet, which corresponds to the global shift to remote work witnessed in the most recent months.
For IT admins, it is paramount to ensure that RDP access over the internet is properly secured and that employees adhere to best password security practices. To that end, a brief look at some common attacks on RDP logins, along with security practices to counteract them, can help.
Brute force attacks
In a brute force attack, an attacker attempts to log in with guessed passwords, sometimes making millions of attempts. This is normally automated with a software tool. If successful, this attack often prepares the path for the entry of ransomware, such as GandCrab and Sodinokibi, or other malware.
Recently, the writers of the TrickBot trojan added a new RDP brute force module. With the new upgrade, TrickBot has already attacked over 6,000 RDP servers. Using a strong password can make such brute force attacks computationally infeasible to accomplish.
To ensure that employees are using strong passwords, IT admins can use tools to compare hashes of employees’ passwords to a dictionary of hashes computed from weak passwords.
Credential stuffing attacks
A credential stuffing attack is similar to a brute force attack except that it attempts to use leaked credentials to log in. Leaked credentials can be found in the public domain, on hacking forums and in dark web marketplaces.
Hackers can automate these attacks by using credential stuffing software, such as SNIPR, Sentry MBA, STORM, Black Bullet, Private Keeper and WOXY. In order to evade firewalls and other protective technologies, attackers leverage batches of proxies (botnets) so that the repeated login attempts come from different IP addresses.
The success of credential stuffing relies on the fact that many users reuse their passwords. By always using a unique password for each service, these kinds of attacks are easily frustrated.
Password spraying attacks
Password spraying is another variation of brute force in which an attacker strategically selects passwords to try against many user accounts. The idea is to avoid lockout policies from failed login attempts by pacing out the attack over a period of time and targeting a larger base of employee accounts.
Hackers can scrape employee usernames from the public domain with tools like Prowl, Raven and LinkedInt. These tools take company email domain names and scrape employee lists from LinkedIn.
With a list of usernames in hand, a hacker can then launch an automated password spraying attack.
Should hackers compromise even one standard user account, they can use that account to reveal the password and lockout policy of its Active Directory domain and fine-tune future password spray attacks against other users in the same domain.
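Detection logic for the spray pattern described above, as an added example that is not part of this article or of any ESET product: it parses constructed RDP logon-failure lines (modelled on Windows Event ID 4625 with logon type 10) and flags a source IP that fails against many distinct accounts inside one time window, which is exactly the signature a per-account lockout policy never sees. The log format, thresholds and addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed RDP logon failures (modelled on Windows Event ID 4625 with
# LogonType 10 = RemoteInteractive), one event per line. Not real telemetry.
SAMPLE_LOG = """\
2020-04-01T08:00:05 EventID=4625 LogonType=10 TargetUser=alice SourceIP=203.0.113.7
2020-04-01T08:01:10 EventID=4625 LogonType=10 TargetUser=bob SourceIP=203.0.113.7
2020-04-01T08:01:12 EventID=4625 LogonType=10 TargetUser=grace SourceIP=198.51.100.4
2020-04-01T08:02:15 EventID=4625 LogonType=10 TargetUser=carol SourceIP=203.0.113.7
2020-04-01T08:02:40 EventID=4625 LogonType=10 TargetUser=grace SourceIP=198.51.100.4
2020-04-01T08:03:20 EventID=4625 LogonType=10 TargetUser=dave SourceIP=203.0.113.7
2020-04-01T08:04:25 EventID=4625 LogonType=10 TargetUser=erin SourceIP=203.0.113.7
2020-04-01T08:05:30 EventID=4625 LogonType=10 TargetUser=frank SourceIP=203.0.113.7
2020-04-01T08:06:00 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=192.0.2.9
2020-04-01T08:06:02 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=192.0.2.9
2020-04-01T08:06:04 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=4625 LogonType=10 "
                     r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$")

def parse_events(text):
    """Yield (timestamp, user, source_ip) for every RDP logon failure."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"].lower(), m["ip"]

def detect_spray(events, window=timedelta(minutes=30), min_users=5):
    """Flag source IPs that fail against >= min_users distinct accounts within one window.
    A spray keeps per-account attempts under the lockout threshold, so lockout never fires;
    counting distinct targets per source catches it. Returns {ip: (users, max_per_user)}."""
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            per_user = Counter(u for _, u in evs[start:end + 1])
            if len(per_user) >= min_users:
                alerts[ip] = max(alerts.get(ip, (0, 0)), (len(per_user), max(per_user.values())))
    return alerts

if __name__ == "__main__":
    print(detect_spray(parse_events(SAMPLE_LOG)))  # {'203.0.113.7': (6, 1)}
```

The repeated failures from 198.51.100.4 (one user mistyping) and 192.0.2.9 (one account hammered, which lockout handles) are deliberately not flagged; only the one-attempt-per-account spread across six accounts is.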
ESET’s current detection for brute-force attacks – called “Botnet.CnC.Generic” – can block RDP, SQL and Server Message Block (SMB) attacks.
To better defend against password attacks, IT administrators should adhere to the following recommendations:
Managing networks more securely
Small or medium-sized businesses accustomed to using RDP to manage their remote employees may find that after a fresh install of endpoint security software, RDP connections no longer work. This is the case, for example, when installing ESET Endpoint Security. For the most secure configuration, ESET products prohibit RDP access from the internet (via ESET Firewall) by default.
Ultimately, turning RDP off is the most secure option for any company due to its many security weaknesses. There are a variety of remote monitoring and management (RMM) tools that usually better meet business needs compared to RDP. However, it is important to be conscious of the security risks when selecting an RMM tool – vulnerabilities can affect them just as much as RDP.
If you need to let RDP through the ESET Firewall, you can follow these steps:
IT admins should also utilize the following security configurations available in Group Policy: