The world’s workforce is becoming increasingly decentralized. The rise of remote working, outsourcing and cloud-based technologies continues to blur geographical boundaries while enabling small and medium-sized enterprises to tap into a deep and diverse talent pool.
To maintain the networks that support this type of working arrangement, many small and medium-sized enterprises (SMEs) rely on off-site tech support teams using remote desktop protocol (RDP) to diagnose and repair network problems. RDP allows for secure network communications between a terminal server and a terminal server client. It is commonly used by network administrators to remotely access virtual desktops and applications.
Using RDP does carry a certain level of risk, particularly because unguarded remote desktops are quickly becoming the favored point of entry amongst hackers. Sadly, many companies are leaving themselves exposed by not following a few simple security measures.
In this article, we’ll show you exactly how RDP attacks work and what you can do to protect your company from succumbing to this type of cyberattack. Read on to avoid becoming one of the next ransomware victims.
What is an RDP brute force attack?
Imagine a burglar who has a key ring with a few hundred thousand keys on it. The criminal uses the keys one after the other in an attempt to unlock your front door. The better your lock, the longer it will take them to get inside. However, sooner or later, they’ll probably find the right key and once they’re inside they can do what they want – disable your alarm, steal your jewelry, vandalize your home or change the locks and demand you pay a ransom to get back inside. This is the basic premise of an RDP attack.
In an RDP brute force attack, hackers use network scanners such as Masscan (which can scan the entire Internet in less than six minutes) to identify IP and TCP port ranges that are used by RDP servers. After tracking one down, the criminals try to gain access to the machine (typically as an administrator) by using brute force tools that automatically attempt to log in over and over again using a countless number of username and password combinations. During this time, server performance may take a hit as the attacks consume system resources.
After hours, days or even weeks of systematic trial and error, the hackers may eventually guess the username and password and be granted server access – and once they’re in, the damage potential is nothing short of catastrophic.
Why would hackers want to launch an RDP attack?
Once an attacker has access via RDP, they can do pretty much anything within the hacked account’s privilege limits. Criminals who have gained administrator access can do more or less anything they want, including disabling antivirus software, installing malware, stealing company data, encrypting files and much more. As you might imagine, this level of disruption can have an enormous impact on a company’s reputation, finances and day-to-day operations. While some cyber criminals simply want to create chaos, many launch RDP attacks with set goals in mind, such as:
Ransomware, the most lucrative form of malware, is most commonly spread through RDP attacks. In fact, some reports estimate that as many as two thirds of all ransomware infections in Q1 2017 were delivered through RDP. After breaking in, it’s a simple matter for hackers to encrypt system files and demand exorbitant ransoms from their victims. In September 2016, hackers used remote desktop attacks to infect businesses across Australasia with the Crysis ransomware.
If the criminals want to take a more subtle approach, they may use an RDP attack to surreptitiously install a keylogger. A keylogger is a tiny piece of malware that sits in the background and tracks every key you press without your knowledge. This can be used to collect private data such as credit card information, passwords, sensitive company information and more.
Some RDP attacks have no clear purpose beyond mindless destruction. The cybercriminal may simply be bored or in search of notoriety and infiltrate your company’s systems as a challenge. In this scenario, the hackers might take personal files, delete data or use your company’s server to distribute malware to your clients.
Toward the end of 2016, hackers used RDP attacks to break into systems and activate undetected malware known as Trojan.sysscan. The trojan searched the infected machine for cookies related to banking, gambling, tax websites and Point of Sale software and extracted usernames and passwords, providing the criminals with stolen identities and large amounts of money.
Regardless of the criminal’s reasoning, there’s no denying that an RDP attack can have major consequences for businesses of any size.
How can you protect your business against RDP brute force attacks?
The key to combating RDP attacks lies in being proactive. As noted, once a hacker has gained entry to your company’s system, there’s no limit to the havoc they can create. With this in mind, your primary focus should be on preventing initial access by minimising remote desktop security risks. This can be achieved in a number of ways:
1. Strong username and password
The simplest and most effective thing you can do to avoid becoming a victim of an RDP brute force attack is to change your login details. Changing your account name to something more cryptic than the default ‘Administrator’ makes it twice as difficult for cybercriminals, as they have to guess your username as well as your password. You’ll need to disable the existing administrator account before setting up a new one.
In addition, you’ll also want to ensure your password is up to scratch. Your password should be long, unique, complex and contain numbers, symbols and upper- and lower-case letters.
2. Set remote access restrictions
To further reduce the risk of an attack, set a limit on the number of people who can log in using RDP. While everyone who has ‘Administrator’ level access can log in to Remote Desktop by default, chances are there are very few users on your network who actually need these privileges to do their job. Restricting RDP access to only those who genuinely require it minimizes the risk of a security hole.
3. Account lockout policy
As noted, brute force RDP attacks require hundreds, thousands or even millions of login attempts. You can slow the attacks by setting up a simple policy that locks users out after a certain number of attempts for a specified amount of time.
Here’s how to set up an account lockout policy on Windows 10 Enterprise/Pro/Education:
- Open the Start Menu
- Type Administrative Tools and open the program listed under ‘Best Match’
- In the window that opens, double-click on Local Security Policy to open it
- On the left-hand side, browse to Account Policies > Account Lockout Policy
- Double click the policy you wish to edit
- Set a new value
- Click OK
Three-minute lockouts after three invalid attempts is a good place to start if you’re not sure of an acceptable attempt threshold.
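To see what that three-attempts-in-three-minutes threshold looks like from the detection side, here is an added example (not code from the original article) that scans a constructed sample of Windows Security log failed-logon records (Event ID 4625, logon type 10 meaning an RDP/RemoteInteractive logon) and flags every source address that produced three or more failures inside a sliding three-minute window. The sample events and their tuple layout are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events (made up for this example).
# Fields: (timestamp, event_id, logon_type, target_user, source_ip)
# Event ID 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
SAMPLE_EVENTS = [
    ("2017-03-01 02:00:01", 4625, 10, "Administrator", "203.0.113.7"),
    ("2017-03-01 02:00:04", 4625, 10, "Administrator", "203.0.113.7"),
    ("2017-03-01 02:00:09", 4625, 10, "admin",         "203.0.113.7"),
    ("2017-03-01 02:00:13", 4625, 10, "backup",        "203.0.113.7"),
    ("2017-03-01 02:05:00", 4625, 10, "jsmith",        "198.51.100.20"),  # one typo
    ("2017-03-01 02:06:00", 4624, 10, "jsmith",        "198.51.100.20"),  # then success
    ("2017-03-01 02:30:00", 4625, 2,  "jsmith",        "-"),              # console, not RDP
]


def find_rdp_brute_force(events, threshold=3, window=timedelta(minutes=3)):
    """Flag source IPs with >= threshold failed RDP logons within any `window`.

    Returns {source_ip: {"failures": total_failed_rdp_logons,
                         "usernames": sorted distinct usernames tried}}.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    total = defaultdict(int)
    users = defaultdict(set)
    flagged = set()
    for ts, event_id, logon_type, user, ip in sorted(events, key=lambda e: e[0]):
        if event_id != 4625 or logon_type != 10:
            continue  # only failed RemoteInteractive (RDP) logons count
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:
            q.popleft()  # drop failures that have aged out of the sliding window
        total[ip] += 1
        users[ip].add(user)
        if len(q) >= threshold:
            flagged.add(ip)  # same condition the lockout policy would trigger on
    return {ip: {"failures": total[ip], "usernames": sorted(users[ip])}
            for ip in sorted(flagged)}


if __name__ == "__main__":
    for ip, info in find_rdp_brute_force(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['failures']} failed RDP logons, "
              f"usernames tried: {', '.join(info['usernames'])}")
```

A single mistyped password from a legitimate user never reaches the threshold, while one address cycling through several usernames is flagged on its third failure.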
4. Use an RDP gateway
An RDP gateway provides greater network control by removing remote user access to all internal network resources and replacing it with a point-to-point RDP connection. This allows you to determine who can connect, what resources they can access, which type of authentication clients are required to use, and more.
5. Change the RDP Port
When scanning the Internet, hackers often look for connections that use the default RDP port (TCP 3389). In theory this means you can essentially ‘hide’ your RDP connection by changing the listening port to something else.
To do so, use the Windows Registry Editor to change the following registry subkey:
WARNING: Editing the registry can result in serious issues. Always make a backup of your registry before making edits and do not attempt to make an edit if you are uncertain in any way.
It’s worth noting that security by obscurity is not a particularly reliable or effective method of protection. In addition, many modern scanners automatically check ALL ports for RDP connections, not just TCP 3389. Nevertheless, some users may still find this approach useful in preventing RDP attacks.