The widespread switch to work-from-home arrangements around the globe means employees are working offsite at unprecedented levels. It’s also prompted cybercriminals to find additional targets to exploit. We have heard for months about an increase in the number of phishing emails that seek to take advantage of pandemic fears. Now it’s brute-force attacks that are growing.
Security firm ESET reports an uptick in the number of unique clients who reported brute-force attack attempts in recent weeks. Most of these are attempts to exploit Windows’ remote desktop protocol (RDP), which is used by network administrators to remotely manage Windows systems.
“Despite the increasing importance of RDP (as well as other remote access services), organizations often neglect its settings and protection,” said ESET’s Ondrej Kubovič in a blog post. “Employees use easy-to-guess passwords, and with no additional layers of authentication or protection, there is little that can stop cybercriminals from compromising an organization’s systems.”
RDP has become an extremely popular attack vector in the past few years, especially among ransomware gangs, noted ESET. Criminals brute-force their way into a poorly secured network, elevate their rights to admin level, disable or uninstall security solutions and then run ransomware to encrypt crucial company data.
A recent presentation at RSA revealed that RDP exploits account for 70% to 80% of network breaches.
In its most recent figures, ESET finds that Russia, Germany and Japan have had the highest number of targeted IPs.
“It’s no surprise that threat actors are also stepping up direct, brute-force attacks,” said Saryu Nayyar, CEO of security firm Gurucul. “With users working from home, they don’t have the added layers of protection they receive from the enterprise environment, which makes them easier targets. Additionally, many users choose weak passwords, which makes them relatively easy to compromise using simple brute-force techniques.”
Criminals also use RDP compromise to install coin-mining malware or create a backdoor, which can be used in case their unauthorized RDP access has been identified and closed, according to ESET.
Other common scenarios following an RDP compromise can include:
- Clearing of log files, removing the evidence of previous malicious activity.
- Downloading and running the attacker’s choice of tools and malware on the compromised system.
- Disabling of scheduled backups and shadow copies or completely erasing them.
- Exfiltrating data from the server.
Best Brute-Force Prevention Methods
Password hygiene is an obvious top prevention technique that security leaders should insist on as a first defense against brute-force attacks. Multi-factor authentication (MFA) and other protection measures also should be considered.
“Enforcing password discipline, where users must choose complex passwords with uppercase, lowercase, numeric and special characters, with a minimum length greater than 14 characters, makes a brute-force attack much more complicated,” said Nayyar. “Fifteen characters is a minimum to withstand rainbow table attacks, with longer passwords giving much greater security.”
“Organizations should only use RDP where no better alternative is available, and even then, they should enforce strong passwords, MFA and enhanced monitoring of connections,” added Javvad Malik, security awareness advocate with KnowBe4.
In its blog post, ESET stressed organizations need to keep their remote access properly configured, and also offered other best practices for remote access, including:
- Disable internet-facing RDP. If that is not possible, minimize the number of users allowed to connect directly to the organization’s servers over the internet.
- Require strong and complex passwords for all accounts that can be logged into via RDP.
- Use an additional layer of authentication such as MFA or 2FA.
- Install a virtual private network (VPN) gateway to broker all RDP connections from outside your local network.
- At the perimeter firewall, disallow external connections to local machines on port 3389 (TCP/UDP) or any other RDP port.
- Protect your endpoint security software from tampering or uninstallation by password-protecting its settings.
- Isolate any insecure or outdated computers that need to be accessed from the internet using RDP and replace them as soon as possible.