What are RDP attacks and how to spot them?
Diana Kamkina • October 13, 2020
Malicious activity over remote access protocols has surged: since March 2020, various sources have reported over a million attacks per day. It is more important now than ever to understand these attacks and protect your business.

This article explores what RDP attacks are, how they work and why they’re so dangerous.
What is RDP?

Remote Desktop Protocol is a proprietary protocol developed by Microsoft which allows a user to connect to another computer over a network connection.

Whilst it is a very useful tool, especially in a home working scenario, the protocol is known for its security issues (in 2018 the FBI issued a special note on these). In May 2019, the cyber security community discovered a critical vulnerability called BlueKeep, and within a month cybercriminals were using it to launch new attacks. Then four more vulnerabilities were found. You get the picture…

Microsoft's proprietary RDP protocol is one of the most popular – that's why we talk about it specifically. However, any remote access solution is vulnerable to some degree.
The RDP issue unfolding – what happened?

Before the pandemic changed everything, corporate data circulated within internal infrastructures, in somewhat controlled environments. But since March 2020 employees have been forced to open home-based access points into corporate environments over unsecured Wi-Fi networks. Meanwhile, users still love simple passwords and aren’t using two-factor authentication. Cybercriminals immediately took advantage.

According to Kaspersky Lab, the number of brute force attacks targeting RDP endpoints has risen sharply since the onset of the COVID-19 pandemic. ESET reports more than 100k new RDP attacks per day.
RDP attack mechanics

An RDP attack is a brute force attack that aims to guess a username and password, or an encryption key, in order to access RDP. Attackers use bots to generate candidate combinations until they hit the correct one. They can also use dictionary lists of the most popular combinations, or databases of leaked passwords.

Brute force attack example

The goal is to gain full remote access to the desired computer or server and then penetrate the corporate network via the compromised device. The attacker inserts themselves into the exchange between the two systems while the RDP session is being set up and, having decrypted the captured packet, gains access without either the client or the server being notified.

Next, the cybercriminal disables or removes security tools and either launches a DDoS attack or runs ransomware to encrypt the corporate databases holding critical business information. Alternatively, they can steal personal data for credential stuffing and phishing, or use the vulnerable RDP access to install cryptocurrency miners, adware, spyware or other unwanted software.

Ransomware attack example

Some scripts abuse the user’s rights along a chain of RDP connections; this is known as the RDPInception method. If the attacked machine can reach other servers on the network and map local drives on them, the script copies itself into the targeted Startup directories. Everything in a Startup directory runs automatically when a user logs on to a corporate system, so the attack affects multiple machines at once.
Why are RDP attacks so dangerous?

Puts your business at risk
One poorly secured RDP connection can open the gates to an entire corporate system, leaving the whole company and its data exposed. A recent example is Garmin, a GPS vendor, which was forced to pay $10M to extortionists because its security specialists failed to solve the problem.

Attacks are getting more sophisticated, yet easier to execute
Criminals run complex penetration schemes and combine several methods at once. Meanwhile, personal data and hacking tools are becoming more readily available. Just recently, the source code of Dharma, a ransomware-as-a-service offering that targets RDP, was put up for sale online. The number of password databases and brute force dictionaries keeps growing, and there are now lists of servers with an open RDP port. At Variti, we have witnessed a surge of sophisticated bots that constantly scan all available access points and try to crack passwords.

Businesses aren’t protected
As COVID-19 spread, companies had to react fast and adapt to home working. Short deadlines and crisis budget cuts took priority over security measures, leaving many setups vulnerable to this day.

To make matters worse, these unprotected businesses are often unaware that such an attack is underway, so they do not think to ‘put the fire out’ either. Companies may notice decreased performance and longer-than-usual server response times, but often treat these with memory optimisations and other irrelevant methods.
How to understand that you are under an RDP attack?
Overall system performance degrades and response times grow longer. The tricky part is that there are sometimes no spikes or dips in traffic and no anomalies in CPU load.

Servers cannot connect to remote services, and users cannot access their desktops.

Repeated failed logon attempts against usernames and passwords appear in the event logs. Unfortunately, these events are not always recorded reliably, because tracking them puts a heavy load on servers; however, the event log can be configured to prioritise what matters.
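The brute-force mechanics described above and the event-log indicator just mentioned can be turned into a concrete detector. The following is an added example, not code from Variti or from the original article: it runs a sliding-window check over a small set of constructed Windows Security logon events (the one-line-per-event layout, the sample addresses and the thresholds are assumptions made for this example; event IDs 4625 and 4624 are the standard failed and successful logon events) and raises an alert when one source produces a burst of failures, distinguishing a single hammered account from a password spray across many accounts, and a separate high-severity alert when a flagged source then logs on successfully.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: one flattened Windows Security event per line in the form
# "time|event_id|target_user|source_ip|logon_type". Event ID 4625 is a failed logon and
# 4624 a successful one; logon type 10 (RemoteInteractive) is an RDP session, while
# failures against an NLA-protected host commonly appear as type 3 (Network).
# The one-line-per-event layout is an assumption made for this example.
SAMPLE_LOG = """\
2020-10-13T08:00:01|4625|administrator|203.0.113.7|3
2020-10-13T08:00:02|4625|admin|203.0.113.7|3
2020-10-13T08:00:02|4625|root|203.0.113.7|3
2020-10-13T08:00:03|4625|administrator|203.0.113.7|3
2020-10-13T08:00:03|4625|user1|203.0.113.7|3
2020-10-13T08:00:04|4625|test|203.0.113.7|3
2020-10-13T08:00:05|4625|jsmith|203.0.113.7|3
2020-10-13T08:00:06|4624|jsmith|203.0.113.7|10
2020-10-13T08:05:00|4625|jsmith|198.51.100.4|3
2020-10-13T08:30:00|4625|jsmith|198.51.100.4|3
2020-10-13T08:31:00|4624|jsmith|198.51.100.4|10
"""

FAIL_THRESHOLD = 5              # this many failed logons from one source ...
WINDOW = timedelta(seconds=60)  # ... within this window trigger an alert (assumed values)


def parse_events(text):
    """Turn the flattened log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, ip, logon_type = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "user": user,
            "ip": ip,
            "logon_type": int(logon_type),
        })
    return events


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sliding-window detector.

    Raises one alert per source IP that produces `threshold` failed logons within
    `window`, classified as brute_force (one username hammered) or password_spray
    (many usernames), plus a high-severity alert for any successful logon from a
    source that has already been flagged.
    """
    recent = defaultdict(deque)  # ip -> deque of (time, user) for recent 4625 events
    flagged = set()              # sources that have already produced a burst alert
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = ev["ip"]
        if ev["event_id"] == 4625:
            q = recent[ip]
            q.append((ev["time"], ev["user"]))
            while ev["time"] - q[0][0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                users = sorted({u for _, u in q})
                alerts.append({
                    "type": "password_spray" if len(users) > 1 else "brute_force",
                    "ip": ip,
                    "failures": len(q),
                    "usernames": users,
                    "first": q[0][0].isoformat(),
                    "last": ev["time"].isoformat(),
                })
        elif ev["event_id"] == 4624 and ip in flagged:
            alerts.append({
                "type": "success_after_burst",
                "ip": ip,
                "user": ev["user"],
                "logon_type": ev["logon_type"],
                "time": ev["time"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the detector flags 203.0.113.7 as a password spray after its fifth failure within a minute and then raises a second, higher-severity alert when the same source succeeds as jsmith over a type 10 logon; the two isolated failures from 198.51.100.4 half an hour apart stay below the threshold. The second alert type is the one worth paging on, since it is exactly the "full remote access" outcome the article warns about.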
Protection against RDP attacks

There are multiple ways to protect your company against RDP attacks, but here are the top three reliable ones:

A strong password system – a policy that enforces secure passwords and mandatory two-factor authentication.

Monitor all requests – additional monitoring systems like Variti’s technology can be added to the standard event logging to get a complete picture of traffic.

Network Level Authentication (NLA) – NLA provides stronger protection against key spoofing by requiring authentication before and during a session.
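The first item, a policy that actually enforces secure passwords, is the one most often implemented half-heartedly. The following is an added example, not Variti’s code or anything from the original article: a password-policy check that rejects short passwords, passwords containing the username, passwords with too little estimated strength, and, most importantly given the leaked-password databases mentioned earlier, any password whose SHA-1 digest appears in a blocklist. The blocklist here is a constructed handful of entries, and the length and strength thresholds are assumptions; the digest-prefix bucketing mirrors the range-query pattern breach-lookup services use so that a check never needs the plaintext or the full hash to leave the host.

```python
import hashlib
import math
from collections import defaultdict

MIN_LENGTH = 14   # policy thresholds chosen for this example
MIN_BITS = 60

# Constructed blocklist: a handful of passwords of the kind found in leaked-password
# dumps and brute-force dictionaries. A real deployment would load millions of
# entries or query a breach-lookup service; only SHA-1 digests are kept, indexed by
# the first five hex characters so a lookup reveals no more than that prefix.
_LEAKED_PLAINTEXTS = ["123456", "password", "Password1", "admin", "qwerty", "Welcome1"]


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


LEAKED_BY_PREFIX = defaultdict(set)
for _p in _LEAKED_PLAINTEXTS:
    _h = sha1_hex(_p)
    LEAKED_BY_PREFIX[_h[:5]].add(_h[5:])


def is_leaked(password):
    """True if the password's digest is in the blocklist. The 5-character prefix
    selects the bucket; the remaining 35 characters are compared locally."""
    h = sha1_hex(password)
    return h[5:] in LEAKED_BY_PREFIX.get(h[:5], set())


def entropy_bits(password):
    """Rough guessing-resistance estimate: length * log2(size of the character
    classes used). Class sizes are an assumption (26 lower, 26 upper, 10 digits,
    33 for punctuation and space)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return len(password) * math.log2(size) if size else 0.0


def check_password(password, username=""):
    """Return (accepted, list of policy violations) for a proposed password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if is_leaked(password):
        problems.append("appears in a leaked-password list")
    if entropy_bits(password) < MIN_BITS:
        problems.append(f"estimated strength below {MIN_BITS} bits")
    return (not problems, problems)


if __name__ == "__main__":
    for pw, user in [("Password1", ""), ("jsmith2020!", "jsmith"),
                     ("correct horse battery staple", "")]:
        print(repr(pw), check_password(pw, user))
```

The blocklist check is the part that defeats the dictionary and leaked-credential attacks described in the article; length and character-class rules alone still let "Password1"-style choices through. A long passphrase passes every rule here, while a short password built around the username fails two of them even though its character mix looks varied.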
To learn more about these top protection techniques and the many other options available, read our article How to mitigate RDP attacks.
To understand more about how automated attacks can affect your business and how Variti solutions can help you combat them, get in touch today.