Thwart the pressing threat of RDP password attacks

How long does it takes for Internet-facing, RDP-enabled computers to come under attack? In some cases, a few minutes. In most, less than 24 hours.

The problem with RDP

“In recent years, criminals deploying targeted ransomware like BitPaymer, Ryuk, Matrix, and SamSam have almost completely abandoned other methods of network ingress in favor of using RDP,” say Sophos researchers Matt Boddy, Ben Jones, and Mark Stockley.

“Gangs like these have the choice cracking passwords themselves using tools like NLBrute, buying passwords cracked by others, or buying accounts on compromised RDP servers.”

To get an idea of how many attacks RDP servers are facing daily, they have set up 10 geographically dispersed Amazon EC2 instances running Windows Server 2019, with RDP enabled but secured with a “prohibitively strong password”.

It didn’t take long for the first one to get hit with a RDP brute-forcing attempt: one minute and 24 seconds. And only one had to wait more than 15 hours for the first attempt.

All in all, during the month when the honeypots were active, they logged 4,298,513 failed login attempts.

Some attackers tried to go after administrator accounts, other targeted low privileged user accounts in the hope that those passwords would be easier to uncover. In an effort to keep their activities under the radar, they tried slowly escalating the attacks, limiting them, and/or randomizing their incidence.

Another interesting thing this research revealed: attackers don’t rely on Shodan – the search engine that lists Internet-connected devices – to identify potential targets.

“None of the honeypots appeared in the Shodan index during the test period and so the monitoring didn’t reveal anything about whether or not hackers use Shodan, or what difference a Shodan listing might make to the number of attackers,” the researchers found, and therefore advised organizations not to rely upon Shodan to assess how they appear to potential attackers.

Mitigating the RDP password brute-forcing risk

RDP-based Remote Desktop Services is a helpful technology that allows enterprise administrators to reach and interact with computers on remote networks or in the cloud.

Two months ago, Microsoft warned about CVE-2019-0708 (aka BlueKeep), a wormable unauthenticated remote code execution flaw in RDS, which was expected to be widely exploited.

But although cybersecurity experts believe that state-sponsored attack groups are already using BlueKeep for quiet intrusions, massive exploitation is yet to happen.

Nevertheless, poorly secured RDP servers represent an easy target for money-hungry cybercriminals, who often compromise and use them to spread malware (usually ransomware) throughout the target network.

While the solution for the RDP password brute-forcing problem is as easy as choosing a strong and long password, the researchers are skeptical about this ever happening.

“The intransigence of weak passwords in the face of decades of user education suggests that the number of RDP servers vulnerable to brute force attacks is unlikely to be reduced by a sudden and dramatic improvement in users’ password choices. Changing this situation therefore requires action from either administrators, cloud computing vendors, or Microsoft, RDP’s progenitor,” they noted.

Microsoft could make two-factor authentication mandatory or switch to another form of authentication (e.g. public key authentication). Cloud computing vendors could offer turnkey servers with an alternative form of remote administration or authentication.

But until that happens, administrators can mitigate the risk by enabling multi-factor authentication.

“Administrators can further harden their machines against credential harvesting by not allowing domain administrators to log in via RDP; enabling RDP for only the people who need it; securing idle accounts; rate-limiting or capping the number of password retries each user is allowed; and strength testing users’ passwords,” the researchers advised.

Finally, if RDP is not needed, it should be disabled. When needed, it should be accessed only via a Virtual Private Network (VPN).