
RDP password attacks are a major threat


By Dylan Bushell-Embling
Friday, 19 July, 2019


Cybercriminals are relentlessly targeting organisations worldwide with remote desktop protocol (RDP) attacks, and are able to detect devices with the protocol enabled almost as soon as they appear on the internet.

These are among the key findings of a new report by Sophos into the scale of the RDP threat and the evolving tactics of attackers attempting to exploit the technology.

Sophos set up 10 geographically dispersed honeypots on Amazon EC2 instances running Windows Server 2019, with each instance deployed in a different regional data centre, including one in Sydney. Each honeypot used the default configuration of Windows Server 2019 that enables RDP, and was protected using a prohibitively strong password.

All 10 honeypots set up by Sophos were found in under 15 hours, with the first found in less than a minute and a half. The Sydney honeypot was found in 6 hours and 19 minutes.

During a 30-day period, the 10 honeypots collectively logged nearly 4.3 million failed login attempts, representing one attempt every six seconds. The Sydney honeypot recorded 303,680 failed login attempts.

The number of daily failed login attempts increased over time as more attackers found the honeypots.

In many cases, the number of login attempts per IP address also increased over time. Sophos said this could be due to factors including attackers gradually increasing the frequency of attacks to determine the rate limit that locks users out after too many failed login attempts, or attempting to acclimatise network monitoring systems to their presence.

Sophos’s research found that attackers attempt a number of different strategies to crack passwords. Three main attack characteristics were nicknamed in the report as “the ram”, “the swarm” and “the hedgehog”.

The ram is a strategy designed to uncover administrator passwords. The report highlights one attacker who made 109,934 login attempts at an Irish honeypot using just three user names — Administrator, Admin and Riarthóir (the Irish word for administrator).

In Sydney, attacks attempting the “administrator” and “admin” usernames constituted well over half of recorded login attempts.

The swarm attack involves using sequential usernames (such as AWashington, BWashington, CWashington and so on) and a finite number of the most common and poor passwords.

Finally, the hedgehog attack is characterised by bursts of activity followed by longer periods of inactivity.
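The three patterns above can be told apart from failed-logon records alone, without ever seeing a password. The following is an added example, not Sophos's code or anything from the report: it takes records in the shape a SIEM would export from Windows Security event 4625 (failed logon), as (timestamp, source IP, target username), groups them by source IP, and labels each source as "ram" (many attempts against two or three administrator-style names), "swarm" (a run of sequential usernames differing only in their first letter) or "hedgehog" (several bursts separated by long idle gaps). The sample records and the thresholds (attempt counts, 30-minute burst gap) are constructed assumptions and should be tuned to the environment.

```python
"""Classify failed RDP logon attempts per source IP into the three patterns
described in the Sophos report: "ram", "swarm" and "hedgehog".

Added example, not code from the report. Input records are constructed in
the shape of Windows Security event 4625 exports: (timestamp, source IP,
target username). All thresholds below are assumptions, not report values.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, str, str]  # (timestamp, source IP, username tried)

ADMIN_NAMES = {"administrator", "admin"}


def build_sample_events() -> List[Event]:
    """Constructed sample data: one source IP per attack pattern."""
    t0 = datetime(2019, 7, 1, 0, 0, 0)
    events: List[Event] = []
    # "Ram": 200 attempts, one every six seconds, three admin-style names.
    ram_names = ["Administrator", "Admin", "administrator"]
    for i in range(200):
        events.append((t0 + timedelta(seconds=6 * i), "192.0.2.10", ram_names[i % 3]))
    # "Swarm": sequential usernames AWashington..JWashington, three guesses each.
    for i in range(30):
        user = chr(ord("A") + i // 3) + "Washington"
        events.append((t0 + timedelta(seconds=i), "198.51.100.7", user))
    # "Hedgehog": three bursts of 20 one-second attempts, two hours apart.
    hedgehog_names = ["backup", "scanner", "sql", "test"]
    for burst in range(3):
        for i in range(20):
            ts = t0 + timedelta(hours=2 * burst, seconds=i)
            events.append((ts, "203.0.113.5", hedgehog_names[i % 4]))
    return events


def is_ram(usernames: List[str], min_attempts: int = 50, max_distinct: int = 3) -> bool:
    """Many attempts concentrated on a handful of administrator-style names."""
    distinct = {u.lower() for u in usernames}
    return (len(usernames) >= min_attempts
            and len(distinct) <= max_distinct
            and bool(distinct & ADMIN_NAMES))


def is_swarm(usernames: List[str], min_distinct: int = 8) -> bool:
    """A run of usernames that share a tail and step through leading letters."""
    distinct = sorted(set(usernames))
    if len(distinct) < min_distinct or not all(len(u) > 1 for u in distinct):
        return False
    if len({u[1:] for u in distinct}) != 1:  # all names must share the same tail
        return False
    heads = [ord(u[0]) for u in distinct]
    return all(b - a == 1 for a, b in zip(heads, heads[1:]))


def burst_profile(timestamps: List[datetime], gap: timedelta) -> Tuple[int, timedelta]:
    """Count bursts separated by idle periods of at least `gap`; also return the longest gap."""
    ts = sorted(timestamps)
    bursts, longest = 1, timedelta(0)
    for a, b in zip(ts, ts[1:]):
        delta = b - a
        longest = max(longest, delta)
        if delta >= gap:
            bursts += 1
    return bursts, longest


def is_hedgehog(timestamps: List[datetime], min_bursts: int = 3,
                gap: timedelta = timedelta(minutes=30)) -> bool:
    """Several bursts of activity separated by long quiet periods."""
    bursts, _ = burst_profile(timestamps, gap)
    return bursts >= min_bursts


def classify_events(events: List[Event]) -> Dict[str, List[str]]:
    """Group failed logons by source IP and attach every matching pattern label."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    result: Dict[str, List[str]] = {}
    for ip, recs in by_ip.items():
        users = [u for _, u in recs]
        times = [t for t, _ in recs]
        labels = []
        if is_ram(users):
            labels.append("ram")
        if is_swarm(users):
            labels.append("swarm")
        if is_hedgehog(times):
            labels.append("hedgehog")
        result[ip] = labels
    return result


if __name__ == "__main__":
    for ip, labels in classify_events(build_sample_events()).items():
        print(f"{ip}: {', '.join(labels) or 'unclassified'}")
```

A source may legitimately carry more than one label (a ram-style attacker that also works in bursts), which is why the classifier returns a list rather than a single verdict; feeding the same per-IP summaries to a lockout or rate-limit policy would be the natural next step for the rate-probing behaviour the report describes.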

“At present there are more than three million devices accessible via RDP worldwide, and it is now a preferred point of entry by cybercriminals. Sophos has been talking about how criminals deploying targeted ransomware like BitPaymer, Ryuk, Matrix and SamSam have almost completely abandoned other methods used to break into an organisation in favour of simply brute forcing RDP passwords,” Sophos Security Specialist Matt Boddy said.

“All of the honeypots were discovered within a few hours, just because they were exposed to the internet via RDP. The fundamental takeaway is to reduce the use of RDP wherever possible and ensure best password practice is in effect throughout an organisation. Businesses need to act accordingly to put the right security protocol in place to protect against relentless attackers.”
