Attacks against internet-exposed RDP servers surging during COVID-19 pandemic

The rush to enable employees to work from home in response to the COVID-19 pandemic resulted in more than 1.5 million new Remote Desktop Protocol (RDP) servers being exposed to the internet. The number of attacks targeting open RDP ports in the US more than tripled in March and April.

Not many companies have a big stock of unused managed laptops for employees to take home on short notice, especially those who used to do their jobs from workstations with custom legacy software that only runs on certain versions of Windows. With IT teams also having to work from home, the need to manage on-premises servers remotely is also a common problem companies have to find a solution for.

As a technology that was built into Windows to enable the remote of computers, RDP can be an easy fix to such problems, but can also become a major weakness for organizations if deployed insecurely.

RDP a serious problem made worse

The RDP protocol is a frequent target for credential stuffing and other brute-force password guessing attacks that rely on lists of common usernames and password combinations or on credentials stolen from other sources. Some cybercriminals even specialize in selling hacked RDP credentials as a commodity on the underground market to other hackers who use them to deploy ransomware and cryptominers or to engage in more sophisticated attacks that can lead to the theft of sensitive data and more extensive network compromises.

“McAfee ATR has noticed an increase in both the number of attacks against RDP ports and in the volume of RDP credentials sold on underground markets,” researchers from security firm McAfee said in a new report.

The company notes that the number of RDP ports exposed to the internet has grown from around 3 million in January to more than 4.5 million in March. More than a third of them are in the US and another third are in China. More than half of the machines with exposed RDP ports are running some version of Windows Server, but around a fifth run Windows 7, which is no longer supported and does not receive security updates. That’s a concern because in addition to often being configured with weak passwords, RDP has also seen its share of vulnerabilities and exploits over the years.

Around half of all RDP credentials sold on the underground market are for machines in China, followed by Brazil, Hong Kong, India and the US. The number of credentials for US-based RDP hosts is fairly low, at 4% of the total, but McAfee believes this is likely because the hackers who sell them don’t publish their entire lists and hold the more valuable credentials and hosts for themselves or more private and select sales.

A surge in RDP attacks

According to another recent report from VPN service provider Atlas VPN, starting with March 10, the number of RDP attacks have spiked significantly in the US, Spain, Italy, Germany, France, Russia and China. This seems to correlate with the beginning of the population movement restrictions and lockdowns enforced around the world in response to the COVID-19 pandemic.

“In the US, the attacks peaked on April 7, 2020, with a total number of 1,417,827 attacks,” the company said in its report. “Comparing the period of February 9 through March 9, 2020, to March 10 through April 10, 2020, the RDP attacks in the US jumped by 330%.”

Between March 10 and April 15, the company recorded 148 million RDP attacks around the world. More than 32 million of them were detected in the US, or almost 900,000 attacks per day on average.

“These attacks systematically attempt numerous username and password combinations until the correct one is found,” the company said. “A successful attack gives the cybercriminal remote access to the target computer or server in the corporate network.”

Protecting RDP

First, exposing RDP directly to the internet is bad security practice, even with good credential hygiene, digital certificates and two-factor authentication. Slow patching can always lead to servers being compromised through an RDP vulnerability. RDP should always be accessible only through a secure VPN connection to the corporate network or through a zero-trust remote access gateway.

McAfee recommends the following best practices:

• Do not allow RDP connections over the open internet.
• Use complex passwords as well as multi-factor authentication.
• Lock out users and block or timeout IPs that have too many failed logon attempts.
• Use an RDP gateway.
• Limit domain admin account access.
• Minimize the number of local admins.
• Use a firewall to restrict access.
• Enable restricted admin mode.
• Enable Network Level Authentication (NLA).
• Ensure that local administrator accounts are unique and restrict the users who can logon using RDP.
• Consider placement within the network.
• Consider using an account-naming convention that does not reveal organizational information.