ESET: Remote Desktop Protocol Attacks are Increasing
According to the ESET Threat Report T2 2021, there has been a significant increase in Remote Desktop Protocol (RDP) endpoint attacks. ESET statistics indicate a 104 percent increase in attacks against RDP servers since its June report.
This shouldn't be news to anybody watching their logs over the last couple of years. A number of large credential leaks focused on RDP. We looked at some of the increases in RDP scanning in April of last year when it was noted as a significant entry point for ransomware. (https://isc.sans.edu/forums/diary/Increase+in+RDP+Scanning/25994). Since then, we have seen a steady rise in the number of sources scanning for RDP with occasional surges in reports. (https://isc.sans.edu/port.html?port=3389). Note that this increase isn't so much caused by remote working. These systems have been exposed before, but leaked credentials gave attackers new tools to attack these exposed systems.
Two points on this one: (1) monthly or even quarterly changes in the technical targets of attacks aren’t very meaningful overall, since usually the next month or quarter will be very different. This one shows the growth mostly in attacks against targets in Spain, so often still regional info to be gained; and (2) there was a lot of emergency use of RDP to support work from home. By now that use should be replaced with more secure remote access approaches – see the NSA/CISA VPN guidance listed in another item in this issue of Newsbites.
Whether exploited or not, your pentesters should tell you that services like RDP, VNC, SMB, etc. exposed to the internet are bad. Please, please, please put them behind a good VPN with MFA. See also: today's article on VPN security. (-:
With the increased telework, many added services were made Internet accessible, quickly. Those often include RDP, which makes access easy for users and malicious actors. Remote access must require multi-factor authentication to thwart the value of captured credentials. Put your RDP services behind a secure remote access gateway rather than exposing them directly to the Internet.
Insecure RDP connections are one of the top attack vectors that ransomware gangs use to infiltrate companies. Microsoft have published a guide on how to secure RDP (https://www.microsoft.com/security/blog/2020/04/16/security-guidance-remote-desktop-adoption). But you should also identify all remote management tools and platforms that are in place within your organization, ensure they are secured appropriately, and regularly conduct reviews to make sure they remain secure.