
Microsoft RDP Attacks: Here’s What MSSPs Need to Know

Microsoft Remote Desktop Services give remote users access to a computer over a network and let them control it through the Windows graphical user interface. The underlying Remote Desktop Protocol (RDP) lets end users connect remotely to Windows systems, and cybercriminals are increasingly exploiting RDP to launch ransomware attacks, according to British security software company Sophos.

Cybercriminals are using BlueKeep, a “wormable” vulnerability, meaning malware exploiting it can self-replicate and spread rapidly across the Internet, to launch RDP attacks. This allows cybercriminals to trigger ransomware outbreaks and compromise Internet-connected RDP servers, of which there are millions, to invade networks, Sophos said.

In addition, cybercriminals frequently use password-guessing attacks to probe computers exposed by RDP, Sophos noted. They also select RDP attack targets based on their vulnerability to RDP brute forcing.
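The password-guessing activity described above leaves a trail in the Windows Security log as event 4625 (failed logon). The following PowerShell is an added example, not code from the article or from Sophos: it flattens 4625 events into a simple shape, then flags any source address that produces many failures in a short window, distinguishing a single-account brute force from a password spray across several accounts. The thresholds, the sample events and the 203.0.113.9 / 10.0.0.5 addresses are constructed assumptions; tune them to the host being monitored.

```powershell
# Added example (not from the article or Sophos): flag RDP password-guessing
# from Windows Security event 4625 (failed logon). Thresholds and the sample
# events below are constructed assumptions; tune them to your environment.

function ConvertFrom-LogonFailure {
    # Turn a real 4625 event (from Get-WinEvent) into a flat object.
    # Field names follow the EventData layout of 4625.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            SourceIp    = $d['IpAddress']
            TargetUser  = $d['TargetUserName']
            LogonType   = [int]$d['LogonType']
        }
    }
}

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Failures,  # flat objects as above
        [int] $Threshold     = 10,                    # failures per source address
        [int] $WindowMinutes = 5,                     # ...within this many minutes
        [int] $DistinctUsers = 3                      # this many accounts = spray
    )
    # LogonType 10 = RemoteInteractive (RDP). Guessing against a host that
    # enforces NLA is commonly recorded as type 3 instead, so include both.
    $rdp = $Failures | Where-Object {
        $_.LogonType -in 3,10 -and $_.SourceIp -and $_.SourceIp -ne '-'
    }
    $rdp | Group-Object SourceIp | ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        $span   = ($sorted[-1].TimeCreated - $sorted[0].TimeCreated).TotalMinutes
        $users  = ($_.Group.TargetUser | Sort-Object -Unique).Count
        if ($_.Count -ge $Threshold -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                SourceIp      = $_.Name
                Failures      = $_.Count
                DistinctUsers = $users
                Minutes       = [math]::Round($span, 1)
                Pattern       = if ($users -ge $DistinctUsers) { 'password spray' } else { 'brute force' }
            }
        }
    }
}

# Constructed sample: 12 failures from one external source in under two
# minutes against four account names, plus two ordinary typos by an
# internal user. Only the first source should be reported.
$t0     = Get-Date '2024-01-01 03:00:00'
$names  = 'administrator', 'admin', 'backup', 'scan'
$sample = @()
foreach ($i in 0..11) {
    $sample += [pscustomobject]@{
        TimeCreated = $t0.AddSeconds($i * 10); SourceIp = '203.0.113.9'
        TargetUser  = $names[$i % 4];           LogonType = 10
    }
}
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1); SourceIp = '10.0.0.5'; TargetUser = 'jsmith'; LogonType = 10 }
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2); SourceIp = '10.0.0.5'; TargetUser = 'jsmith'; LogonType = 10 }

Find-RdpBruteForce -Failures $sample | Format-Table

# Live use on an RDP host (run elevated; the last hour of the Security log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } |
#     ConvertFrom-LogonFailure | Find-RdpBruteForce
```

With the constructed sample the output is one row for 203.0.113.9 with 12 failures across 4 accounts in 1.8 minutes, classified as a password spray; the two internal failures fall below the threshold. Audit failure logging for the Logon subcategory must be enabled for 4625 to be written at all.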

How to Combat RDP Attacks

System administrators, cloud computing vendors and Microsoft must work together to address RDP attacks, Sophos stated.

Sysadmins can require strong RDP passwords, as well as set RDP remote access restrictions and account lockout policies. With this approach, sysadmins can minimize the risk of RDP attacks.

Meanwhile, cloud computing vendors may need to modify the default configurations in their standard machine images, Sophos indicated. For example, updating remote administration configurations for cloud instances running Windows could help reduce the number of potential RDP attack targets.
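The sysadmin measures above (access restrictions and account lockout) and the cloud-image defaults are the same handful of host settings. The following PowerShell is an added example, not code from the article, from Sophos or from any cloud vendor: it either turns Remote Desktop off entirely or, where RDP is required, enforces Network Level Authentication and TLS, scopes the host firewall rules to a management subnet, sets an account lockout policy and enables failed-logon auditing. The 10.0.0.0/24 subnet and the lockout values are assumptions; the registry paths, firewall rule group and commands are standard Windows ones.

```powershell
# Added example (not from the article or Sophos): baseline RDP hardening for a
# Windows host or the image a cloud instance is built from. The management
# subnet and lockout values are assumptions; run elevated and review each
# setting before applying it.

param(
    [string] $ManagementSubnet = '10.0.0.0/24',  # assumption: where admins connect from
    [switch] $RdpRequired                        # omit to switch RDP off entirely
)

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

if (-not $RdpRequired) {
    # Simplest fix: do not listen at all. fDenyTSConnections=1 disables Remote Desktop,
    # and the matching inbound firewall rules are disabled as well.
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False
    return
}

Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0

# Require Network Level Authentication (UserAuthentication=1) and TLS
# (SecurityLayer=2): a client must authenticate before a session is created.
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name SecurityLayer -Value 2

# Restrict who may reach TCP 3389 at the host firewall: the management subnet
# only, never 'Any'. A cloud security group or NSG should mirror this scope.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Profile Any -RemoteAddress $ManagementSubnet

# Account lockout: five failures lock the account for 30 minutes. The
# observation window must not exceed the duration. This blunts online guessing.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Record failed logons (event 4625) so guessing attempts are visible in the log.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Show the final state for review: who can log on through RDP, and the
# firewall scope that is now in force.
Get-LocalGroupMember -Group 'Remote Desktop Users'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter |
    Select-Object -Property RemoteAddress
```

For a cloud image, run this during image build with the subnet of the bastion or VPN range as `$ManagementSubnet`, so that instances never start with RDP open to the whole Internet; members of the local Administrators group can use RDP regardless of the Remote Desktop Users group, so keep that group small as well.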

Microsoft also could implement two-factor authentication or other authentication measures to help organizations combat RDP attacks, Sophos pointed out. In doing so, Microsoft could make it difficult for cybercriminals to use password-guessing to launch RDP attacks.

Comments

    Alan Robbins:

    This is an easy problem to solve: implement third-party password cracking tools that lock out the system for hours or days after so many wrong attempts. These tools are cheap and easy to deploy.

    Put a Windows computer on the Internet and the hackers will start brute force attacks over RDP within 1 hour.

    Renaming the administrator account is also a good idea.

    Wil Buchanan:

    On the RDP conversation, it’s critical that we don’t have anything on our networks listening on the standard TCP 3389 port for RDP. It’s a good proactive measure to run port scans on your perimeter firewalls to verify. If RDP is needed, make sure that it’s sitting behind an RDP Gateway with lockout policies for failed logins. Implementing a 2FA solution like DUO is also an effective countermeasure. This is not a tin-foil hat precaution. If you have an RDP server out there that is listening on the Internet for TCP 3389 traffic, you will get hacked.

    Kevin:

    Regarding this bit:

    “Cybercriminals are using BlueKeep, a “wormable” vulnerability that self-replicates malware to spread across the Internet rapidly, to launch RDP attacks. This allows cybercriminals to trigger ransomware outbreaks and compromise RDP servers to invade networks that often consist of millions of Internet-connected RDP servers, Sophos said.”

    Sophos never said this – there isn’t a public exploit for BlueKeep yet.
