RDP attacks on the rise and ways to prevent it

RDP attacks are on the rise in Middle East countries like UAE, Saudi Arabia, Bahrain, Kuwait & Oman.

Attackers using open RDP ports to take over machines or intercepting RDP sessions to inject malware by using brute-force techniques to gain usernames and passwords.

Microsoft’s Remote Desktop Protocol (RDP) is used for remotely connecting to Windows systems. In an RDP attack, criminals look for unsecured RDP services to exploit and access corporate networks. RDP attacks are on the rise because many organizations fail to secure RDP services against improper access. Recently RDP has become the top attack vector for major attacks including Ransomware.

Attackers use brute force methods to crack the passwords and thus gain full access to the system for stealing sensitive data, dropping malware, data poisoning and other malicious activities.  There are a few things you can do to make it a lot harder to gain access to your network over unauthorized RDP connections:

  • Block multiple failed login attempts coming from the same IP address or the same account. To do that, we recommend you combine the account lockout threshold policy with the account lockout duration. One will determine the number of failed sign-in attempts that will cause a user account to be locked, and the other will establish “the number of minutes that a locked-out account remains locked out before automatically becoming unlocked”. You can use third-party tools for the same.
  • Change your default RDP (Remote Desktop Protocol) port. This is a very easy procedure that will save you a lot of trouble in the future. Windows uses the default RDP port 3389. If you have this port open to the Internet, you are VERY vulnerable to port scanning, which a multitude of hacking tools can do. Once they determine that your default RDP port is open, attackers WILL run scripts to brute force their way in. The solution here is to change your default RDP port to something unused and not common knowledge. You can use this full guide provided by Microsoft to get it done. (Alternatively you can use a Remote Desktop Gateway Server, which also gives you some additional security and operational benefits like 2FA, for example. The logs of the RDP sessions can prove especially useful when you are trying to figure out what might have happened. As these logs are not on the compromised machine, they are harder to falsify by intruders.)
  • Strong username and password: The simplest and most effective thing you can do to avoid becoming a victim of an RDP brute force attack is to change your login details. Changing your account name to something more cryptic than the default ‘Administrator’ makes it twice as difficult for cybercriminals, as they have to guess your username as well as your password. You’ll need to disable the existing administrator account before setting up a new one (find out how to do that here). In addition, you’ll also want to ensure your password is up to scratch. Your password should be long, unique, complex and contain numbers, symbols and upper- and lower-case letters.
  • Do not disable Network Level Authentication (NLA), as it offers an extra authentication level. Enable it, if it wasn’t already.
  • Apply system and software updates regularly.
  • Maintain a good back-up strategy.
  • Enable logging and ensure logging mechanisms capture RDP logins.
  • Minimize network exposure for all control system devices. Whereever possible, critical devices should not have RDP enabled.

Secured By miniOrange