ESET is the latest security company to notice a sharp spike in RDP-based hacks over the last few months. The anti-malware company spotted a rise in the number of brute-force attacks using the remote access protocol, and said that cyber-criminals have been using it to distribute ransomware.
The Remote Desktop Protocol is a proprietary Microsoft protocol that allows people to access Windows from outside the network. Companies often leave their RDP ports open without taking proper security measures, ESET warned. That can lead to malware infections.
The company has tied the spike in attacks to the COVID-19 pandemic. With lots of office workers forced to log in from home, RDP has become a common way for them to access machines back at the office, it explained. It distributed a graph showing daily attacks against unique clients rising from just under 30,000 in December to over 100,000 during May.
ESET created a new detection layer that spots repeated login attempts from external environments. It adds offending IP addresses to a blacklist that it uses to protect all of its clients. For that to work, though, companies must enable the Network Level Authentication (NLA) RDP option on their servers. This is something that Microsoft has already recommended in the past as a protection against the BlueKeep worm that emerged last year, which exploited a vulnerability in RDP.
Other things you can do to protect yourself against RDP include disabling it altogether if you don’t need it, the company says, or at least creating access control lists that limit the number of users allowed to connect directly over the internet. Use strong, complex passwords for all accounts, along with multi-factor authentication, it advises. If possible, use a VPN gateway to broker all connections from outside your local network. We covered some protection techniques in April.
ESET isn’t the only company to have noticed a rise in RDP-based attacks. In March, Shodan noticed an uptick in the number of devices exposing RDP to the internet. A month later, Kaspersky reported the same thing, warning that the number of Bruteforce.Generic.RDP attacks had “rocketed across almost the entire planet” since March.
Exposed RDP problems are so bad that the FBI even warned about it in 2018, and reportedly sent out another warning this month to K–12 schools in the US about an increase in RDP-based ransomware attacks during the pandemic.