RDP and Other 
Remote Login Attacks

... meant that most organizations had a larger attack surface. This vulnerability led to a significant uptick in cyberattacks overall, but an even bigger jump in ransomware attacks. Ransomware attacks were up 150% in 2020 and have likely risen even more in 2021. It's mentioned elsewhere on this site that it's very difficult to get accurate ransomware statistics. Often, consistency in reporting serves just as important a purpose. The FBI Internet Crime Complaint Center (IC3) has been keeping track of ransomware attacks reported to the IC3 since at least 2016. The chart to the right shows how ransomware has increased over the last few years after switching over from primarily an automated form of malware in 2016 and early 2017 to manually operated cyberattacks from 2018 on, note the consistent increase since 2018. 

... attacks against healthcare providers in 2020, and the real number is probably even higher. The cost of these attacks against healthcare providers was estimated at $21 billion. That cost includes downtime caused by the ransomware attack, recovery costs, new infrastructure, and even ransom payments.

... not to attack hospitals during the pandemic. As security experts expected, most ransomware groups that took the pledge turned out to be liars (should we be surprised?). Not only did ransomware attacks against hospitals continue, they actually increased during the pandemic. In fact, less than two weeks after that “pledge” was made, L’hôpital de Saint-Gaudens was hit with a ransomware attack.

... exposed to the Internet with port 3389 (the default port for RDP) open. The information comes from a query carried out on Shodan, the scanning company. It shows 4.8 million systems potentially vulnerable to credential stuffing or credential reuse attacks. This screenshot was taken in late August of 2021, but it is representative of findings over the last few years. This view doesn’t even account for organizations that are running RDP on another port.

... are too slow for the more advanced IABs, so they rely on other tools that are readily available and still make the process of finding open RDP hosts easy.

... like Masscan to collect a large number of potential targets, but those targets aren’t always going to be vulnerable. Some might not even be RDP servers (however, Masscan can be configured to pull banner data to ensure that the IAB is targeting only actual RDP servers). As the tutorial in the XSS post above mentioned, a number of brute-force password cracking tools can be used to try to gain access. There are also a number of specialized RDP tools, such as Sticky Keys Slayer, that increase the chances of successful infiltration.

... but they have put together tutorials and post videos to YouTube teaching other IABs and ransomware affiliates how to use them.

... an option. An organization may legitimately not have the budget for another solution, they may not have the technical ability to manage it, there may be technical debt that needs to be dealt with first, or they may have vendors that require RDP. For a myriad of reasons, some organizations may not be able to migrate. If that’s the case, everything possible must be done to secure RDP installations. It’s never going to be completely secure (no system directly connected to the Internet ever is), but the goal is to make it more secure than everyone else’s installation.

... the IT and security teams have to decide which systems actually need RDP and then disable remote access to those that don’t really need it. The compliance team (which is often the same group) also needs to reach out to vendors whose systems have RDP enabled for administration to fully document what, if any, security precautions are enabled.

For those systems that do require RDP access and need to be reachable from the Internet, consider the following steps:

Watch out

Some security professionals recommend changing the RDP from 3389 to a non-standard port in an effort to disguise the use of RDP. There’s nothing wrong with doing that, but making that change without also implementing some of the other changes outlined in this section doesn’t provide any additional security. IABs are aware of this trick, and the experienced IABs scan for RDP on all ports. They’re more interested in the banner response than which port is open.

... it significantly reduces the external footprint of the organization. Rather than having to worry about maintaining and updating multiple systems, the VPN is a single system and has many built-in security features.

... tend to give VPN access to more employees. This increases the chances of a successful credential reuse attack on top of the standard credential stuffing attacks. This threat can be mitigated by requiring multifactor authentication on the VPN.

Along with regular patching and multifactor authentication, organizations can improve the security of their VPN by taking the following precautions: