In a recent blog article published by the Microsoft Defender ATP Research Team, the team reveals some interesting numbers regarding RDP brute-force attacks. The key findings include that brute-force attacks on RDP ports last an average of two to three days and that only approximately 0.08% of these attacks are successful. The sample size for the research was 45,000 PCs over a period of months, which lends credibility to the study.
Remote Desktop Protocol (RDP) is a feature of the Windows operating system that allows users to log into a remote computer using a desktop-like interface via the computer's public IP address and port 3389. Typically used in enterprise environments, it allows system and network administrators to manage servers and workstations remotely. Likewise, RDP is used by employees while away from their desks to perform work tasks. While RDP is a handy administrative tool, hackers soon learned that they could scan for Internet-facing RDP ports that are not properly secured and gain access to the targeted machines. Once access is gained, hackers can drop any number of malware strains they want.
For hackers to gain access over RDP, the attacker needs to know the account credentials. These could be obtained by a phishing attack; however, another option available is the brute-force attack. Simply put, the attack attempts to sign in to the RDP port using a massive list of common username and password combinations. This is an automated trial-and-error approach, and it is normally detected by researchers noticing numerous failed sign-in attempts over a relatively short period of time. Despite the low success rate, the fact that the process is automated is what makes it attractive to hackers. Further, exploiting unsecured RDP ports requires no advanced knowledge, unlike exploiting a software vulnerability, for example.
Interestingly, researchers noted that the attacks recently observed lasted on average between two and three days. The vast majority of attacks, roughly 90% of them, lasted less than a week, and 5% of the attacks lasted two weeks or more. Attacks last days rather than hours, even though the tooling used would certainly allow a faster pace, because hackers try to avoid getting their IP addresses blocked by firewalls. Rather than trying hundreds or thousands of login combinations at a time, they were trying only a few combinations per hour, prolonging the attack across days at a much slower pace than RDP brute-force attacks had been observed before. The research team noted,
“Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about .08% were compromised…Furthermore, across all enterprises analyzed over several months, on average about 1 machine was detected with a high probability of being compromised resulting from an RDP brute force attack every 3-4 days…A key takeaway from our analysis is that successful brute force attempts are not uncommon; therefore, it's critical to monitor at least the suspicious connections and unusual failed sign-ins that result in authenticated sign-in events.”
Real-World RDP Bad Days
2019 saw several hackers successfully gaining access to networks and machines through RDP abuse. The most recent case covered by this publication occurred in late December 2020. Legion Loader, which would drop several trojans, a crypto miner, and malware designed to steal cryptocurrency directly from a victim's cryptocurrency wallet, also installed an RDP backdoor so that access to the infected machine could be granted at a later date. It is not only those looking to infect machines with trojans who see unsecured RDP ports as their ticket into networks and machines. Ransomware operators targeting corporations for far bigger payouts often rely on RDP access to infect victims.
Earlier in December, researchers showed that the operators of the Snatch ransomware strain were actively looking for people with RDP access to partner with, in order to infect businesses and other organizations with the ransomware. Snatch is operated as ransomware-as-a-service, and those providing the hackers with RDP access would in all likelihood receive a cut of the ransom. That, at least, would have been the sales pitch. While the ransomware operators were looking for associates with RDP access rather than trying to brute-force their way in, it is a clear indication of how the protocol is targeted by hackers.
Unsecured RDP deployments are typically those that use the default port of 3389, use weak credentials or default usernames and passwords, and accept RDP connections without two-factor authentication. All of these can be corrected. Further, Microsoft recommends that system administrators combine and monitor multiple signals for detecting RDP inbound brute-force traffic on a machine. According to the researchers, the following signals are indicators of such an attack:
- Hour of day and day of the week of failed sign-in and RDP connections
- Timing of successful sign-in following failed attempts
- Event ID 4625 login type (filtered to network and remote interactive)
- Event ID 4625 failure reason (filtered to %%2308, %%2312, %%2313)
- Cumulative count of distinct usernames that failed to sign in
- Count (and cumulative count) of failed sign-ins
- Count (and cumulative count) of RDP inbound external IPs
- Count of other machines having RDP inbound connections from one or more of the same IP
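As an added illustration (not code from the article or from Microsoft), the following Python evaluates constructed sample events against three of the signals above: the Event ID 4625 logon-type and failure-reason filters, per-IP counts of failed sign-ins and distinct usernames, and a successful sign-in (Event ID 4624) following a run of failures from the same IP. The event field layout, the six-hour window and the failure threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data), laid out as
# (timestamp, event_id, logon_type, failure_reason, username, source_ip).
# Logon type 10 = RemoteInteractive, 3 = Network, 2 = local console.
EVENTS = [
    ("2020-01-05T02:10:00", 4625, 10, "%%2313", "admin",         "203.0.113.7"),
    ("2020-01-05T02:55:00", 4625, 10, "%%2313", "administrator", "203.0.113.7"),
    ("2020-01-05T03:40:00", 4625, 3,  "%%2313", "backup",        "203.0.113.7"),
    ("2020-01-05T04:20:00", 4625, 10, "%%2313", "jsmith",        "203.0.113.7"),
    ("2020-01-05T04:45:00", 4624, 10, "",       "jsmith",        "203.0.113.7"),
    ("2020-01-05T09:00:00", 4625, 2,  "%%2313", "alice",         "-"),  # console typo, ignored
    ("2020-01-05T09:01:00", 4624, 2,  "",       "alice",         "-"),
]

RDP_LOGON_TYPES = {3, 10}                         # network and remote interactive
BRUTE_FORCE_REASONS = {"%%2308", "%%2312", "%%2313"}  # failure reasons from the signal list

def parse(ev):
    ts, eid, ltype, reason, user, ip = ev
    return datetime.fromisoformat(ts), eid, ltype, reason, user, ip

def failed_signins_by_ip(events):
    """Per source IP: (count of filtered 4625 failures, count of distinct usernames tried)."""
    fails, users = defaultdict(int), defaultdict(set)
    for ts, eid, ltype, reason, user, ip in map(parse, events):
        if eid == 4625 and ltype in RDP_LOGON_TYPES and reason in BRUTE_FORCE_REASONS:
            fails[ip] += 1
            users[ip].add(user)
    return {ip: (fails[ip], len(users[ip])) for ip in fails}

def success_after_failures(events, min_failures=3, window=timedelta(hours=6)):
    """Flag a 4624 RDP sign-in preceded by >= min_failures filtered failures from the same IP within window."""
    hits, recent = [], defaultdict(list)
    for ts, eid, ltype, reason, user, ip in sorted(map(parse, events)):
        if ltype not in RDP_LOGON_TYPES:
            continue
        if eid == 4625 and reason in BRUTE_FORCE_REASONS:
            recent[ip].append(ts)
        elif eid == 4624:
            prior = [t for t in recent[ip] if ts - t <= window]
            if len(prior) >= min_failures:
                hits.append((ip, user, len(prior), ts.isoformat()))
    return hits

if __name__ == "__main__":
    print(failed_signins_by_ip(EVENTS))
    print(success_after_failures(EVENTS))
```

In practice the same logic would run over events exported from the Security log (for example with Get-WinEvent) and be combined with the remaining signals, such as hour-of-day and the number of other hosts seeing the same source IP.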
Researchers concluded that,
“Based on our careful selection of signals found to be highly associated with RDP brute force attacks, we demonstrated that proper application of time series anomaly detection can be very accurate in identifying real threats…Monitoring suspicious activity in failed sign-ins and network connections should be taken seriously—a real-time anomaly detection capable of self-updating with the changing dynamics in a network can indeed provide a sustainable solution.”