Sophos launched a new research, RDP Exposed: The Threat That's Already at your Door. Sophos' new RDP research highlights how attackers are able to find RDP-enabled devices almost as soon as these devices appear on the internet. Sophos deployed 10 geographically dispersed, low-interaction honeypots [1] to measure and quantify RDP-based risks. The honeypots were set-up in California, Frankfurt, Ireland, London, Mumbai, Ohio, Paris, Sao Paulo, Singapore, and Sydney over a 30-day period. On average, the RDP honeypots were hit by 1 attempted attack per six seconds.
RDP continues to be a source of sleepless nights for sysadmins. Sophos has been reporting on cybercriminals exploiting RDP since 2011, and in the past year, cybercriminal gangs behind two of the biggest targeted ransomware attacks, Matrix and SamSam, have almost completely abandoned all other methods of network ingress in favour of using RDP. In the study, 4.3 million login attempts were made at a rate that steadily increased through the 30-day research period. The first honeypot to be discovered, was found in just one minute and twenty-four seconds (Paris) and the last one in 15 hours (Singapore).
Matt Boddy, security specialist at Sophos, who was a lead researcher on the report states, "Most recently, a remote code execution flaw in RDP – nicknamed BlueKeep (CVE-2019-0708) – has been hitting the headlines. This is a vulnerability so serious it could be used to trigger a ransomware outbreak that could potentially spread around the world in hours. However, securing against RDP threats goes far beyond patching systems against BlueKeep, which is just the tip of the iceberg. In addition to taking care of BlueKeep, IT managers need to pay broader attention to RDP overall because, as our Sophos research shows, cybercriminals are busy probing all potentially vulnerable computers exposed by RDP 24/7 with password guessing attacks."
Hacker behaviours revealed
Sophos has identified attack patterns, based on the research. This includes three main profiles/attack characteristics: the ram, the swarm and the hedgehog:
"At present there are more than three million devices accessible via RDP worldwide, and it is now a preferred point of entry by cybercriminals. Sophos has been talking about how criminals deploying targeted ransomware like BitPaymer, Ryuk, Matrix, and SamSam have almost completely abandoned other methods used to break into an organization in favour of simply brute forcing RDP passwords. All of the honeypots were discovered within a few hours, just because they were exposed to the internet via RDP. The fundamental takeaway is to reduce the use of RDP wherever possible and ensure best password practice is in effect throughout an organization. Businesses need to act accordingly to put the right security protocol in place to protect against relentless attackers," Boddy added.