Remote Desktop Protocol (RDP) became a hot target for cybercrime as businesses shifted to remote work due to the COVID-19 pandemic. A year later, the trend shows no sign of slowing.
RDP, Microsoft's proprietary protocol for enabling people to remotely access Windows servers or workstations, is among the most popular remote access protocols used by organizations today. As such, when businesses shifted to remote work last March, cybercriminals swiftly took notice.
In the spring of 2020, when many organizations shut their office doors, attacks targeting RDP began to skyrocket: Kaspersky reported a spike from 93.1 million global RDP attacks in February to 277.4 million in March – a 197% increase, researchers note. The trend went up and down throughout the year but saw another significant jump as winter lockdowns were announced.
ESET telemetry reflects a similar pattern. The research team reported "quite stable growth" in RDP attacks throughout 2020, with the fastest changes in February and March as the US and Western Europe went into lockdown. While there was some variation in the number of attack attempts toward the end of the year, the number of companies reporting RDP attacks per day remained steady. Between the first and fourth quarters of 2020, RDP attacks grew 768%.
By February 2021, Kaspersky reported 377.5 million brute-force attacks targeting RDP, underscoring a massive spike from the 91.3 million observed at the start of 2020. In some countries these attacks tripled, while in others they grew as much as 10 times, says Kaspersky researcher Maria Namestnikova. RDP has long interested attackers because it allows them to easily gain complete control over a machine, but their attacks have ramped up in the past year.
"With the widespread popularity of this technology, the efforts of cybercriminals in this area have multiplied as they look to take advantage of the fact that RDP is being used en masse by people and entire companies," Namestnikova explains, noting they are "often very poorly aware of the risks of using applications for remote access and don't know ways to make such access more secure."
Much of the attacks researchers are seeing against RDP are brute-force attacks. These require minimal effort from attackers, Namestnikova says, but remain effective because people continue to use simple passwords that can be brute-forced with several attempts. It's worth noting that attackers may exploit vulnerabilities to target RDP, and Microsoft patched a number of remote desktop flaws in 2020. And RDP isn't the only protocol in use; if a company uses other means of remote access, such as the VNC protocol, it will still be at risk.
While RDP attacks certainly weren't the only threat to watch in 2020, they saw a larger spike than most, ESET researchers say. Cryptominers went up for the first time since 2018, a trend they attribute to growing Bitcoin prices, and downloaders saw an increase for most of the past year. Ransomware, of course, saw changes as operators shifted strategies to breach via remote access or exploited vulnerabilities to then steal data and engage in double-extortion attacks.
"RDP was surely the most prominent," according to the ESET Malware Research Labs, noting "there were other malware categories that saw an upward trend, although not in such large numbers."
Security Gaps Enable RDP Attacks
Hastily implemented and configured RDPs in many organizations have played a role in driving this type of attack, says Namestnikova. The attack vector, already popular, has become even more accessible in terms of the number of users and level of security.
"The primary measure that you should take in your company if you use RDP is, firstly, to educate employees on how complex passwords should be," she says. (The answer is very, and it is better to store them using password managers.) Namestnikova also advises using a corporate VPN for RDP access. Further, RDP allows additional authentication before establishing a server connection, which organizations should be using. If they don't use RDP, the protocol should be turned off.
Now that criminals have identified RDP as an effective attack vector, it's unlikely we'll see these attacks ease up – especially as businesses decide to allow for remote work more often or full time. Both employers and employees are growing accustomed to this way of working, she adds.
"That means it's likely RDP will remain more popular than it was before the pandemic, even when the disease recedes and all companies that want to return their employees to the office do so," Namestnikova continues. That said, she notes Kaspersky expects to see a decrease from current levels as those using RDP remember to turn it off.
The ESET team also anticipates more organizations will devote more effort into securing and hardening their systems, bringing a stabilization and perhaps a gradual drop in the number of successful RDP attacks in coming months.