Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

04:20 PM
Connect Directly

RDP Attacks Persist Near Record Levels in 2021

A wave of attacks targeting Remote Desktop Protocol has continued throughout the pandemic as more employees continue to work from home.

Remote Desktop Protocol (RDP) became a hot target for cybercrime as businesses shifted to remote work due to the COVID-19 pandemic. A year later, the trend shows no sign of slowing.

Related Content:

Remote Desktop Bugs: Patches That Took Priority in a Pandemic Year

Special Report: Building an Effective Cybersecurity Incident Response Team

New From The Edge: DDoS's Evolution Doesn't Require a Security Evolution

RDP, Microsoft's proprietary protocol for enabling people to remotely access Windows servers or workstations, is among the most popular remote access protocols used by organizations today. As such, when businesses shifted to remote work last March, cybercriminals swiftly took notice. 

In the spring of 2020, when many organizations shut their office doors, attacks targeting RDP began to skyrocket: Kaspersky reported a spike from 93.1 million global RDP attacks in February to 277.4 million in March – a 197% increase, researchers note. The trend went up and down throughout the year but saw another significant jump as winter lockdowns were announced. 

ESET telemetry reflects a similar pattern. The research team reported "quite stable growth" in RDP attacks throughout 2020, with the fastest changes in February and March as the US and Western Europe went into lockdown. While there was some variation in the number of attack attempts toward the end of the year, the number of companies reporting RDP attacks per day remained steady. Between the first and fourth quarters of 2020, RDP attacks grew 768%.

By February 2021, Kaspersky reported 377.5 million brute-force attacks targeting RDP, underscoring a massive spike from the 91.3 million observed at the start of 2020. In some countries these attacks tripled, while in others they grew as much as 10 times, says Kaspersky researcher Maria Namestnikova. RDP has long interested attackers because it allows them to easily gain complete control over a machine, but their attacks have ramped up in the past year.

"With the widespread popularity of this technology, the efforts of cybercriminals in this area have multiplied as they look to take advantage of the fact that RDP is being used en masse by people and entire companies," Namestnikova explains, noting they are "often very poorly aware of the risks of using applications for remote access and don't know ways to make such access more secure." 

Much of the attacks researchers are seeing against RDP are brute-force attacks. These require minimal effort from attackers, Namestnikova says, but remain effective because people continue to use simple passwords that can be brute-forced with several attempts. It's worth noting that attackers may exploit vulnerabilities to target RDP, and Microsoft patched a number of remote desktop flaws in 2020. And RDP isn't the only protocol in use; if a company uses other means of remote access, such as the VNC protocol, it will still be at risk.

While RDP attacks certainly weren't the only threat to watch in 2020, they saw a larger spike than most, ESET researchers say. Cryptominers went up for the first time since 2018, a trend they attribute to growing Bitcoin prices, and downloaders saw an increase for most of the past year. Ransomware, of course, saw changes as operators shifted strategies to breach via remote access or exploited vulnerabilities to then steal data and engage in double-extortion attacks.

"RDP was surely the most prominent," according to the ESET Malware Research Labs, noting "there were other malware categories that saw an upward trend, although not in such large numbers." 

Security Gaps Enable RDP Attacks
Hastily implemented and configured RDPs in many organizations have played a role in driving this type of attack, says Namestnikova. The attack vector, already popular, has become even more accessible in terms of the number of users and level of security.

"The primary measure that you should take in your company if you use RDP is, firstly, to educate employees on how complex passwords should be," she says. (The answer is very, and it is better to store them using password managers.) Namestnikova also advises using a corporate VPN for RDP access. Further, RDP allows additional authentication before establishing a server connection, which organizations should be using. If they don't use RDP, the protocol should be turned off.

Now that criminals have identified RDP as an effective attack vector, it's unlikely we'll see these attacks ease up – especially as businesses decide to allow for remote work more often or full time. Both employers and employees are growing accustomed to this way of working, she adds. 

"That means it's likely RDP will remain more popular than it was before the pandemic, even when the disease recedes and all companies that want to return their employees to the office do so," Namestnikova continues. That said, she notes Kaspersky expects to see a decrease from current levels as those using RDP remember to turn it off.

The ESET team also anticipates more organizations will devote more effort into securing and hardening their systems, bringing a stabilization and perhaps a gradual drop in the number of successful RDP attacks in coming months.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Moderator
3/18/2021 | 11:48:17 AM
re: nicely written article
Your RDP Attacks article is well written, explains principal hacker techniques that are used against RDP, includes actionable recommendations and compares to other widespread security attacks that are similarly popular.

All of this is helpful to keep all IT personnel up to speed on security considerations.

Thank you!
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-15
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why...
PUBLISHED: 2021-06-14
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. This vulnerability affects SonicOS Gen5, Gen6, Gen7 platforms, and SonicOSv virtual firewalls.
PUBLISHED: 2021-06-14
magento-scripts contains scripts and configuration used by Create Magento App, a zero-configuration tool-chain which allows one to deploy Magento 2. In versions 1.5.1 and 1.5.2, after changing the function from synchronous to asynchronous there wasn't implemented handler in the start, stop, exec, an...
PUBLISHED: 2021-06-14
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
PUBLISHED: 2021-06-14
Cross-site Scripting (XSS) vulnerability in the main dashboard of Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser. This issue affects: Hitachi ABB Power Grids ...