Cybercriminals leverage remote desktop protocol to brute force attacks
Remote Desktop Protocol (RDP) attacks surged during 2020, and their severity should not be underestimated. That's the word from a new report by security firm ESET.
ESET data recorded a 768% increased in RDP attacks between Q1 and Q4 2020, driven by the shift to remote working and COVID-19.
ESET chief research officer Roman Kováč explains, “RDP security is not to be underestimated especially due to ransomware, which is commonly deployed through RDP exploits, and, with its increasingly aggressive tactics, poses a great risk to both private and public sectors. As the security of remote work gradually improves, the boom in attacks exploiting RDP is expected to slow down – we already saw some signs of this in Q4.
RDP attacks leverage the common RDP protocol, which enables people to log on to a Windows-based device from a remote location. It is commonly used by some technical support staff to troubleshoot issues, however, it is largely unsecured and can be co-opted by cybercriminals.
According to the report, RDP attacks per day grew in Q4 by 17%, but it was the lowest quarterly increase in 2020.
“Similarly, the volume of attack attempts on RDP continued to grow in Q4, adding another 40% compared to Q3. Albeit a large figure, this is a significant slowdown against the extreme 140% growth observed between Q2 and Q3,” the report notes.
Overall, ESET detected 29 billion RDP brute-force attempts across 770,000 unique clients for the entire year.
Other findings from the report confirm what many security firms saw in 2020 - a rise in email threats that leveraged COVID-19, particularly regarding vaccine rollouts.
“With vaccination underway, we will still likely see crooks come up with new variations of threats — such as malicious websites and apps claiming to offer information on vaccine timelines or even vaccine registration,” the report states.
Furthermore, the major takedown of 94% of servers related to the TrickBot malware also had an impact on activity. ESET head of threat research Jean-Ian Boutin notes that TrickBot activity remains low to this day.
“TrickBot has infested over a million computing devices around the world since late 2016 and we have been tracking its activities since the beginning. In 2020 alone, our automatic platform analyzed more than 125,000 malicious samples and downloaded and decrypted more than 40,000 configuration files used by the different TrickBot modules, giving us an excellent viewpoint of the different C-C servers used by this botnet.
“In sum, from the beginning of the operation until October 18, 120 of the 128 servers identified as TrickBot infrastructure around the world were taken down.