sb-as logo
Story image

Report: Brute-force attacks feed on remote working vulnerabilities

30 Jun 2020

Brute-force attacks have risen significantly in correlation with the widespread impacts of the COVID-19 pandemic according to ESET,  which has tracked the trend by measuring the frequency with which it has blocked such attacks.

The United States, China, Russia, Germany and France topped the list of countries with most IPs used for brute-force attacks, the cybersecurity company says.

The trend is yet another indicator of the opportunism of cyber criminals, especially ransomware operators, who are seeking to exploit the shift to remote working and the vulnerability of security infrastructures buckling under pressure.

“Before the lockdown, most employees worked from the office and used infrastructure monitored and controlled by their IT department,” says ESET security research and awareness specialist Ondrej Kubovič.

“But the coronavirus pandemic has brought a major shift to the status quo. 

“Today, a huge proportion of ‘office’ work occurs via home devices, with workers accessing sensitive company systems through Windows’ Remote Desktop Protocol (RDP), a proprietary solution created by Microsoft to allow connecting to the corporate network from remote computers.

“Despite the increasing importance of RDP, as well as other remote access services, organisations often neglect its settings and protection,” says Kubovič.

“Employees use easy-to-guess passwords, and without additional layers of authentication or protection, there is little that can stop cybercriminals from compromising an organisation’s systems.”

Using its telemetry capabilities, ESET discovered most of the blocked IPs in January–May 2020 were seen in the United States, China, Russia, Germany and France. Countries that had the largest proportion of targeted IPs were Russia, Germany, Japan, Brazil and Hungary.

The usage of RDPs has been one of the major contributors to the general increase in security risk profiles for organisations with remote workforces. 

It has become a popular attack vector in the past few years, especially among ransomware gangs. These cybercriminals often brute-force their way into a poorly secured network, elevate their rights to admin level, disable or uninstall security solutions, and then run ransomware to encrypt crucial company data.

Still other cyber attackers may instead take advantage of an unsecured RDP to create coin-mining protocols or create backdoors, which can then be used in case their unauthorised RDP access has been identified and closed.

The research from ESET comes only a week after the company reported a coordinated spear-phishing campaign which leveraged persuasive LinkedIn messaging as its lure.

The LinkedIn message describes a believable job offer, seemingly from a well-known company in a relevant sector. Files were sent directly via LinkedIn messaging or via email containing a OneDrive link.

ESET researchers later discovered that such LinkedIn profiles were fake, and the files sent were malicious.

Story image
rhipe acquires emt Distribution, with aim to expand into enterprise market
The acquisition will enable rhipe to deliver a comprehensive portfolio of end-to-end security capabilities to its partners, the company says.More
Story image
Video: 10 Minute IT Jams - Who is Okta?
Okta is an identity and access management company, specialising in secure user authentication. It's an enterprise-grade identity management service, built for the cloud, but compatible with many on-premises applications.More
Story image
Enterprises underutilising security tools, causing teams to burn out
The report unveiled a lack of meaningful ROI metrics when reporting on security progress, as well as disparate opinions on objectives, tool effectiveness and security awareness amongst the organisation between executives and operations on security teams.More
Story image
Microsoft Exchange breach a wake-up call to ditch the server
"There are owners who still have in-house exchange servers because they are suspicious of the cloud or have concerns about their data sovereignty or don't want to contemplate the capital expenditure. But the warning is clear. Get rid of them."More
Story image
Claroty discovers vulnerabilities in Ovarro TBox RTUs
The vulnerabilities could enable attackers to break into the systems and run code, crash systems, and meddle with configuration files, amongst other malicious actions.More
Story image
Video: 10 Minute IT Jams - Radware VP on the challenges of cloud security
In this interview, Techday speaks to Radware vice president of technologies Yaniv Hoffman, who discusses the primary challenges facing IT organisations in terms of their cloud security apparatus.More