RDP continues to be a source of sleepless nights for sysadmins. Sophos has been reporting on cybercriminals exploiting RDP since 2011, and in the past year the cybercriminal gangs behind two of the biggest targeted ransomware attacks, Matrix and SamSam, have almost completely abandoned all other methods of network ingress in favour of RDP. In the study, 4.3 million login attempts were made against the honeypots, at a rate that steadily increased through the 30-day research period. The first honeypot to be discovered was found in just one minute and twenty-four seconds (Paris), and the last one in 15 hours (Singapore).
Matt Boddy, security specialist at Sophos and a lead researcher on the report, states: “Most recently, a remote code execution flaw in RDP – nicknamed BlueKeep (CVE-2019-0708) – has been hitting the headlines. This is a vulnerability so serious it could be used to trigger a ransomware outbreak that could potentially spread around the world in hours. However, securing against RDP threats goes far beyond patching systems against BlueKeep, which is just the tip of the iceberg. In addition to taking care of BlueKeep, IT managers need to pay broader attention to RDP overall because, as our Sophos research shows, cybercriminals are busy probing all potentially vulnerable computers exposed by RDP 24/7 with password guessing attacks.”
Hacker behaviours revealed
Based on the research, Sophos has identified three main attack profiles, each with its own characteristic pattern of login attempts: the ram, the swarm and the hedgehog:
– The ram is a strategy designed to uncover an administrator password: a very high volume of attempts against a handful of usernames. One example from the research is that over the course of 10 days, an attacker made 109,934 login attempts at the Irish honeypot using just three usernames.
– The swarm is a strategy that uses sequential usernames and a finite number of the worst passwords. One example from the research was seen in Paris, with an attacker using the username ABrown nine times over the course of 14 minutes, followed by nine attempts with the username BBrown, then CBrown, followed by DBrown, and so on. The pattern was repeated with A.Mohamed, AAli, ASmith, and others.
– The hedgehog is characterised by bursts of activity followed by longer periods of inactivity. In one example from Brazil, each spike was generated by a single IP address, lasted approximately four hours and consisted of between 3,369 and 5,199 password guesses.
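The three profiles above are easy to tell apart in a failed-logon log once attempts are grouped by source address: the ram hammers few usernames, the swarm cycles through many usernames a fixed number of times each, and the hedgehog shows up as bursts separated by long quiet periods. The following is an added example, not code from Sophos or the report, that runs such a classification over constructed sample log lines. It assumes a simplified line format of `<ISO timestamp> <source_ip> <username>` per failed RDP logon (for instance pre-extracted from Windows Security event 4625 with logon type 10); the thresholds are assumptions chosen for the sample data, not figures from the research.

```python
"""Classify RDP password-guessing sources into ram / swarm / hedgehog profiles.

Added example (not from the Sophos report). Each log line is assumed to be
'<ISO timestamp> <source_ip> <username>' for one failed RDP logon.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not values from the research.
RAM_MAX_USERNAMES = 3        # ram: at most this many distinct usernames ...
RAM_MIN_ATTEMPTS = 50        # ... and at least this many attempts in total
SWARM_MIN_USERNAMES = 5      # swarm: many distinct usernames ...
SWARM_MAX_PER_USER = 10      # ... each tried only a small number of times
HEDGEHOG_GAP = timedelta(hours=2)   # quiet time that separates two bursts
HEDGEHOG_MIN_BURSTS = 2


def parse_line(line):
    """Parse one log line into (timestamp, source_ip, username)."""
    ts, ip, user = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), ip, user


def group_by_source(lines):
    """Group (timestamp, username) events by source IP, skipping blank lines."""
    by_ip = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, ip, user = parse_line(line)
        by_ip[ip].append((ts, user))
    return by_ip


def count_bursts(timestamps, gap=HEDGEHOG_GAP):
    """Count activity bursts: a new burst starts whenever the quiet time
    between consecutive attempts exceeds `gap`."""
    ts = sorted(timestamps)
    if not ts:
        return 0
    bursts = 1
    for prev, cur in zip(ts, ts[1:]):
        if cur - prev > gap:
            bursts += 1
    return bursts


def classify(events):
    """Return the sorted list of profile labels matched by one source's events.
    Profiles are not mutually exclusive, so a source may carry several labels."""
    users = Counter(user for _, user in events)
    total = sum(users.values())
    labels = []
    if len(users) <= RAM_MAX_USERNAMES and total >= RAM_MIN_ATTEMPTS:
        labels.append("ram")
    if len(users) >= SWARM_MIN_USERNAMES and max(users.values()) <= SWARM_MAX_PER_USER:
        labels.append("swarm")
    if count_bursts([ts for ts, _ in events]) >= HEDGEHOG_MIN_BURSTS:
        labels.append("hedgehog")
    return sorted(labels)


def classify_log(lines):
    """Map every source IP in the log to its matched profile labels."""
    return {ip: classify(events) for ip, events in group_by_source(lines).items()}


def constructed_sample():
    """Constructed sample log lines (not real data) showing one source per profile."""
    base = datetime(2019, 7, 1, 0, 0, 0)
    lines = []
    # Ram: 60 attempts against two usernames, one every ten seconds.
    for i in range(60):
        user = "administrator" if i % 2 else "admin"
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} 198.51.100.10 {user}")
    # Swarm: ABrown, BBrown, ... HBrown, nine attempts each, 14 minutes per username.
    for n, letter in enumerate("ABCDEFGH"):
        for k in range(9):
            t = base + timedelta(minutes=14 * n, seconds=90 * k)
            lines.append(f"{t.isoformat()} 203.0.113.20 {letter}Brown")
    # Hedgehog: three bursts of 15 attempts, each under four hours, 16 hours apart.
    for burst in range(3):
        start = base + timedelta(hours=16 * burst)
        for k in range(15):
            t = start + timedelta(minutes=15 * k)
            lines.append(f"{t.isoformat()} 192.0.2.30 admin")
    return lines


if __name__ == "__main__":
    for ip, labels in classify_log(constructed_sample()).items():
        print(f"{ip}: {', '.join(labels) or 'unclassified'}")
```

On the constructed sample this reports `198.51.100.10` as a ram, `203.0.113.20` as a swarm and `192.0.2.30` as a hedgehog. The labels are deliberately not exclusive: a long-running ram that pauses for a few hours will also match the hedgehog rule, which is the right outcome for an alerting pipeline, since both observations are worth surfacing. The thresholds should be tuned against a site's own baseline before use.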
“At present there are more than three million devices accessible via RDP worldwide, and it is now a preferred point of entry by cybercriminals. Sophos has been talking about how criminals deploying targeted ransomware like BitPaymer, Ryuk, Matrix, and SamSam have almost completely abandoned other methods used to break into an organization in favour of simply brute forcing RDP passwords. All of the honeypots were discovered within a few hours, just because they were exposed to the internet via RDP. The fundamental takeaway is to reduce the use of RDP wherever possible and ensure best password practice is in effect throughout an organization. Businesses need to act accordingly to put the right security protocol in place to protect against relentless attackers,” Boddy added.