Why Work From Home Has Prompted A New Wave Of RDP-Based Hacks

The surge in RDP-Based Attacks

The number of cyber-attacks on Remote Desktop Protocol (RDP) servers has expanded amid the COVID-19 pandemic, as a significant number of employees are currently working from home.

To reach Windows workstations and servers remotely, companies have been depending on RDP, Microsoft's proprietary remote access protocol. As a result, there has been an increase in brute-force attacks, with hackers taking advantage of the pandemic to attack corporate assets made accessible to remote workers.

The number of RDP ports exposed to the internet increased from around 3,000,000 in January 2020 to more than four and a half million in March, McAfee found after running various searches. In these attacks, the cybercriminals try to break in over RDP by attempting credential combinations until they hit the right one. Analysts explained that the username and password combinations tried are built from random characters, well-known passwords, or previously compromised passwords.

How to prevent RDP-based Hacks?

First, exposing RDP directly to the internet is not good security practice. Slow patching can leave vulnerable servers open to compromise through an RDP attack. RDP should only be reachable after first connecting to the company's VPN.
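Alongside the VPN advice, it helps to know what the brute-force activity described above looks like in your own logs. The following is an added example, not code from the original post: it scans a simplified export of Windows Security events, counts failed logons (Event ID 4625 with logon type 10, i.e. RemoteInteractive/RDP) per source address within a sliding window, and records whether a successful RDP logon (Event ID 4624) from the same source followed the burst. The sample lines are constructed, and the threshold and window size are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real logs). Fields:
# timestamp event_id logon_type source_ip target_user
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
SAMPLE_EVENTS = [
    "2020-11-20T02:00:01 4625 10 203.0.113.7 administrator",
    "2020-11-20T02:00:02 4625 10 203.0.113.7 admin",
    "2020-11-20T02:00:04 4625 10 203.0.113.7 backup",
    "2020-11-20T02:00:05 4625 10 203.0.113.7 helpdesk",
    "2020-11-20T02:00:07 4625 10 203.0.113.7 jsmith",
    "2020-11-20T02:00:09 4624 10 203.0.113.7 jsmith",   # success after the burst
    "2020-11-20T02:03:00 4625 10 198.51.100.4 jsmith",  # single failure, no alert
    "2020-11-20T09:15:00 4625 2 192.0.2.10 jsmith",     # console logon, not RDP
]

def parse_event(line):
    ts, event_id, logon_type, src_ip, user = line.split()
    return {"time": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "src_ip": src_ip, "user": user}

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: summary} for sources with >= threshold failed RDP logons
    inside `window`; summary notes any later successful RDP logon from that IP."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    failures = defaultdict(list)   # src_ip -> failures still inside the window
    alerts = {}
    for e in events:
        if e["logon_type"] != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        ip = e["src_ip"]
        if e["event_id"] == 4625:
            failures[ip].append(e)
            # Drop failures that have aged out of the sliding window.
            failures[ip] = [f for f in failures[ip] if e["time"] - f["time"] <= window]
            recent = failures[ip]
            if len(recent) >= threshold:
                a = alerts.setdefault(ip, {"first": recent[0]["time"], "success_after": None})
                a["failures"] = len(recent)
                a["users"] = sorted({f["user"] for f in recent})
        elif e["event_id"] == 4624 and ip in alerts:
            # A success from an IP already flagged is the case to investigate first.
            alerts[ip]["success_after"] = e["user"]
    return alerts

if __name__ == "__main__":
    for ip, summary in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, summary)
```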

Final Thoughts

The speed at which everyone went into lockdown due to Covid-19, along with the necessity to keep business moving, resulted in shortcuts being taken that compromised security. Setting up Remote Desktop without a corporate VPN to connect to first, or an RDP Gateway, is a recipe for disaster, and it's only a matter of time before the network is compromised.

Tech Talk – November 20 Edition

It's that time again: the latest edition of Tech Talk has arrived. In this edition:

  1. What is the cloud?
  2. The 3 things your IT Support partner wishes you did
  3. Win a $50 JB Hifi Gift Card

Ransomware Attacks On The Increase During Covid-19

Ransomware attacks surged during the first half of this year, as cyber criminals looked to spread their file-encrypting malware while many people are working from home.


Analysis of malicious activity throughout the year published in Skybox Security’s 2020 Vulnerability and Threat Trends Report says ransomware has thrived in the first half of the year, with a 72% increase in new samples of the file-encrypting malware.

Read more on ZD Net

There’s never been a better time to enable 2FA

The Australian Government is currently aware of a sustained targeting of Australian companies by a sophisticated state-based actor.

Whilst web servers and the like are a primary target, there have also been spearphishing attacks on companies. This spearphishing has taken the form of:

  • links to credential harvesting websites
  • emails with links to malicious files, or with the malicious file directly attached
  • links prompting users to grant Office 365 OAuth tokens to the actor
  • use of email tracking services to identify the email opening and lure click-through events.

Once initial access is achieved, the actor utilised a mixture of open source and custom tools to persist on, and interact with, the victim network. Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials. To successfully respond to a related compromise, all accesses must be identified and removed.

Now is a good time to ensure that all your company email accounts have Two Factor Authentication enabled. In the event that you accidentally click on a suspicious link and then enter your username and password, the secondary authentication will reduce the likelihood of the attacker gaining access to your email account.

More information can be found on the ACSC website
