Sophos' Research on Remote Desktop Protocol Exposes Security Threats

CEO Insights Team

Sophos, a cybersecurity company, has published its latest research, ‘RDP Exposed: The Threat That’s Already at your Door’. The research on Remote Desktop Protocol (RDP) focuses on how attackers find RDP-enabled devices as soon as they are connected to the internet. During the research, Sophos deployed 10 geographically dispersed, low-interaction honeypots to measure and analyse RDP-based risks. The honeypots were set up in California, Frankfurt, Ireland, London, Mumbai, Ohio, Paris, Sao Paulo, Singapore, and Sydney for a period of 30 days. On average, the RDP honeypots were attacked once every six seconds.

Since 2011, Sophos has been reporting on cybercriminals exploiting RDP. Since then, the cybercriminals responsible for the Matrix and SamSam ransomware attacks have completely abandoned other means of network ingress in favour of RDP. According to the study, nearly 4.3 million logins were attempted, at a rate that gradually increased over the 30-day research period. The first honeypot was discovered in just one minute and 24 seconds, in Paris, and the last one was found in 15 hours, in Singapore. Sophos’ research found that attackers use different strategies to crack passwords. The three main attack characteristics were named the ram, the swarm and the hedgehog.

The ram is a strategy designed to uncover an administrator password. The report states that one attacker made 109,934 login attempts at the Irish honeypot, using just three usernames to gain access. The swarm attack is carried out using sequential usernames and a finite number of poor passwords. Lastly, the hedgehog is characterised by bursts of activity followed by longer periods of inactivity.
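
One way a defender could label these three patterns in honeypot or failed-logon records, as an added example that is not from the Sophos report. The record layout (time, username and password per source address), the thresholds and the sample data are assumptions constructed for illustration:

```python
import re
from statistics import median

# Thresholds are illustrative assumptions, not values from the Sophos report.
RAM_MAX_USERS = 3        # the report's ram example used "just three usernames"
RAM_MIN_PER_USER = 20    # many password guesses per username
SWARM_MIN_USERS = 5      # many usernames ...
SWARM_MAX_PASSWORDS = 3  # ... against a small set of poor passwords
BURST_GAP = 60           # seconds of silence that ends a burst

def is_sequential(usernames):
    """True if names share a prefix and count upward: user1, user2, ..."""
    parts = [re.fullmatch(r"(\D*)(\d+)", u) for u in usernames]
    if not all(parts):
        return False
    nums = [int(m.group(2)) for m in parts]
    same_prefix = len({m.group(1) for m in parts}) == 1
    return same_prefix and all(b - a == 1 for a, b in zip(nums, nums[1:]))

def split_bursts(times):
    bursts = [[times[0]]]
    for prev, cur in zip(times, times[1:]):
        if cur - prev > BURST_GAP:
            bursts.append([])  # silence longer than BURST_GAP starts a new burst
        bursts[-1].append(cur)
    return bursts

def classify(attempts):
    """attempts: list of (epoch_seconds, username, password) from one source IP."""
    if not attempts:
        return []
    attempts = sorted(attempts)
    users = list(dict.fromkeys(u for _, u, _ in attempts))  # first-seen order
    passwords = {p for _, _, p in attempts}
    labels = set()
    if len(users) <= RAM_MAX_USERS and len(attempts) / len(users) >= RAM_MIN_PER_USER:
        labels.add("ram")
    if len(users) >= SWARM_MIN_USERS and len(passwords) <= SWARM_MAX_PASSWORDS and is_sequential(users):
        labels.add("swarm")
    bursts = split_bursts([t for t, _, _ in attempts])
    if len(bursts) >= 2:
        idle = [b[0] - a[-1] for a, b in zip(bursts, bursts[1:])]
        longest = max(b[-1] - b[0] for b in bursts)
        if median(idle) > longest:  # quiet periods outlast the bursts themselves
            labels.add("hedgehog")
    return sorted(labels)

# Constructed sample data (not from the report), one list per source address.
RAM = [(i, ("administrator", "admin", "Administrator")[i % 3], f"pw{i}") for i in range(90)]
SWARM = [(i * 2, f"user{i // 2 + 1}", ("123456", "password")[i % 2]) for i in range(20)]
HEDGEHOG = [(b * 3600 + i, "admin", f"g{b}-{i}") for b in range(3) for i in range(5)]
```

A source can carry more than one label, since the hedgehog describes timing while the ram and the swarm describe the choice of usernames and passwords.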

Matt Boddy, Security Specialist at Sophos, states, “Most recently, a remote code execution flaw in RDP - nicknamed BlueKeep (CVE-2019-0708) - has been hitting the headlines. This vulnerability is so serious it could be used to trigger a ransomware outbreak that could potentially spread around the world in hours. However, securing against RDP threats goes far beyond patching systems against BlueKeep, which is just the tip of the iceberg. In addition to taking care of BlueKeep, IT managers need to pay broader attention to RDP overall because, as our Sophos research shows, cybercriminals are busy probing all potentially vulnerable computers exposed by RDP 24/7 with password guessing attacks.”

He further adds, “At present there are more than three million devices accessible via RDP worldwide, and it is now a preferred point of entry by cybercriminals. Sophos has been talking about how criminals deploying targeted ransomware like BitPaymer, Ryuk, Matrix, and SamSam have almost completely abandoned other methods used to break into an organization in favour of simply brute forcing RDP passwords. All of the honeypots were discovered within a few hours, just because they were exposed to the internet via RDP. The fundamental takeaway is to reduce the use of RDP wherever possible and ensure best password practice is in effect throughout an organization. Businesses need to act accordingly to put the right security protocol in place to protect against relentless attackers.”
