Remote Desktop Protocol (RDP) – The #1 Way to Get Attacked

The #1 risk to the security of an organization's network is an attacker gaining access through a compromised RDP connection. Learn how to prevent and protect against this threat with threat intelligence.

What are the top 5 cybersecurity risks that can be prevented and protected against with threat intelligence? We recently published a guide to the top 5 cyber risks by Brad LaPorte, a former Gartner Senior Director Analyst and cybersecurity industry expert. Let's explore the #1 way for an attacker to access your network from Brad's risk list: Remote Desktop Protocol (RDP) connections.

RDP is a protocol developed by Microsoft that lets a user remotely connect to and control another Windows PC or server over the internet or a local network, with full access to the tools and software installed on that machine. If you have ever had someone from your IT staff take over your computer remotely to work out why you were having a particular problem, they were most likely using RDP. Secured with a strong password and multi-factor authentication, RDP lets employees access corporate resources remotely with reasonable safety. But ever since RDP was introduced, cybercriminals have treated it as a primary way into company networks: they scan the internet for hosts listening on RDP's default port, TCP 3389, and then guess or brute-force the logins they find.

How widespread is the trade in compromised RDP servers? According to our research, in 2021 access to 307,478 RDP connections was offered for sale on the dark web.

Compromised RDP servers pose two different threats:

  1. They serve as a backdoor into the network of the organization they belong to, and
  2. They can be turned against other networks: attackers use the compromised host's resources to run a C2 server, stage malware, or proxy an attack so that it appears to come from the victim rather than from the attacker.

The comprehensive fix:

Prevent: Require strong authentication for RDP (long, unique passwords plus multi-factor authentication, with Network Level Authentication enabled so credentials are checked before a session is created), keep RDP off the public internet behind a VPN or Remote Desktop Gateway, and run endpoint protection on the host so that an attacker who does obtain RDP credentials cannot move freely from there. Changing the default port from 3389 cuts the noise from mass scanners, but it is not a security control on its own: an attacker who is already looking at your address space will find the new port quickly.

Detect: Cybersixgill offers a dynamic solution to the problem of compromised RDP servers. If an organization wants to monitor whether its RDP servers are being sold in dark web markets, it can do so automatically within Cybersixgill's Investigative Portal: simply create a notification that triggers when the first two octets of the organization's IP ranges are mentioned. Listings frequently show only part of an address, which is why the match is on the first two octets rather than the full IP. When the notification fires, analysts investigate the rest of the post to determine whether the address really belongs to the organization and take the right course of action.
Furthermore, compromised RDP servers with complete IP addresses (even those distributed for free on forums) are included in Cybersixgill's Darkfeed, our automated feed of malicious indicators of compromise (IOCs), which also covers domains, URLs and file hashes. Because the feed is updated continuously, organizations can block these addresses automatically the moment they appear on the dark web, before they can be weaponized against them.
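The two detection steps above, a first-two-octet notification on dark-web listings and automatic handling of full addresses from an IOC feed, are shown below in a single added example. This is illustrative code written for this article, not Cybersixgill's portal or Darkfeed code. The organization's IP ranges, the sample listings and the feed entries are all constructed (RFC 5737 documentation space stands in for real netblocks). It goes slightly beyond the portal rule described above: when a listing masks only the last octet, it also checks whether the visible /24 overlaps the organization's ranges, which filters out some false positives before an analyst sees them.

```python
"""Triage dark-web access listings against an organization's IP space.

Added example, not vendor code. Shows (1) a notification that fires when a
post mentions the first two octets of the organization's ranges, including
listings where the seller masks the trailing octets, and (2) splitting a feed
of full compromised-RDP addresses into hosts the organization must remediate
(its own) and hosts it should block at the perimeter (everyone else's).
"""
import ipaddress
import re

# Constructed: the organization's public ranges (RFC 5737 documentation space).
ORG_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample posts in the style of an RDP access listing. Sellers
# commonly mask the last one or two octets until a buyer pays.
SAMPLE_POSTS = [
    {"id": "p1", "text": "RDP admin access, 203.0.113.x Windows Server 2019, 4 cores"},
    {"id": "p2", "text": "Selling RDP 198.51.100.77:3389 user/pass tested, fresh"},
    {"id": "p3", "text": "RDP dump 192.0.2.*  cheap, no auth logs"},
    {"id": "p4", "text": "need a 3389 brute tool, dm me"},
]

# A dotted quad whose last two octets may be digits or a mask (x, *, **).
IP_TOKEN = re.compile(
    r"(?<![\w.])(\d{1,3})\.(\d{1,3})\.(\d{1,3}|[x*]{1,3})\.(\d{1,3}|[x*]{1,3})(?![\w.])"
)


def _prefix(net):
    """First two octets of a network: the key the notification triggers on."""
    return ".".join(str(net.network_address).split(".")[:2])


def classify_token(a, b, c, d, ranges=ORG_RANGES):
    """'confirmed' for a full address inside our ranges, 'candidate' for a
    masked address whose visible octets are consistent with our ranges (needs
    an analyst), None for anything else."""
    if c.isdigit() and d.isdigit():
        try:
            addr = ipaddress.ip_address(f"{a}.{b}.{c}.{d}")
        except ValueError:  # e.g. an octet above 255
            return None
        return "confirmed" if any(addr in n for n in ranges) else None
    if f"{a}.{b}" not in {_prefix(n) for n in ranges}:
        return None
    if c.isdigit():  # only the last octet is masked: check the visible /24
        try:
            block = ipaddress.ip_network(f"{a}.{b}.{c}.0/24")
        except ValueError:
            return None
        return "candidate" if any(block.overlaps(n) for n in ranges) else None
    return "candidate"  # only the first two octets are visible


def triage_posts(posts, ranges=ORG_RANGES):
    """Map post id -> (verdict, matched text) for posts that touch our space."""
    hits = {}
    for post in posts:
        for m in IP_TOKEN.finditer(post["text"]):
            verdict = classify_token(*m.groups(), ranges=ranges)
            if verdict is not None:
                hits[post["id"]] = (verdict, m.group(0))
    return hits


def partition_feed(feed, ranges=ORG_RANGES):
    """Split full addresses from an IOC feed into ours (remediate) and
    others' (block). Entries that are not complete addresses are dropped."""
    ours, block = [], []
    for entry in feed:
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue
        (ours if any(addr in n for n in ranges) else block).append(str(addr))
    return {"remediate": ours, "block": block}


if __name__ == "__main__":
    for pid, (verdict, ip) in triage_posts(SAMPLE_POSTS).items():
        print(f"{pid}: {verdict} ({ip})")
    # Constructed feed entries: one of ours, one foreign, one masked (ignored).
    print(partition_feed(["198.51.100.77", "192.0.2.44", "203.0.113.x"]))
```

Two octets only pin an address down to a /16, so a "candidate" hit is a prompt for an analyst, not evidence by itself; the "confirmed" verdict and the block list are the only outputs safe to act on automatically.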

For more information about the danger posed by compromised RDP servers, see our report Remote Desktop Pandemic.