Recent research from Sophos highlights your public RDP server as the primary attack vector against your data centre.
During April and May 2019, Sophos deployed 10 standard out-of-the-box configured Windows 2019 servers into AWS data centres around the world. By default, Windows 2019 has RDP enabled. They configured each server with uncrackably long passwords and enabled logging of Windows event 4625 – failed login attempt.
The purpose of the experiment was to track how long it took before someone tried to hack into these RDP servers and how many times this happened. Similar research in 2012 recorded an average of 2 login attempts per hour.
The first of these honeypot servers received an attempted login just one minute and 24 seconds after it went active online. All 10 servers were attacked within 16 hours, with an average hit rate of 600 login attempts per hour per server over the month.
Analysis of the source IP addresses issuing the login attempts shows the number of distinct addresses ranging from an average of 600-700 each day, but peaking at over 1100 on some days.
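The two measurements just described (failed logins per hour per server, distinct source addresses per day) can be computed from your own event 4625 exports. The following is an added example, not Sophos' code; the server names, timestamps and IP addresses are constructed, and a real pipeline would feed it the IpAddress field of each 4625 record from the Security log.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (not real honeypot data): server name, event
# timestamp and the IpAddress field of a Windows 4625 failed-logon event.
SAMPLE_4625 = [
    ("honeypot-01", "2019-04-01 09:01:24", "198.51.100.7"),
    ("honeypot-01", "2019-04-01 09:10:00", "198.51.100.7"),
    ("honeypot-01", "2019-04-01 09:45:12", "203.0.113.9"),
    ("honeypot-01", "2019-04-01 10:05:00", "203.0.113.9"),
    ("honeypot-02", "2019-04-01 09:30:00", "198.51.100.7"),
    ("honeypot-02", "2019-04-02 00:12:00", "192.0.2.44"),
    ("honeypot-02", "2019-04-02 00:13:00", "192.0.2.45"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def attempts_per_hour(records):
    """{server: Counter(hour_start -> failed logons in that hour)}."""
    buckets = defaultdict(Counter)
    for server, ts, _ip in records:
        buckets[server][parse_ts(ts).replace(minute=0, second=0)] += 1
    return buckets

def peak_hourly_rate(records, server):
    """Highest failed-logon count seen in any one hour on one server."""
    return max(attempts_per_hour(records).get(server, Counter()).values(), default=0)

def distinct_sources_per_day(records):
    """{date: number of distinct source IPs} across all servers."""
    sources = defaultdict(set)
    for _server, ts, ip in records:
        sources[parse_ts(ts).date()].add(ip)
    return {day: len(ips) for day, ips in sources.items()}

def noisy_sources(records, threshold):
    """Source IPs whose failed logons on any single server reach the
    lockout threshold; these are the candidates to block at the firewall."""
    per_pair = Counter((server, ip) for server, _ts, ip in records)
    return sorted({ip for (_s, ip), n in per_pair.items() if n >= threshold})

if __name__ == "__main__":
    print("peak/hour honeypot-01:", peak_hourly_rate(SAMPLE_4625, "honeypot-01"))
    print("distinct source IPs per day:", distinct_sources_per_day(SAMPLE_4625))
    print("sources at lockout threshold 2:", noisy_sources(SAMPLE_4625, 2))
```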
Several prevalent ransomware families (including RYUK, BITPAYMER, MATRIX and DHARMA) use RDP as their primary attack vector.
The researchers checked the Shodan search engine to see whether their RDP servers were listed there and found that they were not, for the entire 30-day experiment window. The attackers are therefore using other tools to identify IP addresses to attack, and system administrators should not assume that the absence of a Shodan listing for their systems provides any form of protection.
What can be done to secure RDP connections?
Given the continuous and increasing attempts to breach RDP servers, there are a number of steps system administrators can take to protect their systems:
- Disable RDP if you are not using it
- Do not expose RDP directly to the internet – require a VPN connection to access it
- Enable two-factor authentication and use the Remote Desktop Gateway server
- Disable RDP login for all users, and then re-enable it only for those who really need it
- Do not allow domain administrators to log in via RDP
- Ensure RDP-enabled accounts are automatically locked following excessive failed login attempts