Security experts from ESET revealed that the number of daily brute-force attacks on Windows RDP has doubled during the COVID-19 lockdown.
The phenomenon is not surprising because during the COVID-19 lockdown employees were forced to work from home, remotely accessing company infrastructure.
Cybercriminals are aware of this situation and are attempting to take advantage of the crisis. In April, researchers from Kaspersky Lab reported a significant increase in the number of RDP brute-force attacks since the beginning of the COVID-19 pandemic.
In early April, researchers from Shodan reported a 41% increase in the number of RDP endpoints exposed online since the beginning of the COVID-19 pandemic.
RDP brute-force attacks skyrocketed in March due to remote working imposed during the COVID-19 pandemic, which forced organizations to deploy more systems online accessible through RDP connections.
Threat actors, especially ransomware operators, intensified their operations, attempting to brute-force the Windows remote desktop service to access target organizations.
ESET researchers also said the attackers attempt to exploit RDP connections to install coin-mining malware or create a backdoor.
Threat actors also conduct the following actions after an RDP compromise:
Unfortunately, most organizations neglect the protection of RDP access, and workers use easy-to-guess passwords with no additional layers of authentication or protection.
ESET telemetry data shows a significant increase in the daily number of brute-force attacks against RDP.
Between December 2019 and February 2020, the experts observed between 70,000 and 40,000 attacks on a daily basis. The situation changed from February, when the number reached 80,000.
The number of attacks surpassed 100,000 in April and May, while most countries were reporting a peak in the COVID-19 infections.
Most of the attacks between January and May 2020 originated from IP addresses in the U.S., China, Russia, Germany, and France. Most of the targeted IP addresses were in Russia, Germany, Brazil, and Hungary, ESET telemetry data shows.
Below are the recommendations provided by ESET on how to configure remote access correctly:
(SecurityAffairs – hacking, COVID-19)