Security experts from ESET revealed that the number of daily brute-force attacks on Windows RDP has doubled during the COVID-19 lockdown.
The phenomenon is not surprising because during the COVID-19 lockdown employees were forced to work from home, remotely accessing company infrastructure.
Cybercriminals are aware of this situation and are attempting to take advantage of the crisis. In April, researchers from Kaspersky Lab reported a significant increase in the number of RDP brute-force attacks since the beginning of the COVID-19 pandemic.
In early April, researchers from Shodan reported a 41% increase in the number of RDP endpoints exposed online since the beginning of the COVID-19 pandemic.
RDP brute-force attacks skyrocketed in March due to remote working imposed during the COVID-19 pandemic, which forced organizations to deploy more systems online accessible through RDP connections.
Threat actors, especially ransomware operators, intensified their operations, attempting to brute-force the Windows Remote Desktop service to gain access to target organizations.
ESET researchers also said that attackers attempt to exploit RDP connections to install coin-mining malware or create a backdoor.
Threat actors also conduct the following actions after an RDP compromise:
Unfortunately, most organizations often neglect the protection of RDP access, and workers use easy-to-guess passwords with no additional layers of authentication or protection.
ESET telemetry data shows a significant increase in the daily number of brute-force attacks against RDP.
Between December 2019 and February 2020, the experts observed between 70,000 and 40,000 attacks on a daily basis. The situation changed from February, when the number reached 80,000.
The number of attacks surpassed 100,000 in April and May, while most countries were reporting a peak in COVID-19 infections.
Most of the attacks between January and May 2020 originated from IP addresses in the U.S., China, Russia, Germany, and France. Most of the targeted IP addresses were in Russia, Germany, Brazil, and Hungary, ESET telemetry data shows.
Below are the recommendations provided by ESET on how to configure remote access correctly:
(SecurityAffairs – hacking, COVID-19)