Strong RDP Protection: How to Avoid Password Attacks

A significant number of employees continue to work remotely from home. The most popular way to reach the work files you need is Remote Desktop Protocol (RDP). In particular, RDP provides access to servers, workstations, and resources located centrally or in different places on a remote network.

RDP Protection


When enabling Remote Desktop Protocol in their antivirus configuration, network administrators can either restrict RDP access to the company network or allow access over the Internet. However, opening ports to public access is dangerous, because this is how attackers discover and attack them. For example, using the Shodan search engine, cybercriminals can find about 3.5 million RDP ports that are open to the Internet.


It is imperative for IT administrators to ensure that RDP is properly protected and that basic security rules are followed, since cybercriminals exploit security weaknesses to attack corporate networks. That is why we have prepared an overview of the most common methods cybercriminals use to compromise systems via Remote Desktop Protocol.


Brute force attacks

This method involves a cybercriminal trying to get into a system by guessing passwords, sometimes millions of them. The process is usually automated and carried out with special programs. If successful, attackers can infect the user's system with ransomware such as GandCrab and Sodinokibi, or with other malicious software.


The new TrickBot Trojan module, which the cybercriminals added recently, has already been used in cyberattacks on 6,000 RDP servers. Strong credentials, however, can make such attacks impractical on your system, so use strong password combinations to protect RDP.


To ensure that employees use complex RDP passwords, IT administrators can use tools that compare employee password hashes against a dictionary of known weak passwords.


Credential stuffing attack

This method is similar to brute-force attacks, but here the attackers use credentials that have leaked as a result of data breaches. Hackers can automate the process using special programs such as SNIPR, Sentry MBA, STORM, Black Bullet, Private Keeper, and WOXY. To bypass antivirus and other RDP protection technologies, attackers route their attempts through proxies (botnets) so that repeated logins arrive from different IP addresses.


The success of attackers depends on how often users reuse login combinations. That is why using a unique combination for each account minimizes the risk of their being stolen.


Password Spraying Attacks

This method is another variation of brute-force attacks, in which attackers strategically select login combinations and try them against many accounts at once.


Hackers can harvest employee names from public sources using tools like Prowl, Raven, and LinkedIn; these tools collect lists of employees by domain from LinkedIn. With a list of usernames, a hacker can launch an attack on the system.


If cybercriminals compromise at least one account, they can use it to read the Active Directory password and lockout policy and tune future password-spraying attacks against other users in the same domain.
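The brute-force and password-spraying patterns described above differ in how failed logons are spread across accounts, which is what a defender can look for in failed RDP logon records. As an added example (not code from the original article), the following Python parses constructed failed-logon lines, keeps only RDP logons, and labels each source address as brute force (many failures on one account), spraying (a few failures each across many accounts, staying under the lockout threshold) or benign; the log format, addresses, names and thresholds are assumptions made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified text rendering of Windows event
# 4625 (failed logon). LogonType=10 is RemoteInteractive, i.e. an RDP logon;
# the addresses, names and format are made up for this example.
SAMPLE_LOG = (
    ["4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator"] * 40
    + [f"4625 LogonType=10 IpAddress=198.51.100.9 TargetUserName={u}"
       for u in ("a.smith", "b.jones", "c.lee", "d.khan", "e.ortiz", "f.wu")]
    + ["4625 LogonType=10 IpAddress=192.0.2.5 TargetUserName=a.smith"] * 2
    + ["4625 LogonType=3 IpAddress=192.0.2.8 TargetUserName=svc-backup"] * 9
)

LINE_RE = re.compile(
    r"^4625 LogonType=(\d+) IpAddress=(\S+) TargetUserName=(\S+)$")


def parse_rdp_failures(lines):
    """Yield (source_ip, username) for each failed RDP logon (type 10),
    skipping other logon types and lines that do not match the format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(1) == "10":
            yield m.group(2), m.group(3)


def failures_per_source(lines):
    """Return {source_ip: {username: failure_count}}."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, user in parse_rdp_failures(lines):
        per_ip[ip][user] += 1
    return per_ip


def classify_sources(lines, lockout_threshold=5, spray_min_users=5):
    """Label each source IP by how its failures are spread over accounts.
    brute_force: at least one account hit as often as the lockout threshold.
    spraying:    many distinct accounts, each kept below the threshold,
                 which is exactly the pattern a lockout policy alone misses.
    benign:      a few failures on a few accounts (typos, expired sessions).
    Thresholds are assumptions; tune them to the domain's lockout policy."""
    labels = {}
    for ip, users in failures_per_source(lines).items():
        if max(users.values()) >= lockout_threshold:
            labels[ip] = "brute_force"
        elif len(users) >= spray_min_users:
            labels[ip] = "spraying"
        else:
            labels[ip] = "benign"
    return labels
```

Pairing the spraying label with the attempt limit recommended below matters, because a sprayer deliberately stays under that limit and would otherwise never trigger a lockout.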


Best practices for protecting RDP from cybercriminals

To protect RDP from credential attacks, we recommend:


  • Use complex and unique combinations to log into all accounts. To store all of them conveniently, you can use a modern password manager.
  • Set up two-factor authentication. It provides an additional layer of RDP protection even if attackers obtain your account credentials.
  • Limit the number of invalid login attempts.
