Sophos’ new research highlights how attackers are able to find RDP-enabled devices almost as soon as these devices appear on the internet.
Sophos has launched a new research, ‘RDP Exposed: The Threat That’s Already at your Door’. Sophos’ new RDP (Remote Desktop Protocol) research highlights how attackers are able to find RDP-enabled devices almost as soon as these devices appear on the internet. Sophos deployed 10 geographically dispersed, low-interaction honeypots to measure and quantify RDP-based risks. The honeypots were set-up in California, Frankfurt, Ireland, London, Mumbai, Ohio, Paris, Sao Paulo, Singapore, and Sydney over a 30-day period. On average, the RDP honeypots were hit by 1 attempted attack per six seconds.
RDP continues to be a source of sleepless nights for sysadmins. Sophos has been reporting on cybercriminals exploiting RDP since 2011, and in the past year, cybercriminal gangs behind two of the biggest targeted ransomware attacks, Matrix and SamSam, have almost completely abandoned all other methods of network ingress in favour of using RDP. In the study, 4.3 million login attempts were made at a rate that steadily increased through the 30-day research period. The first honeypot to be discovered, was found in just one minute and twenty-four seconds (Paris) and the last one in 15 hours (Singapore).
“Most recently, a remote code execution flaw in RDP – , who nicknamed BlueKeep (CVE-2019-0708) – has been hitting the headlines. This is a vulnerability so serious it could be used to trigger a ransomware outbreak that could potentially spread around the world in hours. However, securing against RDP threats goes far beyond patching systems against BlueKeep, which is just the tip of the iceberg. In addition to taking care of BlueKeep, IT managers need to pay broader attention to RDP overall because, as our Sophos research shows, cybercriminals are busy probing all potentially vulnerable computers exposed by RDP 24/7 with password guessing attacks,” said Matt Boddy, Security Specialist, Sophos.
