Even though we keep telling people not to enable Microsoft’s Remote Desktop Protocol (RDP) on Internet-facing servers, a recent check showed that a million servers were still vulnerable.
“In recent years, criminals deploying targeted ransomware like BitPaymer, Ryuk, Matrix, and SamSam have almost completely abandoned other methods of network ingress in favor of using RDP,” say Sophos researchers Matt Boddy, Ben Jones, and Mark Stockley.
Hackers use password-cracking tools, and buy passwords for servers that have already been cracked, in order to get in.
To see how long it took for servers to be compromised, researchers set up 10 geographically dispersed Windows Server 2019 installations in the Amazon cloud. Those servers had RDP enabled.
To make life interesting, the servers were set up with extremely strong passwords.
The first server was hit with an attempted login within ONE MINUTE AND TWENTY-FOUR SECONDS of being brought online.
The last one was attacked in a little over fifteen hours.
The test servers were live for a month. During that time period, there were over 4 million attempted logins to those servers.
The attackers vary their techniques so as not to get detected or blocked. People sometimes claim that the search engine SHODAN is the reason for these attacks, but these 10 servers were never listed in SHODAN.
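To show what the login volume described above looks like in a defender's own logs, here is an added example (not from the Sophos study or the original post) that flags source addresses generating repeated failed RDP logons in exported Windows Security events. The line format, timestamps and IP addresses are constructed for illustration; the event ID 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export, one event per line:
# <timestamp> <EventID> <LogonType> <TargetUserName> <IpAddress>
# These are NOT real records from the honeypot servers in the article.
SAMPLE_EVENTS = """\
2019-05-01T10:00:01 4625 10 administrator 203.0.113.9
2019-05-01T10:00:03 4625 10 admin 203.0.113.9
2019-05-01T10:00:05 4625 10 user 203.0.113.9
2019-05-01T10:00:06 4625 10 test 203.0.113.9
2019-05-01T10:00:08 4625 10 scan 203.0.113.9
2019-05-01T10:00:09 4625 10 backup 203.0.113.9
2019-05-01T10:30:00 4625 10 alice 198.51.100.4
2019-05-01T10:31:00 4624 10 alice 198.51.100.4
2019-05-01T11:00:00 4625 3 svc 192.0.2.7
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\d+) (\S+) (\S+)$")

def parse_events(text):
    """Yield (time, event_id, logon_type, user, ip) tuples from the export."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        ts, eid, ltype, user, ip = m.groups()
        yield datetime.fromisoformat(ts), int(eid), int(ltype), user, ip

def find_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: distinct usernames tried} for every source that produced
    at least `threshold` failed RDP logons (4625 / LogonType 10) within
    any `window`-long sliding interval. A high username count from one
    source indicates password spraying rather than one guessed account."""
    recent = defaultdict(deque)   # ip -> timestamps of failures in window
    users = defaultdict(set)      # ip -> usernames attempted
    flagged = {}
    for ts, eid, ltype, user, ip in parse_events(text):
        if eid != 4625 or ltype != 10:
            continue              # only failed RemoteInteractive (RDP) logons
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold:
            flagged[ip] = len(users[ip])
    return flagged
```

In the sample, 203.0.113.9 is flagged after six failures against six different accounts inside ten seconds, while the single failure from 198.51.100.4 followed by a successful logon (4624) and the non-RDP failure (logon type 3) are not.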
Given this, what should you do?
First, unless you have no other viable alternative, do not expose RDP publicly on the Internet.
Security teams have been trying for years to get everyone to use strong passwords but that really has not worked. Not at all.
You can make the hacker’s job harder by turning on two-factor authentication, but if you do that, make sure the second factor is strong – not a text message. Installing client-side security certificates is one good option because, once installed, they are invisible to the user.
If you absolutely must use RDP, the preferred method is to require users to connect to the company network through a strong VPN solution first.
Source: HelpNet Security