Tag Archives: RDP

How Long Does It Take For a Public RDP Server to be Hacked

Even though we keep telling people not to enable Microsoft’s Remote Desktop Protocol (RDP) on Internet facing servers, a recent check showed there were still a million servers vulnerable.

“In recent years, criminals deploying targeted ransomware like BitPaymer, Ryuk, Matrix, and SamSam have almost completely abandoned other methods of network ingress in favor of using RDP,” say Sophos researchers Matt Boddy, Ben Jones, and Mark Stockley.

Hackers use password cracking tools and buy passwords for already cracked servers in order to get in.

To see how long it took for servers to be compromised, researchers set up 10 geographically dispersed Windows Server 2019 installations in the Amazon cloud.  Those servers had RDP enabled.

To make life interesting, the servers were set up with extremely strong passwords.

The first server was hit with an attempted login ONE MINUTE AND TWENTY-FOUR SECONDS after it was brought online.

The last one was attacked in a little over fifteen hours.

The test servers were live for a month. During that time period, there were over 4 million attempted logins to those servers.

The hackers are creative in their attacks so as to not get detected or blocked. Sometimes people claim that the search engine Shodan is the reason for these attacks, but these 10 servers were never listed in Shodan.

Given this, what should you do?

First, unless you have no other viable alternative, do not expose RDP publicly on the Internet.

Security teams have been trying for years to get everyone to use strong passwords but that really has not worked.  Not at all.

You can make the hacker's job harder by turning on two-factor authentication, but if you do that, make sure the second factor is strong, not a text message. Installing client-side security certificates is another good option because, once they are installed, they are invisible to the user.

If you absolutely must use RDP, the preferred method is to require users to connect to the company network via a strong VPN solution first.

Source: HelpNet Security


CrySiS Ransomware Targets Open RDP Servers

The FBI released an alert this week about malware called CrySiS that attacks public facing servers that have RDP enabled.

RDP, or Remote Desktop Protocol, is an old Microsoft protocol that was designed to allow IT people to remotely control a Windows machine (server or desktop) to perform maintenance. The protocol is old – it was first released with Windows NT in 1996 – and has been upgraded many times. There are also many non-Microsoft versions of the client, such as Unix and Mac versions.

However, RDP was designed in pre-Internet days and while Microsoft continues to button up the security of RDP, hackers continue to attack it.

The CrySiS ransomware finds servers facing the Internet which have RDP enabled and attacks them.  Businesses that have been infected with CrySiS include small businesses, churches, medical facilities, law firms and local governments.

Assuming the attackers are successful, CrySiS operates like most ransomware: it encrypts your files and demands payment, in cryptocurrency, to get your files decrypted.

They breach RDP using dictionary attacks, brute force or stolen credentials obtained in other ways.
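Both posts on this page describe the same thing from the defender's side: millions of failed logins against exposed RDP, coming either as a fast burst from one address or spread slowly across many addresses and accounts so that a simple per-IP block never fires. The following is an added example, not code from either post or from the Sophos or FBI material they cite. It runs two detections over Windows Security events, failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive, i.e. RDP): a per-source burst threshold and a per-account "many sources" check. The log line format, field names, timestamps and IP addresses are all constructed for this example and are not a real Windows export format.

```python
"""Detect RDP brute-force and password-spray patterns in Windows Security
event records (Event ID 4625 = failed logon, LogonType 10 = RemoteInteractive).

All sample records below are constructed for this example. The simplified
"key=value" line format, user names and IP addresses are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one fast burst from 203.0.113.5, one slow spray
# against 'administrator' from four more sources, plus benign noise.
SAMPLE_EVENTS = """\
2019-07-15T10:00:01Z 4625 LogonType=10 User=administrator Src=203.0.113.5
2019-07-15T10:00:03Z 4625 LogonType=10 User=administrator Src=203.0.113.5
2019-07-15T10:00:05Z 4625 LogonType=10 User=admin Src=203.0.113.5
2019-07-15T10:00:07Z 4625 LogonType=10 User=test Src=203.0.113.5
2019-07-15T10:00:09Z 4625 LogonType=10 User=user Src=203.0.113.5
2019-07-15T10:00:11Z 4625 LogonType=10 User=guest Src=203.0.113.5
2019-07-15T10:05:00Z 4625 LogonType=10 User=administrator Src=198.51.100.10
2019-07-15T10:20:00Z 4625 LogonType=10 User=administrator Src=198.51.100.11
2019-07-15T10:35:00Z 4625 LogonType=10 User=administrator Src=198.51.100.12
2019-07-15T10:50:00Z 4625 LogonType=10 User=administrator Src=198.51.100.13
2019-07-15T11:00:00Z 4625 LogonType=3 User=svc-backup Src=10.0.0.7
2019-07-15T11:30:00Z 4624 LogonType=10 User=jsmith Src=10.0.0.20
2019-07-15T11:31:00Z 4625 LogonType=10 User=jsmith Src=10.0.0.20
"""


def parse_events(text):
    """Parse '<timestamp> <event_id> Key=Value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(fields["LogonType"]),
            "user": fields["User"].lower(),
            "src": fields["Src"],
        })
    return events


def rdp_failures(events):
    """Keep only failed RDP logons: 4625 with LogonType 10."""
    return [e for e in events if e["event_id"] == 4625 and e["logon_type"] == 10]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding
    window. Returns {src: peak_count_in_window}."""
    by_src = defaultdict(list)
    for e in rdp_failures(events):
        by_src[e["src"]].append(e["time"])
    findings = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold:
                findings[src] = max(findings.get(src, 0), count)
    return findings


def detect_spray(events, min_sources=3, window=timedelta(hours=1)):
    """Flag accounts that fail RDP logon from >= min_sources distinct IPs
    inside a sliding window: the low-and-slow, many-source pattern that a
    per-IP threshold alone misses. Returns {user: peak_distinct_sources}."""
    by_user = defaultdict(list)
    for e in rdp_failures(events):
        by_user[e["user"]].append((e["time"], e["src"]))
    findings = {}
    for user, items in by_user.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            sources = {src for _, src in items[start:end + 1]}
            if len(sources) >= min_sources:
                findings[user] = max(findings.get(user, 0), len(sources))
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("failed RDP logons:", len(rdp_failures(evs)))
    print("burst sources:", detect_bruteforce(evs))
    print("sprayed accounts:", detect_spray(evs))
```

On the constructed sample the burst detector flags only 203.0.113.5, while the spray detector flags the `administrator` account, which no single source hits often enough to trip the per-IP threshold. The LogonType filter matters: a service account failing a network logon (type 3) or a successful logon (4624) is noise for this purpose. In a real deployment the thresholds and windows should be tuned against the server's normal failure rate, and both findings should feed the same alert, since attackers who rotate source addresses are exactly the ones the first rule cannot see.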

Our recommendation is that businesses NEVER expose the RDP protocol to the public Internet. If you need to remotely manage a server where the only access is via the Internet, we recommend that you connect to that remote network via a VPN. This will put you on a private network that is not visible to the Internet. From this private network it is safe to RDP into the server to remotely manage it.

Information for this post came from a private FBI alert.  This alert can be provided to clients on request.