© Cyberfreek Industries, LLC 1997-2024. All rights reserved.
RDP attacks on the rise again

With the Covid-19 scare in place, many companies are allowing their workers to work from home.  Many of them were not prepared for this, so they instituted a highly insecure plan: opening up RDP access directly into their network so that employees can work from home.

 

It's very easy to allow port 3389, both TCP and UDP, through a firewall.  But when you open these ports, you also open your company up to being directly attacked.  RDP is the Remote Desktop Protocol, formerly known as Windows Terminal Services Client.  Windows allows up to 2 connections to a Server and to a Desktop.  There are ways to increase this, but that is not the aim of this article.  RDP is inherently insecure.

Microsoft states that there has been a huge uptick in the number of RDP attacks: the average was 200,000 per day, but after March 10, 2020 the number spiked upwards to 800,000.  They state that the average eventually hit somewhere around 1.4 million attacks per day!  It is believed that the high number of attacks could be related to bot networks (botnets).

 

Some tips for all of you on this:

  1. Never allow traffic on port 3389, UDP or TCP, through your firewall.
  2. Limit RDP to only internal traffic, NEVER from external or from the Internet.
  3. If you do not use RDP, disable it.
  4. RDP can be brute forced so use it carefully.
  5. If you really need to gain access to the Company or Corporate Environment, use a VPN.  Tell workers to be patient while one is set up.  Many Firewall and Gateway Router manufacturers have a VPN service easily configured.
  6. Monitor the VPN and RDP connections!  This should be a standard monitoring event for your SIEM and IDS systems.
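
As a sketch of the monitoring in tips 4 and 6, the following added example (not from the original article) scans Windows logon events for repeated failed RDP logons from one source and for successful RDP logons from outside the internal network. The record field names, the internal ranges, the threshold and the sample events are assumptions made for illustration; event IDs 4624/4625 and logon type 10 are the standard Windows Security log values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: these RFC 1918 ranges are the "internal" networks; adjust to your site.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAILED, SUCCESS = 4625, 4624   # Windows Security event IDs: failed / successful logon
RDP_LOGON_TYPES = {3, 10}      # 10 = RemoteInteractive; NLA failures are often logged as 3

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def find_rdp_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Return (kind, source_ip, detail) alerts; event field names are hypothetical."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["time"]):
        src = ev["src_ip"]
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        if ev["event_id"] == FAILED:
            q = recent[src]
            q.append(ev["time"])
            while ev["time"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, f"{len(q)} failures in {window}"))
        elif ev["event_id"] == SUCCESS and ev["logon_type"] == 10 and not is_internal(src):
            # Tip 2: RDP sessions should only ever originate from internal addresses.
            kind = "external_login_after_failures" if src in flagged else "external_login"
            alerts.append((kind, src, ev["user"]))
    return alerts

def sample_events():
    """Constructed sample data using documentation IP ranges, not real logs."""
    t0 = datetime(2020, 4, 1, 3, 0, 0)
    ev = [{"time": t0 + timedelta(seconds=10 * i), "event_id": FAILED, "logon_type": 3,
           "src_ip": "203.0.113.50", "user": "administrator"} for i in range(6)]
    ev.append({"time": t0 + timedelta(minutes=2), "event_id": SUCCESS, "logon_type": 10,
               "src_ip": "203.0.113.50", "user": "administrator"})
    ev.append({"time": t0, "event_id": SUCCESS, "logon_type": 10,
               "src_ip": "10.1.2.3", "user": "alice"})
    ev.append({"time": t0, "event_id": FAILED, "logon_type": 10,
               "src_ip": "192.168.1.20", "user": "bob"})
    return ev

if __name__ == "__main__":
    for alert in find_rdp_alerts(sample_events()):
        print(alert)
```

A successful external logon that follows a burst of failures from the same address is the highest-priority alert here, since it suggests the brute force worked.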