Jump in vulnerable RDP ports is leaving networks open to hacking and cyberattacks

Analysis suggests there's been a huge rise in insecure internet-facing RDP ports just waiting for cyber criminals to exploit - but you can protect your employees by doing these things.
Written by Danny Palmer, Senior Writer

There's been a big increase in cyberattacks targeting Microsoft's Remote Desktop Protocol (RDP) as criminals look to exploit the rise in working from home as a result of the coronavirus and social-distancing measures.

RDP is a key component of enabling remote work, allowing employees to connect to their organisation while outside the four walls of their office, and continue their jobs as normally as possible while working in lockdown.

However, RDP ports are often left exposed to the internet, making them a valuable target for malicious hackers looking to find a weak point to gain entry to an enterprise network.

According to analysis by cybersecurity researchers at McAfee, there's been a spike in RDP ports facing the open internet, growing from around three million in January to more than four and a half million in March.

Researchers warn that finding the public-facing ports is as simple as using Shodan, the search engine that allows users to look for Internet of Things and other connected devices.

Most of the searchable systems are running Windows Server, but there are also others using other Microsoft operating systems, particularly Windows 7.

And while there are vulnerable remote ports all around the world, the United States and China have the most exposed systems, at around 1.3 million each, according to McAfee.

The most common way for attackers to breach remote systems is by exploiting weak passwords. Researchers note that some of the most common passwords for RDP systems include 'password', 'admin' and 'NULL' – but also warn that in some cases, the systems don't have a password at all, providing attackers with an extremely easy way of getting in.

For those who don't want to do the brute force work themselves, there are also a number of underground forums where cyber criminals are selling on compromised credentials to other users – and researchers note that the number of RDP credentials being put up for sale in these marketplaces is on the rise.

However the vulnerable ports are compromised, cyber criminals can use them for their own ends in a number of different ways. The attacks can be relatively basic, such as using compromised accounts to send spam emails, or using RDP access as a means of monitoring emails to collect sensitive information and personal data.

There's also the potential for the compromised entry point to be used as a means of distributing malware or even ransomware onto the internal network.

But there are ways to secure RDP without preventing people from being able to use it. Ensuring that users are using a strong, unique password can help prevent hackers from using brute force attacks, while applying multi-factor authentication acts as an additional barrier to compromise even if the password is guessed or stolen.

Organisations should also ensure that RDP is patched with the latest security updates, so attackers can't exploit known vulnerabilities in an effort to gain access.
