{"id":14971,"date":"2014-06-27T15:36:09","date_gmt":"2014-06-27T15:36:09","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2145"},"modified":"2023-10-10T12:26:47","modified_gmt":"2023-10-10T16:26:47","slug":"a-multiheaded-battering-ram-rdp-bruteforce-attacks-on-the-rise","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/a-multiheaded-battering-ram-rdp-bruteforce-attacks-on-the-rise\/14971\/","title":{"rendered":"A multiheaded battering ram: RDP Bruteforce attacks on the rise"},"content":{"rendered":"<p>Early in June, Kaspersky Lab rolled out an update for its products which includes an Intrusion Detection System, and it can now detect RDP (Remote Desktop Protocol) brute-force attack attempts. The statistics gathered since then look pretty much \u201csunless\u201d: tens of thousands of victims, and over 1,000 unique detections each day since June 3rd. A number of possible attackers have already been identified, but the investigation is ongoing. IDS detects this type of attack as Bruteforce.Generic.RDP.<\/p>\n<p>Remote Desktop Protocol is Microsoft\u2019s proprietary protocol that provides a user with a graphical interface to connect to another computer over a network connection. It\u2019s widely used by system administrators to control servers and other PCs remotely, and occasionally by ordinary (okay, advanced!) users too.<\/p>\n<p>A <a href=\"http:\/\/en.wikipedia.org\/wiki\/Brute-force_attack\" target=\"_blank\" rel=\"noopener nofollow\">brute-force attack<\/a> has its peculiar name for a reason: it consists of systematically checking all possible keys or passwords until the correct one is found (which is brutishly primitive). It requires formidable computing power, but in turn it can be used successfully against almost any encrypted data, except data encrypted in an information-theoretically secure manner (Wikipedia has a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Information-theoretically_secure\" target=\"_blank\" rel=\"noopener nofollow\">layman-comprehensible explanation of this<\/a>).<\/p>\n<p>Still, when it comes to short passwords, this method can be fast and easy, especially when good computing resources are available and the passwords are weak (the weakest being simple dictionary words). It\u2019s less effective against longer and more complex passwords, but again, with distributed resources (a large botnet, for instance) it\u2019s relatively easy to crunch passwords, and in numbers.<\/p>\n<p>Last year we saw a wide-scale brute-force attack on WordPress admin consoles: someone behind a massive botnet launched a \u201cgut check\u201d of users\u2019 passwords. The bombardments were so heavy that they had the effect of plain DDoS attacks.<\/p>\n<p>Now (and, apparently, for quite a long time already) it\u2019s RDP that is actively targeted with brute-force attacks.<\/p>\n<p>Although developed by Microsoft, RDP clients are available for all the most widely used modern OSes, including Linux, Unix, OS X, iOS and even Android. Server software exists for Windows, Unix and OS X. By default, the server listens on TCP port 3389 and UDP port 3389.<\/p>\n<p>Hacking an RDP connection is very lucrative: once an attacker gets a login-password pair for RDP, he or she effectively owns the system where the RDP server is installed. Attackers can then plant malicious software on the affected system, exfiltrate data, etc. They can also gain access to your company\u2019s internal network, given that the \u201cpenetrated\u201d workstation is connected to it, or check out all of the passwords saved in the browser installed on the affected system. The opportunities are many, and the consequences can be dire.<\/p>\n<p>Criminals are well aware of this. There is already a handful of off-the-shelf software purposed for cracking RDP login-password pairs \u2013 ncrack and Fast RDP Brute, for instance.<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/06\/06020034\/1-1.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-5271\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/06\/06020034\/1-1.png\" alt=\"1\" width=\"975\" height=\"173\"><\/a><\/p>\n<p>As the screenshot shows, the interface of Fast RDP Brute is very straightforward and simple. Only one thing shown there is wrong: the \u201cgood\u201d pair \u201cadmin:admin\u201d is actually <a href=\"https:\/\/business.kaspersky.com\/the-splendors-and-miseries-of-passwords-on-the-web\/\" target=\"_blank\" rel=\"noopener nofollow\">as bad as it gets<\/a>. :-)<\/p>\n<p style=\"text-align: left\">And here is what the statistics on RDP attacks on our users look like:<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/06\/06020033\/2-1.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-5272\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/06\/06020033\/2-1.png\" alt=\"2\" width=\"975\" height=\"496\"><\/a><\/p>\n<p>As we can see, the Russian Federation and the United States are the most attacked countries overall, followed by Turkey. Western European countries are under fire too, as is Brazil.<\/p>\n<p>About 64% of the targets are servers, which is no surprise either.<\/p>\n<p>Attackers usually don\u2019t choose specific targets from the start. First they launch wide-scale campaigns in order to gather a most likely lengthy list of vulnerable targets, which they then sort by potential value. Still, hijacking a server is a much more lucrative result than infecting a lowly ten-year-old Windows XP PC. While both can be used to relay spam or launch DDoS attacks, owning a server means getting much more computing power and broader communication channels, as well as, potentially, total control over all outgoing and incoming traffic. And that is something to go for in the case of a targeted attack on the business to which this server belongs.<\/p>\n<p>Apparently there\u2019s just one way to counter such attacks: choose passwords wisely, and change them often.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky Lab&#8217;s Intrusion Detection System now detects RDP brute-force attack attempts, and the statistics gathered since early June look quite displeasing.<\/p>\n","protected":false},"author":2706,"featured_media":39375,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[2122,2123,2124],"class_list":{"0":"post-14971","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-brute-force-attack","10":"tag-intrusion-detection-systems","11":"tag-rdp"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/a-multiheaded-battering-ram-rdp-bruteforce-attacks-on-the-rise\/14971\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/a-multiheaded-battering-ram-rdp-bruteforce-attacks-on-the-rise\/14971\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/a-multiheaded-battering-ram-rdp-bruteforce-attacks-on-the-rise\/14971\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/brute-force-attack\/","name":"brute force attack"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14971","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=14971"}],"version-history":[{"count":6,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14971\/revisions"}],"predecessor-version":[{"id":39376,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14971\/revisions\/39376"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/39375"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=14971"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=14971"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=14971"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}