

Late on a Saturday evening, a physical security company in the US was targeted by an attack after cyber-criminals exploited an exposed RDP server. By Sunday, all the organization’s internal services had become unusable. This blog will unpack the attack and the dangers of open RDP ports.

With the shift to remote working, IT teams have relied on remote access tools to manage corporate devices and keep the show running. Remote Desktop Protocol (RDP) is a Microsoft protocol which enables administrators to access desktop computers. Since it gives the user complete control over the device, it is a valuable entry point for threat actors.

‘RDP shops’ selling credentials on the Dark Web have been around for years. xDedic, one of the most notorious crime forums which once boasted over 80,000 hacked servers for sale, was finally shut down by the FBI and Europol in 2019, five years after it had been founded. Selling RDP access is a booming industry because it provides immediate entry into an organization, removing the need to design a phishing email, develop malware, or manually search for zero-days and open ports. For less than $5, an attacker can purchase direct access to their target organization.

In the months following the COVID-19 outbreak, the number of exposed RDP endpoints increased by 127%. RDP usage surged as companies adapted to teleworking conditions, and it became almost impossible for traditional security tools to distinguish between the daily legitimate application of RDP and its exploitation. This led to a dramatic spike in successful server-side attacks. According to the UK’s National Cyber Security Centre, RDP is now the single most common attack vector used by cyber-criminals – particularly ransomware gangs.

Breakdown of an RDP compromise

Initial intrusion

In this real-world attack, the target organization had around 7,500 devices active, one of which was an Internet-facing server with TCP port 3389 – the default port for RDP – open. In other words, the port was configured to accept network packets. Darktrace detected a successful incoming RDP connection from a rare external endpoint, which utilized a suspicious authentication cookie.
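The detection described in this post (a successful inbound RDP session to port 3389 from a rare external endpoint) can be approximated from ordinary connection logs. The script below is an added example, not Darktrace's code and not part of the original post; it assumes a constructed log format and treats the RFC 1918 ranges as the organization's internal address space.

```python
import ipaddress
from collections import Counter

# Organization's own address ranges (an assumption for this example; adjust to the real estate).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_PORT = 3389

# Constructed sample records (not from the post): timestamp, source, destination, dst port, outcome.
# External sources use RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2020-08-01T10:00:00 10.20.1.15 10.20.0.5 3389 success
2020-08-03T09:00:00 198.51.100.23 10.20.0.5 3389 success
2020-08-05T09:10:00 198.51.100.23 10.20.0.5 3389 success
2020-08-08T22:58:00 203.0.113.7 10.20.0.5 3389 fail
2020-08-08T22:58:03 203.0.113.7 10.20.0.5 3389 fail
2020-08-08T22:59:10 203.0.113.7 10.20.0.5 3389 success
2020-08-08T23:16:00 10.20.1.40 10.20.0.5 443 success
"""

def parse_records(text):
    """Parse whitespace-separated connection records into dicts."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, outcome = line.split()
        rows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "outcome": outcome})
    return rows

def is_internal(addr):
    """True when the address falls inside one of the organization's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def rare_external_rdp_logins(records, min_prior=1):
    """Flag successful inbound RDP sessions from an external source that has fewer than
    `min_prior` earlier successful RDP sessions in the log. Each alert also records how
    many failed attempts that source made before it succeeded (context for triage)."""
    successes, failures, alerts = Counter(), Counter(), []
    for r in records:
        if r["port"] != RDP_PORT or is_internal(r["src"]):
            continue  # only inbound RDP from outside the estate is of interest here
        if r["outcome"] == "fail":
            failures[r["src"]] += 1
            continue
        if successes[r["src"]] < min_prior:
            alerts.append({"ts": r["ts"], "src": r["src"], "dst": r["dst"],
                           "prior_failures": failures[r["src"]]})
        successes[r["src"]] += 1
    return alerts

if __name__ == "__main__":
    for a in rare_external_rdp_logins(parse_records(SAMPLE_LOG)):
        print(f"{a['ts']} rare external RDP login {a['src']} -> {a['dst']} "
              f"after {a['prior_failures']} failed attempts")
```

The second session from 198.51.100.23 is not flagged because that source already has a successful session in the baseline, which is the kind of established remote-admin access the post says traditional tools cannot tell apart from abuse.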
