Hacker forums and the tech press are abuzz with news of a tool that lets attackers target the Remote Desktop Protocol (RDP) on servers. RDP is commonly used to administer remote servers and relies on well-known ports being left open so that they can be reached. Our friends at cybersecurity firm Secarma explain what the attack is and, more importantly, how we can protect against it.
This type of attack is technically nothing new, as we saw with the Morto worm of 2011, but the frequency of these attacks seems to have skyrocketed recently.
The attacks appear to be based on a simple methodology:
What is the attack trying to do?
A brute-force attack on the RDP server, if successful, gives the attacker a connection to it.
As there are no reports of successful breaches yet, we cannot definitively say what the motives behind the attacks are. Similar attacks in the past suggest that infected servers could be used to launch further attacks and so spread the infection. However, the access could also be used to install other malware or ransomware.
This port and attack method were used by the famous Zeus botnet which, together with its variants, is still responsible for more than 56% of all botnet infections.
With this type of attack, Windows Server 2003 machines may also suffer memory exhaustion that causes them to reboot, while Windows Server 2008 and later fill their log files. Note, though, that this type of attack is not aimed at Windows servers only, as it is an IP-based attack.
How can we protect against it?
As with any emerging threat, there are certain measures and precautions that those running RDP on their servers can take.
Successful logins give the attacker access to the drives of that server (via the shares \\tsclient\c and \\tsclient\d). This may give them access not only to the content of the server but potentially also to other parts of your solution that are usually hidden from external connections, e.g. local backups and development areas.
The good news is that there is plenty that can be done to protect yourself from these types of attack:
The reliance on computers and the use of online technologies is growing exponentially. This means more unattended servers and a greater reliance on monitoring systems. Be proactive: check on your servers regularly and perform log analysis to see who is doing what on them. If you are not sure, speak to an expert who can help.
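As an added illustration of the log analysis suggested above (this is not code from Secarma or from the original article), the following Python script scans constructed Windows failed-logon events (Event ID 4625) exported as CSV and flags any source address that fails RDP logons a set number of times within a short window. The column names, the threshold, and the sample addresses and usernames are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows failed-logon events (Event ID 4625) exported as CSV.
# Logon type 10 is RemoteInteractive (RDP); when Network Level Authentication is
# enabled the failures often surface as logon type 3 (Network), so both are kept.
SAMPLE_EVENTS = """\
time,event_id,logon_type,user,source_ip
2012-03-01T02:00:01,4625,10,administrator,198.51.100.7
2012-03-01T02:00:02,4625,10,admin,198.51.100.7
2012-03-01T02:00:03,4625,10,backup,198.51.100.7
2012-03-01T02:00:04,4625,3,sa,198.51.100.7
2012-03-01T02:00:05,4625,10,administrator,198.51.100.7
2012-03-01T02:00:06,4625,10,test,198.51.100.7
2012-03-01T02:05:00,4625,10,jsmith,203.0.113.9
2012-03-01T02:07:00,4624,10,jsmith,203.0.113.9
2012-03-01T03:10:00,4625,10,administrator,198.51.100.7
"""

RDP_LOGON_TYPES = {"3", "10"}

def find_bruteforce_sources(csv_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (peak_failures_in_window, sorted usernames tried)} for
    every source that produced at least `threshold` failed RDP logons in any window."""
    failures = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] != "4625" or row["logon_type"] not in RDP_LOGON_TYPES:
            continue  # successful logons and non-RDP logon types are ignored
        failures[row["source_ip"]].append((datetime.fromisoformat(row["time"]), row["user"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # slide the window start forward until all events in it fall within `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = (peak, sorted({u for _, u in events}))
    return flagged

if __name__ == "__main__":
    for ip, (count, users) in find_bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {count} failed RDP logons in one minute, usernames tried: {users}")
```

A single failed logon from a legitimate user (203.0.113.9 in the sample) stays below the threshold, while the rapid run of guesses against several account names is reported along with the usernames tried, which is the pattern to look for before deciding on blocking or lockout.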