Brute force attacks increasing on open RDP ports

Ever watch a procedural cop show where the lead detective is some kind of password savant? Then you know this scene: The detective walks into a suspect’s apartment, finds a locked computer, and, after his partner complains they’ll need NSA hackers to get in, cracks the tricky password in a single try. While I love a good Hollywood cybersecurity gaffe, the truth is Detective Special Skills actually would have a decent chance at getting into that computer if he knew the suspect’s name and attempted using a few of the most popular default passwords today. (I’m looking at you, 1-2-3-4-5.)

But let’s say this suspect is a little more tech savvy and has a stronger, unique password in place. That’s game over, right? No getting in? Unfortunately for us good guys trying to protect our personal or business data, the answer is no. By using brute force attacks that automate trial and error, cybercriminals are able to run thousands or even millions of username and password combinations until they crack the code for credentials.

COVID-19’s grip on the global workforce has remained tight for nearly three quarters, keeping the majority of corporate employees — including technicians, security, and IT staff — confined to their homes. The repercussions of ongoing work-from-home conditions continue to be felt, especially a generally weaker security posture for all organizations, the natural result of having a distributed workforce. One such repercussion is a massive increase in open RDP ports, from 3 million in January 2020 (pre-Covid) to 4.5 million in March (post-Covid).

Cybercriminals of course pounced immediately, and to our detriment, they keep throwing everything they’ve got at us. COVID-19 misinformation, scams, social engineering laced with malware, Emotet and more of its friends, digital card skimmers, targeted ransomware attacks, and now brute force attacks, which themselves are methods of endless, everything-but-the-kitchen-sink attack.

Brute force attacks are typically automated or conducted via application, which allows threat actors to “set it and forget it,” coming back to their target once the app notifies them of a successful crack of the desired credentials. And lately, they’ve been cracking open a lot of RDP ports, exposed to the Internet so that remote workers can access company resources from home or IT staff can troubleshoot employee devices remotely.

Once cybercriminals have brute forced their way into an open RDP port, they can launch ransomware attacks, install keyloggers or other spyware on target organizations, or conduct espionage or extortion — pretty much a nightmare scenario. To protect against brute force attacks and shield RDP ports, I recommend:

  • Limiting the number of open ports
  • Restricting access to RDP ports to only those that need it
  • Enhancing security of the port and the protocol (with security software that blocks malicious IPs from compromised servers, for example)
  • For remaining RDP port users, disabling legacy usernames, rotating passwords, and enabling 2FA

At Malwarebytes, we’re now exploring new protective features to combat rising brute force attacks on open RDP ports. Stay tuned for some news on that soon!

To learn more about brute force attacks on the rise and how to protect open RDP ports, read our blog on Malwarebytes Labs:

For advice on how to protect RDP access from ransomware attacks:

And for a refresher on best security practices for all work-from-home employees:


Covid fatigue causes careless behavior, endangers online safety

Because it’s not bad enough that we’ve had to shelter in place, shut down businesses, and stay away from friends and families for months. Now we learn that our natural response to this stress — a type of emotional exhaustion medical professionals call Covid fatigue — puts us in danger, too. Great. Might as well give up now.

The above paragraph is a meta example of Covid fatigue… or at least the beginnings of it. The defeatist attitude is a telltale symptom of this type of fatigue, which should not be mistaken for the fatigue that can sometimes be a symptom of Covid-19 infection. Covid fatigue is instead defined as feeling overwhelmed and exhausted by the conditions brought on by the pandemic and the ever-changing list of rules to follow in order to stay safe.

Those with Covid fatigue are less likely to follow basic social protocols for protecting against the virus. And that, unfortunately, spills over into their online habits as well.

For many of you in IT and security, a lightbulb may have already flickered on. Covid fatigue sounds awfully similar to security fatigue or alert fatigue. Indeed, it’s the exact same principle. And if you’re catching on to how emotional fatigue can lead to self-destructive behavior online (like reusing passwords or exercising less caution opening emails, for example), then guess who else knows?

The most successful threat actors study user psychology so their social engineering tactics can be believable. And those threat actors have been clued into Covid fatigue for a while now.

It’s most important, then, that IT and security leaders guide their employees in fighting back against possible online attacks, remembering basic security hygiene, and combatting emotional fatigue. The last item may require help from your people operations teams, but will ultimately lead to a happier, healthier workforce with energy in reserves.

There’s so much uncertainty with this virus, and that contributes to Covid fatigue, too. But if there’s one thing we can be sure about, it’s that battling this pandemic — and the one we’re facing online — is a marathon, not a sprint.

Read on to learn how to cope with Covid fatigue and stay safe online:

For background on security fatigue:

To see what Johns Hopkins recommends for fighting Covid fatigue:

On alert/notification fatigue: