Here at SKYNET, we like to keep one step ahead, with innovation, technology, and more importantly – Cyber Security.
Therefore we’ve invested in the ability to perform our own threat hunting and our own analysis of malware and threat actors.
Industry trends of the last 3 years indicate that Remote Desktop Protocol (RDP) is still one of the main vectors of compromise, only just surpassed by Phishing. Because of this, it’s very important to ensure RDP is kept as an internal-only access method, and there are no RDP ports open to the internet.
With more companies working remotely due to COVID-19, some have not had the necessary technology or expertise to allow their employees to work from home safely. The number of RDP ports which have been discovered on the open internet, by the popular threat hunting website shodan.io, has risen from 3,000,000 at the start of 2020 to just under 7,500,000 in 2021.
Undoubtedly this mistake is made for convenience: it is much simpler to open port 3389 to the world than it is to invest time and effort into building a secure remote access solution.
One of the main questions we get asked is ‘but how much of a real threat is it’? So, we decided to back up our answers with some home-grown research! The answers we discovered even surprised us!
We created a honeynet (honeypot network) in one of our lab environments and hooked it up to a standard ADSL connection.
Our results speak for themselves. During a 24-hour period:
- We were attacked 2,211,429 times from 8,734 different IP addresses, spanning 107 countries
- 2 million of these originated from Russia
- 200,000 originated from Europe
- The remainder were from within the USA
We also set a very guessable password of P@55w0rD on our honeypot.
- That password was successfully guessed 788,947 times in 24 hours
- The password was within the first 10,000 attempts of each attack
- The honeynet was activated at 13:00:00 EST; the first successful compromise took place at 13:01:12 EST (72 seconds!)
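The pattern recorded above (a burst of failed logons from one source, then a success a little over a minute after exposure) is exactly what a defender should be alerting on. The following is an added example, not code from the SKYNET lab, that runs that detection over a handful of constructed Windows Security log events; it assumes the standard Windows event IDs (4625 = failed logon, 4624 = successful logon) and logon type 10 (RemoteInteractive, i.e. RDP), and the IP addresses and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, event_id, logon_type, source_ip, account).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP session.
SAMPLE_EVENTS = [
    ("2021-03-01 13:00:05", 4625, 10, "203.0.113.7", "administrator"),
    ("2021-03-01 13:00:06", 4625, 10, "203.0.113.7", "admin"),
    ("2021-03-01 13:00:07", 4625, 10, "203.0.113.7", "user"),
    ("2021-03-01 13:00:08", 4625, 10, "203.0.113.7", "test"),
    ("2021-03-01 13:00:09", 4625, 10, "203.0.113.7", "guest"),
    ("2021-03-01 13:00:30", 4624, 2, "10.0.0.5", "alice"),  # local console logon, not RDP
    ("2021-03-01 13:01:12", 4624, 10, "203.0.113.7", "administrator"),
    ("2021-03-01 13:02:00", 4625, 10, "198.51.100.9", "administrator"),
]

FAIL_THRESHOLD = 5  # hypothetical alerting threshold; tune to your environment


def analyse_rdp_logons(events, threshold=FAIL_THRESHOLD, exposed_at=None):
    """Return (failures per source IP, alerts).

    A "brute_force" alert fires when one source reaches `threshold` failed RDP
    logons; a "compromise" alert fires when a successful RDP logon follows
    failed attempts from the same source, with seconds since `exposed_at`
    (a "%Y-%m-%d %H:%M:%S" string) when that is supplied."""
    start = datetime.strptime(exposed_at, "%Y-%m-%d %H:%M:%S") if exposed_at else None
    failures = defaultdict(int)
    alerts = []
    for ts, event_id, logon_type, src, _user in sorted(events):
        if logon_type != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 4625:
            failures[src] += 1
            if failures[src] == threshold:
                alerts.append(("brute_force", src, failures[src], None))
        elif event_id == 4624 and failures[src] > 0:
            secs = (when - start).total_seconds() if start else None
            alerts.append(("compromise", src, failures[src], secs))
    return dict(failures), alerts


if __name__ == "__main__":
    counts, found = analyse_rdp_logons(SAMPLE_EVENTS, exposed_at="2021-03-01 13:00:00")
    for alert in found:
        print(alert)
```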
In summary, the take-away lesson from this is that it's no longer a question of 'if' you will be compromised with RDP exposed to the internet, but 'when'. All tests were conducted within the bounds of our segregated lab environment, with full knowledge and consent of our ISP. It is imperative that all internet connections are protected by a firewall to prevent any such attack.