Threat Watch

Large Increase in RDP Attacks

In their recently released Q4 2020 report, ESET reports seeing a 768% growth in the amount of Remote Desktop Protocol (RDP) attacks. As more employees than ever worked remotely, resources needed to be made available for them to continue to do their jobs. Unfortunately, in the rush to make these resources available for employees, security best practices were not always followed. Exposing RDP directly to the Internet lets attackers easily discover and profile systems, retrieve usernames, observe when users are logged in, and attempt to guess many passwords over a long period of time. Researchers at ESET saw an increase in brute force attempts, phishing emails created to steal credentials and even a few severe exploits against publicly-exposed RDP systems. ESET explicitly names ransomware as one of the top reasons to pay attention to RDP security. Often deployed as a last stage in other malware infections, ransomware authors in 2020 took full advantage of poorly configured RDP systems to steal and encrypt data. It isn’t all bad news though, as ESET expects RDP-related attacks to decrease in 2021 as more businesses learn how properly secure their environments in a largely remote work environment.


To protect RDP servers, Binary Defense highly recommends never exposing them directly to the Internet unless absolutely necessary. This has the benefit of preventing brute force password attacks and remote exploit attempts. As employees still have a need to connect to these systems remotely, RDP servers can be made available from behind a corporate VPN service. Combining both VPN and RDP with multi-factor authentication (MFA), it becomes much harder for an attacker to use stolen credentials to gain access to any protected resources. Not all employees will require access to remote services, however. To take things even further, access to specific services should be granted on an as-needed basis. This further reduces the chances that stolen credentials can be used to access internal resources as the attacker now needs to compromise specific accounts.