A huge uptick in brute force attacks designed to crack the login credentials of those using remote access tools has been detected by Kaspersky.
This is particularly taking place against firms using Microsoft’s proprietary Remote Desktop Protocol (RDP). Staring in March the average daily number of attacks against RDP accounts skyrocketed in almost every country that has been heavily impacted by COVID-19 and thus has a new WFH population.
“Attacks of this type are attempts to brute-force a username and password for RDP by systematically trying all possible options until the correct one is found. The search can be based on combinations of random characters or a dictionary of popular or compromised passwords,” Kaspersky said.
In the United States attacks had averaged about 200,000 per day for March, but on March 10 spiked to 800,000 and eventually topping out at 1.4 million attempts on April 7. Spain, France, Italy, Germany, Russia also similar patterns emerge. Kaspersky is not sure why the jump took place on March 10.
"It's hard to say why March 10 was the day when it all started, but possibly it doesn't have any logical explanation. As for the technical means used by the attacker, it's likely that some bot-net is involved, since malicious hosts are scattered worldwide. We are still investigating this question," Dmitry Galov, Kaspersky security researcher.told SC Media.
Despite being at the epicenter of the virus, China has not experienced a similar increase in attacks. This is due to the fact its population did not begin working from home in large numbers.
Kaspersky recommended some steps that can help protect against these attacks:
- At the very least, use strong passwords.
- Make RDP available only through a corporate VPN.
- Use Network Level Authentication (NLA).
- If possible, enable two-factor authentication.
- If you don’t use RDP, disable it and close port 3389.