Security vulnerabilities in the Remote Desktop Protocol (RDP)

René Wagenhäuser
Login for Remote Desktop Protocol

More and more companies are turning to mobile working for their employees in order to reduce their commute, offer flexibility and be able to recruit skilled workers regardless of location. Here, the Remote Desktop Protocol (RDP) can be tempting as a simple solution, but unfortunately also offers an extremely risky attack surface for the corporate network.

The majority of users at large corporations, for example, connect to the company network from home or on the road using secure VPN access. This means that unprotected, external access to the IT systems via the RDP protocol is not necessary. The employee nevertheless receives protected access to the data via the private tunnel. However, this is not the case with many small and medium-sized companies. Here, the standard port 3389 of the Microsoft Windows RDP protocol is sometimes negligently released to the individual server systems externally, i.e. to the Internet. This is a found food for hackers and cyber attackers. When companies increasingly focus on opportunities for mobile working and disregard security, the security gaps are exploited particularly shamelessly.

In recent years, the modus operandi of hackers and cyber attackers has largely changed and the focus is almost entirely on network access via RDP. Thus, the RDP protocol is still a valid cause of sleepless nights for IT department staff.

Sophos study shows serious security gaps

Leading security provider Sophos has completed its study "RDP Exposed: The Threat That's Already at your Door" ( and published the long-term results. In it, Matt Boddy, security specialist at Sophos and leader of the study, explains: "Recently, a remote code execution flaw in RDP - called BlueKeep (CVE-2019-0708) - has made headlines". For the specialist, this is a serious vulnerability. It can be used to trigger a ransomware wave that could spread worldwide within hours. He adds: "Securing against RDP threats goes far beyond patching systems against BlueKeep, because this is just the tip of the iceberg. IT managers also need to pay much more attention to RDP. Because as our study shows, cyber criminals attack all potentially vulnerable computers with RDP by trying to find out the passwords."

Identifying attack methods with honeypots

Sophos's RDP study shows how attackers find RDP-enabled devices shortly after they appear on the internet. As a demonstration, Sophos used ten geographically distributed honeypots, i.e. computer systems or network components. These are intended to attract targeted attackers in order to measure and quantify RDP-based risks. They can be used to study attack methods, distract from other systems or set a trap for hackers. All ten honeypots received their first RDP login attempt within one day and logged a total of 4,298,513 failed login attempts over a 30-day period. This equates to one attack attempt every six seconds! Sophos's study also shows that cyber criminals have their own tools and techniques to track down open RDP sources. They do not only rely on websites of reputable, centralised third-party security providers (e.g. Shodan) or already known databases from the darknet.

Read passwords with pattern

Sophos has identified three different attack patterns based on the study conducted:

The ram is a strategy aimed at hacking the passwords of administrator users, often set up by default. One example from the study shows that an attacker made 109,934 login attempts to a honeypot placed in Ireland over the course of ten days to gain access. Three default admin usernames were targeted.

The swarm is a strategy that uses sequential usernames and a finite number of the worst passwords. An example from the study: an attacker was registered in Paris using the username ABrown nine times in 14 minutes, followed by nine more attempts with the username BBrown, then with CBrown, followed by DBrown and so on.

The pattern was repeated with A.Mohamed, AAli, ASmith and others. The hedgehog is characterised by high activity followed by longer periods of inactivity. An example in Brazil showed that each spike (accumulation of attack attempts) generated by a particular sender IP address lasts for about only four hours and consists of 3,369 to 5,199 password attempts each. Often, these waves are also detected during low-load periods, for example, when companies' systems, networks and firewalls cannot be monitored by active IT staff at night.

All honeypots were detected within a few hours just because they were visible on the internet via RDP.


Prevent security gaps

The basic solution approach is to reduce the use of RDP as much as possible or to provide secured VPN access. If RDP use cannot be reduced, it should be ensured that users are only allowed limited access from the outside (internet). With RDP, admin accounts are particularly critical. In addition, all passwords should be defined by the highest security levels (defined by length and complexity) in the organisation. Furthermore, RDP ports should be blocked from the outside and only released for specific, known and documented source networks.

René Wagenhäuser
René Wagenhäuser
Teamlead IT-Services

The authorized signatory and state-certified electrical engineer specializing in data processing technology has been responsible for IT infrastructure, logistics IT and digitization for over 15 years. It is particularly important to him that systems integrate flexibly and agilely into the customer's IT landscape.

Add a comment

Please calculate 5 plus 9.