Malicious RDP Behavior Detected in 90% of Organizations

A new study has found that hackers are exploiting a popular remote working tool to attack almost all the companies that use it. 

The Remote Desktop Protocol (RDP) has become a virtually indispensable part of modern business operations, as it allows users to control systems from afar without losing any functionality. 

Research published today by Californian tech firm Vectra has revealed suspicious RDP behaviors in 90% of companies using RDP, with organizations in the manufacturing, finance and insurance, retail, government, and healthcare industries identified as being most at risk of attack.

Researchers used Vectra's Cognito platform to monitor metadata collected from network traffic between more than four million workloads and devices in customer cloud, data centers, and enterprise environments between January and June 2019. 

During the six-month period, the platform detected 26,800 suspicious RDP behaviors. The true number may be higher, since Cognito was configured to detect only two specific behaviors. The first is repeated failed attempts to establish an RDP connection to a workload or host, and the second is a successful connection with unusual characteristics; for example, a connection to a host that is normally reached from an English-language keyboard being made instead from a French keyboard.
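The two behaviors described above can be approximated from ordinary RDP connection logs. The Python below is an added example, not Vectra's code or the study's method: the log format, field names, thresholds and sample records are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample RDP connection records (not real data): time, source,
# destination, outcome, keyboard layout ("-" when the attempt never got that far).
SAMPLE_LOG = """\
2019-03-04T09:00:01 10.0.0.5 10.0.1.20 success en-US
2019-03-04T09:05:10 10.0.0.5 10.0.1.20 success en-US
2019-03-04T10:15:00 10.0.0.7 10.0.1.20 success en-US
2019-03-05T02:00:00 10.0.0.9 10.0.1.20 failure -
2019-03-05T02:00:20 10.0.0.9 10.0.1.20 failure -
2019-03-05T02:00:41 10.0.0.9 10.0.1.20 failure -
2019-03-05T02:01:03 10.0.0.9 10.0.1.20 failure -
2019-03-05T02:01:25 10.0.0.9 10.0.1.20 failure -
2019-03-05T02:04:00 10.0.0.9 10.0.1.20 success fr-FR
"""

def parse(text):
    """Split the whitespace-separated records into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        ts, src, dst, outcome, layout = line.split()
        events.append({"t": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "ok": outcome == "success", "layout": layout})
    return events

def failed_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Detection 1: >= threshold failed attempts from one source to one host inside the window."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[(e["src"], e["dst"])].append(e["t"])
    hits = []
    for (src, dst), times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                hits.append((src, dst, n))
                break  # report each source/host pair once
    return hits

def unusual_keyboard(events, min_history=2):
    """Detection 2: a successful session whose keyboard layout is not the host's usual one."""
    layouts = defaultdict(Counter)
    for e in events:
        if e["ok"]:
            layouts[e["dst"]][e["layout"]] += 1
    # usual layout per host, only where there is enough history to call anything unusual
    usual = {d: c.most_common(1)[0][0] for d, c in layouts.items() if sum(c.values()) >= min_history}
    return [(e["src"], e["dst"], e["layout"], usual[e["dst"]])
            for e in events if e["ok"] and e["dst"] in usual and e["layout"] != usual[e["dst"]]]
```

On the constructed sample, the burst of failures from 10.0.0.9 trips the first rule and the fr-FR session that follows it trips the second, which is the same pairing of signals the study describes.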

Manufacturing organizations had the highest rate of dodgy RDP detections, with mid-sized operations showing a detection rate twice as high as the industry's average, which was 10 detections per 10,000 workloads and devices.

Together, the finance and insurance, manufacturing, and retail industries accounted for 49.8% of all suspect RDP detections. 

Alarming as the findings are, they come as no surprise to Vectra's head of security, Chris Morales, who told Infosecurity Magazine: "RDP is so widely used in different organizations that a high rate of misuse is inevitable. It's used in multiple forms of attacks as attackers look to hide from detection.

"The rate of detection in the six-month period is consistent with what Vectra has monitored over an extended period of time. RDP is a regular occurrence in attacks and a staple tool of the attackers' toolkit."

Despite the cybersecurity risk posed by RDP, Morales foresees no sunset on the tool's use. He told Infosecurity Magazine: "The business value delivered by RDP will ensure its continued use, and it will therefore continue to represent significant risk as an exposed attack surface."

Asked if we should all ditch the internet and go back to using fax machines, Morales said: "I do not think so. We just need to be more diligent in how we use services and thoughtful in their implementation."
