RDP Attacks and the Organizations They Target

September 25, 2019
Vectra AI Security Research team

The Remote Desktop Protocol (RDP) is a method for connecting to and controlling computers over the Internet. RDP became a default feature of Windows operating systems in 1996 and has since become a popular tool in the professional world.

The benefits of using RDP in the workplace are immense. Bankers can access financial databases while they're out to dinner with clients, factory technicians can monitor a facility from halfway across the globe, and nurses can check patients' records on an iPad. However, as with any tool, RDP can be misused. The trouble with a technology that lets you log into your computer remotely is that cyberattackers can use it to access your devices too.

By analyzing data in the 2019 Black Hat Edition of the Attacker Behavior Industry Report from Vectra, we determined that RDP abuse is extremely prevalent in the real world. 90% of the organizations where the Cognito Platform is deployed exhibited some form of suspicious RDP behaviors from January-June 2019. Manufacturing organizations experienced the highest rate of RDP misuse per every 10,000 host devices, followed by the finance/insurance and retail industries. These three industries alone were responsible for almost half (49.8%) of all suspicious RDP behavior detections.

Figure: Distribution of all suspicious RDP behavior detections by industry

Overall, a substantial amount of RDP abuse was detected in every industry. From month to month, the raw number of RDP abuse detections per industry changed only slightly: the average coefficient of variation for RDP abuse detections per industry was only 18.5%. This suggests that RDP is consistently used as an attack vector rather than in isolated bursts.

Cyberattackers often leverage RDP as a stepping stone when launching their full attacks. For example, the FBI reported that attackers gained entry through RDP when carrying out the CryptON, CrySiS, and SamSam ransomware attacks. RDP can also be used to move laterally through a victim's network and to carry out reconnaissance. Major governmental organizations such as the UK's NCSC, the FBI, and DHS have recommended that organizations reduce employee access to RDP. However, RDP remains so beneficial that reduced use is unlikely in the near future.

To illustrate this point, consider how the manufacturing industry benefits from RDP.

Manufacturers can improve data centralization via RDP. Instead of installing industrial control systems (ICS) on each employee’s computer, organizations can use just one central RDP server with ICS applications installed. This strengthens their security posture because cyberattackers who gain access to a technician's laptop still cannot access the ICS without proper RDP credentials.

Furthermore, RDP saves manufacturers money. Industrial manufacturing systems require close monitoring and frequent modifications. In the past, manufacturing technicians had no choice but to travel between an organization's different production plants in order to monitor all of them, a costly and time-consuming task. RDP changes that. According to Machine Design, studies show that "60% to 70% of machine problems simply require a software upgrade or changes to a few parameters, and these can often be done remotely."

Technicians are now empowered to monitor systems at multiple manufacturing plants at once. The cost savings on this are substantial. HMS Networks, a supplier of industrial communication and industrial IoT solutions, estimates that each trip a technician makes onsite for a machine fix costs $2,200.

RDP will remain an exposed attack surface for the foreseeable future because of its data management and cost-saving advantages. That's why it's so important to monitor RDP usage in real time, so that misuse is detected as soon as it occurs.

For a more detailed study of malicious RDP usage, check out the 2019 Vectra Spotlight Report on RDP.