From the latest round of media reports around state-sponsored hacking, it’s easy to think that Information Security is about sophisticated actors with deep pockets and big credentials, but the fact is that most hacking isn’t even close to that clever. Criminals looking for a quick buck mostly perform attacks using easily exploited vulnerabilities – the equivalent of a smash-and-grab theft. For many small and medium-sized businesses, keeping systems up to date and correctly configured can be a challenge, making them a perfect target.
The key to one of these “drive-by”-style attacks is a longtime product of Windows – the Remote Desktop Protocol (RDP). RDP is a Microsoft-built service that allows offsite users to connect to a server over the internet using their username and password.
Brute force attacks from unsophisticated hackers
By default, RDP listens on an “open” port on the server, which will allow anyone to attempt to connect to it, usually as many times as they want. As a result, hackers who can locate this open port can attempt to “brute force” the server by testing it against the most common usernames and passwords, using automated tools to make thousands of repeated guesses. By hammering away on the same port automatically, using freely available tools, hackers don’t have to be sophisticated or even that technical – they just need time and patience.
“This attack is a bit like some punk kids trying to pick the lock on your front door,” says Graycon Security Consultant Liam Somerville. “These aren’t clever or nuanced people, but you just hope that they don’t get lucky – if they do, they’re going to wreck your house just the same as the smart ones.”
If an attacker manages to gain access to a server using these techniques, they’ll likely install bitcoin miners, launch ransomware attacks, or use the compromised machine as a staging point for further activities.
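The pattern described above (many failed logons from one source, cycling through common account names) is visible in the Windows Security log as Event ID 4625. The following PowerShell is an added example, not code from the original article or from Graycon: it flags any source address that produces a burst of failed logons within a short window. The event data at the bottom is constructed for illustration; Get-FailedRdpLogon shows how to read the real events on a host, and the threshold and window values are assumptions to tune for your environment.

```powershell
# Added example, not from the original article: spot RDP brute-force
# activity by counting failed logons (Security log Event ID 4625) per
# source address inside a sliding time window. The $events used below
# are constructed sample data; Get-FailedRdpLogon shows how to pull the
# real ones on a host.

function Get-FailedRdpLogon {
    # Reads 4625 events and flattens the fields the detector needs.
    # Needs an elevated prompt. LogonType 10 = RemoteInteractive (RDP);
    # LogonType 3 = Network, which is how RDP failures appear when
    # Network Level Authentication is enabled.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $data['TargetUserName']
                SourceIp  = $data['IpAddress']
                LogonType = [int]$data['LogonType']
            }
        }
}

function Find-RdpBruteForce {
    # Flags a source when at least $Threshold failures land within any
    # $WindowMinutes span. A couple of typos from one user never trips it;
    # an automated guesser cycling usernames does. Defaults are assumptions.
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$Threshold = 10,
        [int]$WindowMinutes = 5
    )
    $hits = foreach ($group in ($Events | Where-Object { $_.LogonType -in @(10, 3) } | Group-Object SourceIp)) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
        if ($times.Count -lt $Threshold) { continue }
        # Sliding window over the sorted timestamps: compare each failure
        # with the one ($Threshold - 1) positions later.
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            $span = $times[$i + $Threshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    SourceIp  = $group.Name
                    Failures  = $group.Count
                    Usernames = (@($group.Group.User | Sort-Object -Unique) -join ', ')
                    FirstSeen = $times[0]
                    LastSeen  = $times[-1]
                }
                break
            }
        }
    }
    return @($hits)
}

# --- Constructed sample data (not real log output) ---
$base   = Get-Date '2024-01-10T02:00:00'
$events = @()
# One source cycling five common account names: 30 failures in 3 minutes.
$guesses = 'Administrator', 'admin', 'root', 'user', 'hr'
for ($i = 0; $i -lt 30; $i++) {
    $events += [pscustomobject]@{
        Time = $base.AddSeconds(6 * $i); User = $guesses[$i % $guesses.Count]
        SourceIp = '203.0.113.5'; LogonType = 10
    }
}
# A legitimate user mistyping a password twice in an hour: should not be flagged.
$events += [pscustomobject]@{ Time = $base.AddMinutes(15); User = 'jsmith'; SourceIp = '198.51.100.7'; LogonType = 10 }
$events += [pscustomobject]@{ Time = $base.AddMinutes(50); User = 'jsmith'; SourceIp = '198.51.100.7'; LogonType = 10 }

Find-RdpBruteForce -Events $events | Format-Table -AutoSize
```

On a real host, replace the constructed `$events` with `Get-FailedRdpLogon` and run the detector on a schedule; a flagged source is a candidate for a firewall block, and a long list of distinct usernames from one address is the clearest sign of a premade wordlist rather than a confused user. If the server has many legitimate remote users, raise the threshold rather than the window, since genuine lockouts cluster in time too.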
Three ways to protect yourself from the RDP drive-by
While this kind of attack is ubiquitous online, it’s also relatively easy to avoid. By taking a few steps to protect yourself, you can limit the possibility of these “drive-by” style hacks from breaking through.
1. Disable or restrict access to RDP.
Somerville notes this is the best solution. “With better and more secure systems like Virtual Private Networks (VPNs) in place to allow users to access their systems offsite, RDP is rarely necessary for most users,” says Somerville. “It’s also possible to allow RDP access only to users with VPN enabled.”
2. Rename your Administrator account.
Brute force attacks attempt to guess your credentials by hammering a premade list of the most common usernames and passwords. The password list can have five or five million entries, but username lists are typically shorter, focusing on the most common names for administrator accounts, like Administrator, Root, Admin, HR and User.
By renaming the local administrator account from “Administrator” to a less common name like “LocalAdmin”, the attackers’ lists won’t contain the right combination of username and password to break through.
3. Change your default RDP port.
A Windows-based server can accept RDP connections on any of a mind-boggling 65535 possible ports, but the default port for RDP (3389) is usually left as-is. While this makes it easier for systems to communicate, it means that if you see an open port on 3389, it’s more than likely RDP. Changing the port to a different number makes it harder for hackers to find it in the first place.
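The three steps above can each be applied from an elevated PowerShell prompt on Windows Server 2016 / Windows 10 and later. The script below is an added example, not code from the original article or from Graycon; the VPN subnet, the replacement administrator name and the new port number are assumptions, and every function supports -WhatIf so the changes can be previewed before they are made.

```powershell
# Added example, not from the original article: applies the three RDP
# hardening steps with PowerShell. Run from an elevated prompt.
# The VPN subnet, new admin name and new port below are assumptions;
# adjust them to your environment.

#Requires -RunAsAdministrator

$VpnSubnet    = '10.8.0.0/24'   # assumed: address range your VPN clients use
$NewAdminName = 'LocalAdmin'    # the replacement name used in the article
$NewRdpPort   = 33890           # assumed: any unused port other than 3389

$TsRegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpPath = "$TsRegPath\WinStations\RDP-Tcp"

# Step 1: restrict RDP to the VPN subnet, or disable it outright.
function Restrict-RdpAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$AllowedSubnet, [switch]$DisableEntirely)

    if ($DisableEntirely) {
        if ($PSCmdlet.ShouldProcess('Remote Desktop', 'Disable incoming connections')) {
            Set-ItemProperty -Path $TsRegPath -Name fDenyTSConnections -Value 1
            Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        }
        return
    }
    # Scope the built-in "Remote Desktop" firewall rules so only VPN clients match.
    if ($PSCmdlet.ShouldProcess('Remote Desktop firewall rules', "Limit to $AllowedSubnet")) {
        Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AllowedSubnet
    }
}

# Step 2: rename the built-in administrator account. It is located by its
# well-known RID (500) rather than by name, in case it was renamed before.
function Rename-BuiltinAdministrator {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$NewName)

    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $builtin) { throw 'Built-in administrator account (RID 500) not found.' }
    if ($builtin.Name -eq $NewName) { Write-Verbose "Already named $NewName"; return }
    if ($PSCmdlet.ShouldProcess($builtin.Name, "Rename to $NewName")) {
        Rename-LocalUser -Name $builtin.Name -NewName $NewName
    }
}

# Step 3: move RDP off 3389. The listener port lives in the registry; a
# firewall rule must follow it or the service becomes unreachable.
function Set-RdpPort {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Port, [string]$AllowedSubnet)

    if ($Port -lt 1024 -or $Port -gt 65535) { throw "Port $Port is out of range." }
    if ($PSCmdlet.ShouldProcess('RDP listener', "Change port to $Port")) {
        Set-ItemProperty -Path $RdpTcpPath -Name PortNumber -Value $Port -Type DWord
        New-NetFirewallRule -DisplayName "RDP on $Port (VPN only)" -Direction Inbound `
            -Protocol TCP -LocalPort $Port -RemoteAddress $AllowedSubnet -Action Allow | Out-Null
        # Remote Desktop Services must restart to bind the new port; this
        # drops any active RDP session, so run it from the console.
        Restart-Service -Name TermService -Force
    }
}

function Get-RdpPort {
    (Get-ItemProperty -Path $RdpTcpPath -Name PortNumber).PortNumber
}

Restrict-RdpAccess -AllowedSubnet $VpnSubnet
Rename-BuiltinAdministrator -NewName $NewAdminName
Set-RdpPort -Port $NewRdpPort -AllowedSubnet $VpnSubnet
"RDP now listens on port $(Get-RdpPort); clients connect to <host>:$(Get-RdpPort)"
```

Two practical caveats: renaming the account changes the name an attacker's wordlist must match, but not the account's SID, so step 2 is a deterrent against guessing, not a substitute for a strong password; and a non-default port only hides RDP from the laziest scanners, so steps 2 and 3 work best in combination with step 1, where the firewall refuses anything that did not arrive over the VPN.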
Should you be insecure about your security?
Even if you take the necessary steps to protect yourself from this attack, there are many more vulnerabilities that can pop up if you're not diligent. Take our 5-question Security Quiz to find out if you should break up with your current IT Security plan.