For many employees working from home, remote desktop protocol (RDP) is an essential tool for remotely accessing important digital resources and tools hosted on their organization’s network. When compromised, RDP connections put these employees’ organizations at great risk by giving threat actors access to their most critical resources.
With the rise of compromised RDP addresses as a result of the COVID pandemic, Sixgill Darkfeed now includes compromised RDP addresses within its stream of malicious IOCs. Receiving this information moments after these addresses appear on a dark web forum enables you to block them at an early stage, before they are weaponized and used in an attack against your organization.
How does this new capability help our clients stay safe, and why now? Because RDP enables users to remotely access another computer via a network or the internet, it has become an increasingly important tool in the work-from-home era. But as businesses and organizations became increasingly reliant on RDP earlier this year, many threat actors leapt at the chance to exploit any related vulnerabilities.
Ransomware attacks are one common danger associated with compromised RDP connections, but they are far from the only risk. Moreover, when an organization's RDP servers are compromised, that organization isn't the only one endangered. In addition to enabling threat actors to deploy malware on a targeted system, a compromised RDP server can be used to host a C2 server, malware, or a proxy for a cyberattack against somebody else.
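As an added illustration of the two defensive uses the text above describes (blocking feed entries early, and spotting a compromised RDP server being used as a pivot into your own network), the following example is not Sixgill's or Darkfeed's code. It assumes a hypothetical feed format of one `ip:port` entry per line, a simplified rendering of Windows Security event 4624 (LogonType 10 = RemoteInteractive, i.e. RDP), and nftables-style rule syntax; the feed and log lines are constructed samples using documentation address ranges.

```python
import ipaddress
import re

# Constructed sample of a compromised-RDP IOC feed (hypothetical format, not the
# real Darkfeed schema): one IPv4 "ip:port" entry per line, a comment, one malformed entry.
FEED = """\
# compromised RDP endpoints seen offered for sale (constructed sample)
203.0.113.17:3389
198.51.100.42:3390
not-an-ip:3389
"""

# Constructed, simplified Windows Security log lines (event 4624, LogonType 10 = RDP),
# including one logon whose source is an address from the feed.
LOG_LINES = [
    "EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=203.0.113.17",
    "EventID=4624 LogonType=2 TargetUserName=jdoe IpAddress=127.0.0.1",
    "EventID=4624 LogonType=10 TargetUserName=admin IpAddress=192.0.2.5",
]

def parse_feed(text):
    """Return {ip: port} for well-formed entries; skip comments and invalid addresses."""
    iocs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, port = line.rpartition(":")
        try:
            ip = str(ipaddress.ip_address(host))
        except ValueError:
            continue  # drop malformed entries rather than pushing garbage into a blocklist
        iocs[ip] = int(port) if port.isdigit() else 3389  # default to the RDP port
    return iocs

def firewall_rules(iocs):
    """Render one outbound-deny rule per IOC (nftables-style syntax, assumed)."""
    return [f"ip daddr {ip} tcp dport {port} drop" for ip, port in sorted(iocs.items())]

def rdp_logons_from_iocs(lines, iocs):
    """Return (user, source_ip) for RDP (LogonType 10) logons whose source is a feed IP."""
    pat = re.compile(r"EventID=4624 LogonType=10 .*TargetUserName=(\S+) IpAddress=(\S+)")
    hits = []
    for line in lines:
        m = pat.search(line)
        if m and m.group(2) in iocs:
            hits.append((m.group(1), m.group(2)))
    return hits
```

Running `rdp_logons_from_iocs(LOG_LINES, parse_feed(FEED))` flags the `jdoe` session from 203.0.113.17, the kind of inbound RDP logon from a known-compromised server that deserves an alert rather than a quiet block.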
HOW DO THESE ATTACKS RELY ON THE DEEP AND DARK WEB?
Before these kinds of attacks take place, it is common for cybercriminals to buy and sell access to a compromised RDP server on the deep or dark web. This way, the threat actor who has compromised an RDP connection can profit from their “accomplishment,” while a second threat actor can acquire a valuable tool to be used in a future cyberattack.
We saw a dramatic increase in the frequency with which access to these compromised servers was put up for sale on the dark web this past spring, as COVID-19 pushed many employees to work from home with little time to prepare. While we have since seen a decrease in the frequency with which this access is offered on the dark web, it remains a significant threat.
So how worried should you be about compromised RDPs in today’s world, and how can you protect your company or organization? Download the latest report, Remote Desktop Pandemic, which provides more insights into this ecosystem, the danger posed by compromised RDP servers and practical steps you can take to stay safe.