SANS Institute, an international leader in cyber security training and certifications, has identified a 30% increase in attacker interest in Remote Desktop Protocol (RDP) servers in the course of March 2020. This increase coincides with a considerable increase in exposed RDP servers, as measured by Shodan, the search engine that enables users to search the internet for connected devices.

The outcomes for March are regarding, as they also coincide with the massive surge in companies globally that wanted to close offices and rapidly enable workers to work from home to comply with social distancing restrictions due to the quick spread of COVID-19. The concern is that, in order to rapidly and cost-effectively enable employees to work from home, some companies have implemented RDP, which can expose confidential systems to the public internet.

Dr. Johannes Ullrich, SANS fellow and Dean of Research at the SANS Technology Institute, explains further: The number of source IP addresses attackers used to scan the internet for RDP raised by about 30% during March, from an average of 2,600 attacking IP addresses to nearly 3,540 each day in March. RDP is not a protocol that is strong enough to be exposed to the internet. Consequently, we are now seeing attackers actively trading weak credentials which they have identified for these RDP servers. A compromised RDP server can lead to an entire compromise of the exposed system and will likely be used to attack and exploit additional systems within the network.

Remote Desktop Protocol (RDP) is a protocol developed by Microsoft, which offers users with a graphical interface to link to another computer over a network connection. It is an affordable and easy way for companies to allow remote working for employees. The user employs RDP client software for this purpose, while the other computer must run RDP server software.

For organisations that have implemented RDP, Ullrich stated that, Use unique, long, and random passwords to secure your RDP servers, and if possible, only provide access via a VPN. Microsoft also provides RDP Gateway, which can be used to enforce strong authentication policies. You may strive to limit access to RDP from specific IP addresses if you are not able to enforce a VPN right now, but this may be difficult if your administrators are presently working from home with dynamic IP addresses.

Alternative choice is to use a cloud server as a jump-off point, Ullrich continued. Whitelist the cloud server and use secure protocols like SSH to connect to the cloud server. This strategy may work as a quick fix if you do not want to risk downtime while everybody is working remotely. Many organisations are presently not willing to risk a loss of access to business-critical systems. Altering remote access and firewall rules may lead to a loss of access that, in some cases, can only be restored by on-site personnel.

Recognising that coronavirus has made organisations across the globe to transition their workforce away from an office to work-from-home environment, and that many organisations lack the policies, resources, or training to enable their people to do so securely, SANS released the Securely Working from Home Deployment Kit on March 16. This free kit offers organisations with a step-by-step guide on how to quickly install a training program for their remote staff. All training materials and resources needed to secure a remote, multi-lingual workforce are included in the kit.