Key Points
- Exploiting poorly managed remote services—including Remote Desktop Protocol (RDP)—is the third most observed technique used by threat actors.
- Endemic security issues persist with the use of RDP, as many organizations continue to rely on weak, default credentials and unnecessarily expose their RDP to the internet. This leaves these systems susceptible to brute-force attacks.
- Threat actors can easily identify exposed RDPs using simple searches and enumeration techniques. This has made RDP exposure a frequently used technique by cybercriminals and nation-state attackers, providing an easy-to-exploit and consistent foothold onto target networks.
- RDPs will highly likely continue to be exploited in the medium-term future (3-6 months). Security professionals need to take steps to harden their use of RDPs, including avoiding weak/default credentials, introducing rate limiting on logins, and limiting the exposure of RDPs to the internet.
During a Remote Desktop Protocol (RDP) brute-force attack, an attacker systematically tries numerous username and password combinations to gain unauthorized access to systems via RDP. This method exploits weak or default credentials and often succeeds against poorly secured systems.
We have observed that targeting remote services, including RDP, is one of the most common initial access methods among all attacks against our customer base. An analysis of customer true-positive incidents from January 1 to August 31, 2024 revealed that targeting external-facing remote services was the third most prevalent technique used by adversaries.
RDP brute-force attacks have two main consequences for businesses. First, attackers can gain full control over the compromised systems, allowing them to steal data, deploy malware, or use the systems as a launchpad for further attacks. Second, the sheer volume of brute-force attempts can overwhelm network resources and system performance, causing disruptions and potential downtime for legitimate users.
This report explains the prevalence of RDP brute-force attacks, explores the tactics, techniques, and procedures (TTPs) involved, and provides practical recommendations for security teams to mitigate these risks effectively. By proactively implementing the measures provided, organizations can stay ahead of threat actors conducting RDP brute-force attacks.
RDP: An Easy Gateway for Initial Access
Threat actors target RDP for easy initial access to networks and to facilitate further malicious activity like lateral movement. Several key factors contribute to RDP’s prevalence as an easy entry point for attackers.
Ubiquity across industries and regions: RDP is widely adopted across various industries and locations for its convenience in providing remote access and system management. It is cost-effective, has a user-friendly interface, and integrates with both Mac and Windows operating systems. Additionally, sectors with a higher demand for remote workers benefit greatly from remote services. The widespread use of RDP for remote access to Windows systems in particular—which is the most common operating system used in business—means that cybercriminals have a vast number of potential targets. This increases their chances of finding vulnerable systems with weak security measures, which are easier to gain access to. The expansion of remote working has increased the number of potentially exposed RDP connections as more businesses rely on RDP for employees to access corporate networks, often without adequate security measures.
Figure 1: Shodan search showing identifiable instances of RDP
Frequency of weak and default credentials: Weak or default RDP credentials make it significantly easier for attackers to successfully brute force their way into systems. However, it is unclear why RDP is so often mismanaged. Administrators may be unaware of the risks associated with insecure RDP due to a lack of cybersecurity training, the absence of robust monitoring systems, and/or an underestimation of the threats posed by exposed RDP ports and weak authentication practices.
Weak credentials allow adversaries to gain access quickly and with minimal effort, enabling them to infiltrate networks, steal sensitive data, deploy malware, and take control of critical infrastructure. The ease of exploiting weak credentials makes RDP attacks a highly attractive and efficient method for cybercriminals to achieve their malicious objectives.
Easy identification: Many RDP ports are exposed to the internet (either deliberately or via misconfiguration), allowing attackers to quickly scan for and identify open RDP ports using automated tools. Once identified, these exposed ports can be subjected to brute-force attacks or other exploitation techniques. A Shodan search of port:3389 (the assigned port for RDP) identified over 4.4 million instances globally of exposed RDP (see Figure 1). Using this information, threat actors can easily perform more creative searches to find exposed RDPs for their network of choice or conduct attacks opportunistically. Exposing this port unnecessarily is a significant risk. The port should be secured by a combination of security methods, such as behind a virtual private network (VPN) and a firewall. Failing to do so will leave your RDP vulnerable to detection by unauthorized actors.
Automation: Botnets and automation tools enable threat actors to efficiently scan large numbers of IP addresses for exposed RDP instances and systematically attempt thousands of password combinations. This automated approach increases the speed and scale of their attacks, significantly enhancing their chances of identifying and exploiting vulnerable systems.
Low Risk, High Reward: Successful RDP brute-force attacks can provide attackers with direct access to internal networks, sensitive data, and critical systems, making RDP a lucrative target. These attacks can be launched easily and inexpensively, and even if an attack is mitigated, the attacker can still find numerous exposed RDPs to simply try again.
For all the reasons mentioned above, RDP remains one of the most common entry points to targeted networks and provides significant opportunities to threat actors, including gaining unencumbered initial access that can be used for data exfiltration, espionage, or deploying malware, like ransomware. Even technically unsophisticated threat actors can easily exploit vulnerable RDPs, making such attacks very accessible.
We frequently observe initial access brokers (IABs) selling access to compromised networks that has been obtained through RDP brute-force attacks. In Figure 2, for example, a vendor on a Russian-language cybercriminal forum is offering access to ten compromised networks in the manufacturing, business services, and construction sectors in the US or EU; access to all ten networks was gained via RDP brute-forcing. The relatively low price for this access bundle—$2,500 for ten access instances—reflects the privilege level of the compromised accounts, i.e., accounts of local users with restricted privileges. Threat actors can purchase these basic accounts cheaply and then elevate privileges to move laterally within a network and progress their attack.
Figure 2: Brute-forced RDP accesses for sale on a Russian-language cybercriminal forum
Many vulnerable RDP instances are misconfigured, exist as shadow information technology (IT), or suffer from inadequate monitoring tools. As a result, they often reside on parts of the network that are outside the visibility of network defenders. Compromising RDP on a poorly managed or unknown segment of the network could grant an attacker persistent access that remains undetected for months. These factors make RDP one of the highest risks for enterprises and a critical technology for organizations to manage. Enhancing network visibility through effective detection and response systems can significantly improve threat detection and greatly reduce Mean Time to Contain (MTTC), preventing potential impact.
RDP Brute-Force TTPs
Understanding the TTPs associated with RDP brute-forcing is essential for improving resilience to attacks, as these methods outline how threat actors commonly target and compromise systems. RDP brute-forcing typically involves the following steps:
1. Reconnaissance: identifying targets with exposed RDP ports; this can be achieved through tools like Nmap or Masscan to conduct port scanning, commonly on port 3389.
2. Enumeration: gathering detailed information on the target; techniques such as service banner grabbing, vulnerability scanning, or username harvesting are employed to build a profile of the target system.
3. Brute-Forcing: gaining access by trying various username and password combinations; attackers often use password lists like RockYou2024 in combination with automated brute-force tools such as Hydra or Medusa.
During this stage, threat actors may also use rainbow tables—precomputed tables of hashed passwords—to quickly reverse-engineer hashed password data, making it easier to guess plaintext passwords. To bypass rate-limiting measures, attackers might rotate IP addresses or employ low-and-slow approaches to avoid detection.
4. Gaining Access: Once valid credentials are found, attackers log in and establish persistence by creating new accounts or installing backdoor malware.
5. Post-Exploitation: exploiting the compromised system to further conduct malicious activity, such as data theft, deploying malware, or using the system as a launchpad for additional attacks.
6. Monetization: converting compromised access into financial gain; this could involve selling access on dark web forums, deploying ransomware, or stealing sensitive data for resale.
The typical steps taken by an attacker attempting an RDP brute-force attack are not sophisticated and can be easily executed by even lesser-skilled adversaries. This issue is further exacerbated by the widespread availability of RDP brute-forcing tools. Tools such as Hydra, Medusa, and Nmap, along with comprehensive password lists like RockYou2024, are easily accessible on various platforms. These tools and resources are often shared on cybersecurity and hacker forums and in GitHub repositories. As a result, even novice threat actors can engage in RDP brute-forcing, making it attractive to those seeking to compromise systems with little effort. Taking the path of least resistance, i.e., exploiting the easiest and most vulnerable point in a target’s defense, will always be the preferred option for threat actors, and RDP is a weakness that threat actors will continue to exploit frequently.
Threat Groups Targeting RDP
Due to simple identification and exploitation, RDP brute-force attacks are favored by both nation-state-associated and cybercriminal groups. Both types of threat groups exploit the ubiquity of RDP, the prevalence of weak credentials, and the frequent lack of robust monitoring to conduct their attacks.
Cybercriminal Groups
Cybercriminals conduct RDP brute-force attacks to infiltrate networks, steal sensitive data, deploy ransomware, and conduct other malicious activities. Once inside a target network, they can encrypt critical data and demand hefty ransoms for decryption keys. Ransomware is the biggest threat facing businesses in 2024, with a successful attack likely to result in significant operational, regulatory, and financial ramifications. For example, in March of 2024, the “MakOp” ransomware group reportedly used the NLBrute brute-forcing tool to facilitate initial access via RDP and also used RDP to move laterally within targeted organizations’ networks.
- NLBrute is a widely used brute-force attack tool designed to crack RDP credentials. It systematically attempts various username and password combinations to exploit weak or default credentials.
ReliaQuest’s collection of content from chat messages, forums, criminal marketplaces, or dark-web sites reveals a consistent interest among threat actors in targeting RDP over the past 12 months. Previous research conducted by ReliaQuest identified RDP as the most popular access type, selling for the highest prices among IAB listings. RDP on average sold for approximately $10,000, thereby underscoring the value of RDP to cybercriminals.
Nation-State-Associated Threat Groups
These groups often target RDP for motives that are distinct from those of cybercriminals, such as espionage, sabotage, and strategic advantage. While a cybercriminal can quickly monetize or exploit their access via RDP, a nation-state group can use it to establish a more permanent foothold on the target network. These groups aim to infiltrate government agencies, critical infrastructure, or high-value corporate targets to gather intelligence or disrupt operations. For instance, advanced persistent threat (APT) groups linked to countries like Russia, China, and Iran have reportedly used RDP brute-force attacks in their campaigns. The access gained through these attacks allows the groups to move laterally within the network, exfiltrate sensitive information, and maintain a long-term presence for ongoing intelligence operations, underscoring the significant threat posed by RDP brute-forcing.
State-sponsored actors are particularly dangerous due to their sophistication and the resources available to them, enabling them to bypass conventional security measures and remain undetected for extended periods. This prolonged access allows them to conduct extensive data exfiltration, espionage, and disruption of critical infrastructure. These actors often have access to cutting-edge technology and specialized skills, making their attacks more targeted and difficult to defend against. Nonetheless, if possible, they will still use simple but effective techniques like RDP brute-forcing. The implications of such intrusions are far-reaching, affecting national security, economic stability, and public trust in digital systems.
Case Study: Russia-Linked RDP Brute-Force Attack
In April of 2024, ReliaQuest responded to a “Successful Brute-Force” detection from four IP addresses. Analysis revealed an RDP brute-force attack targeting a specific host, which ReliaQuest quickly isolated. An IP address that was linked to Russia accessed a host and established remote desktop connections. Devices were then configured on the host, including a Plug and Play (PnP) device categorized as a Microsoft Remote Display Adapter, followed by a Generic Non-PnP monitor. The threat actor also attempted to migrate user profiles from Internet Explorer to Microsoft Edge. However, ReliaQuest did not detect any other malicious findings or indicators of compromise (IoCs) affecting the user, indicating that user integrity remained intact. After isolating the host, ReliaQuest revoked active sessions, conducted comprehensive scans to verify the absence of any residual malicious activity, and temporarily disabled the user as a precautionary measure before rotating the user’s credentials.
The migration of user profiles to Microsoft Edge indicates the attacker positioning themselves for credential harvesting and capturing browser-related data. It is difficult to determine the exact intent behind the harvested credentials, but the credentials could have been used for the attacker’s malicious activities or sold to third parties. ReliaQuest commonly observes credentials harvested from browsers for sale on both IAB listings and automated vending cart (AVC) websites like Russian Market.
Alternatively, if the attacker aimed to facilitate long-term access on the compromised host, it is realistically possible that the profile migration was intended to establish a more persistent presence. By using a browser that the legitimate user may not actively use, the attacker could avoid detection. The connection of a Microsoft Remote Display Adapter suggests attempts to either enable a more seamless and responsive remote experience or to circumvent security measures that are less effective against remote display sessions.
This case study serves as an example of the importance of proactive defenses. In this instance, early detection enabled a swift response and avoided a potentially impactful threat, highlighting the importance of a fast MTTC to mitigate threats before they cause any damage.
Forecast
Evolution of Methodology
As remote work continues to proliferate and remote desktop access remains a critical tool for businesses, we anticipate that attackers will significantly evolve their brute-force attack methods. Threat actors will highly likely adopt more advanced and sophisticated techniques to evade detection and enhance the effectiveness of their attacks. This will probably include leveraging artificial intelligence (AI) and machine learning to optimize password-guessing algorithms and to identify patterns that increase the likelihood of success.
Instead of broad, opportunistic attacks, we expect threat actors to increasingly focus on high-value targets, such as critical infrastructure, financial institutions, and large enterprises. These targeted attacks will be more meticulously planned and executed and aim for higher rewards. As a result, attackers may shift from randomly targeting RDP instances identified by scanning tools to seeking greater output from their efforts.
Chrome RDP: A New Tool for Attackers
Chrome RDP, a browser extension that enables users to access remote desktops through Google Chrome, has emerged as a new tool in the arsenal of threat actors conducting RDP brute-force attacks. By leveraging Chrome RDP, attackers can exploit the convenience and ubiquity of web browsers to launch brute-force attacks more discreetly. They can target browser vulnerabilities or employ phishing tactics to obtain user credentials and then use the extension to gain access to remote systems. This method allows cybercriminals to bypass traditional security measures that are designed to protect standalone RDP clients. We assess that targeting Chrome RDP in this manner is likely to continue in the medium-term future (3-12 months).
Regulatory and Policy Changes: A Path to Enhanced Security
Regulatory and policy changes could significantly improve resilience to RDP brute-force attacks: governments and regulatory bodies could introduce stricter guidelines and compliance requirements for remote access security—much in the same way multi-factor authentication (MFA) is being universally advised. This may encourage organizations to adopt stronger security measures and conduct regular audits to protect against RDP brute-force attacks. Continued high-profile incidents involving RDP brute-forcing could result in regulatory changes aimed at enhancing security.
What ReliaQuest is Doing
To identify RDP brute-force attacks, ReliaQuest offers a selection of detection rules to their customers that are deployed by ReliaQuest GreyMatter. To remediate these attacks, associated respond playbooks can be executed by ReliaQuest customers or by the ReliaQuest team on the customer’s behalf. For faster containment and remediation, some response actions can be automated, such as blocking unauthorized remote software.
Recommendations
Given the inherent risks associated with RDP, it is crucial to robustly manage and continuously monitor this technology to detect any instances of misuse. ReliaQuest recommends taking the following steps to stay protected.
- Limit Exposure to the Internet: Configure your network to ensure that RDP services are not directly accessible from the internet. This will greatly reduce the likelihood of threat actors discovering the RDP through enumeration techniques. Use firewalls to block external access to port 3389 or any other custom port used for RDP. Restrict RDP access to internal networks or use a VPN to significantly reduce your attack surface to make it harder for attackers to discover and target your RDP endpoints.
- Avoid Weak/Default Credentials: Enforce strong password policies that mandate the use of complex, unique passwords for all RDP accounts. Regularly audit accounts to ensure that default credentials are not in use. Weak and default passwords are the first thing a brute-force attack tries, so strong, unique passwords combined with regular account audits directly reduce the risk of unauthorized RDP access.
- Limit RDP Access with Network-Level Authentication (NLA): Enable NLA to require users to authenticate before a full RDP session is established. Additionally, restrict RDP access to specific IP addresses or through a VPN. This adds an extra layer of security by ensuring that only authenticated users can initiate an RDP session. Limiting access to known IP addresses or requiring VPN access greatly hardens authentication measures.
- Rate Limiting: Configure rate limiting on your RDP server to restrict the number of login attempts from a single IP address within a specified time period. For example, limit login attempts to five per minute per IP address. This helps to thwart brute-force attacks by slowing down the attacker’s ability to rapidly guess passwords. By imposing delays after a certain number of failed attempts, it becomes impractical for attackers to continue their brute-force efforts, significantly reducing the likelihood of successful access.
- Monitor and Alert on Suspicious Activity: Use advanced monitoring and logging tools to detect and alert on unusual RDP activity, such as multiple failed login attempts, logins from unfamiliar locations, or logins at unusual times. Real-time monitoring and alerts enable rapid detection and response to potential brute-force attacks, allowing security teams to take immediate action to investigate and mitigate the threat. This can assist in improving Mean Time to Detect (MTTD)—a critical metric that measures the average time taken to identify a threat. Faster MTTD is crucial for faster response times, which in turn reduces potential damage and mitigates the overall impact of security breaches.
- Deploy Account Lockout Policies: Configure account lockout policies to temporarily disable user accounts after a certain number of failed login attempts. For example, lock the account for 15 minutes after five failed attempts. This helps to prevent brute-force attacks by slowing down the attacker’s ability to guess passwords, making it impractical to continue the attack without being repeatedly locked out.
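As an added example (not code from the report or from ReliaQuest GreyMatter), the following Python implements the failed-logon monitoring described in the last two recommendations over constructed Windows Security events, using the report's five-attempts-per-minute-per-IP threshold, and also flags the "Successful Brute-Force" pattern from the case study, where a successful logon follows a burst of failures from the same source. It assumes Windows Event IDs 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive) as the RDP signal; the event tuples are constructed sample data.

```python
"""Detect RDP brute-force patterns in Windows Security log events.

Assumed log source: Windows Security event log, where Event ID 4625 is a failed
logon and 4624 a successful logon; LogonType 10 (RemoteInteractive) marks RDP
sessions. The sample events below are constructed, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, logon_type, source_ip, username)
SAMPLE_EVENTS = [
    ("2024-04-02T03:10:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-04-02T03:10:04", 4625, 10, "203.0.113.7", "admin"),
    ("2024-04-02T03:10:09", 4625, 10, "203.0.113.7", "jsmith"),
    ("2024-04-02T03:10:15", 4625, 10, "203.0.113.7", "backup"),
    ("2024-04-02T03:10:22", 4625, 10, "203.0.113.7", "svc_sql"),
    ("2024-04-02T03:10:31", 4624, 10, "203.0.113.7", "svc_sql"),  # success after burst
    ("2024-04-02T03:15:00", 4625, 10, "198.51.100.9", "jsmith"),  # isolated typo
    ("2024-04-02T03:25:00", 4625, 10, "198.51.100.9", "jsmith"),  # ten minutes later
    ("2024-04-02T09:00:00", 4624, 2, "10.0.0.5", "jsmith"),       # local logon, not RDP
]

RATE_THRESHOLD = 5            # report's example: five attempts per minute per IP
WINDOW = timedelta(minutes=1)


def detect_rdp_bruteforce(events, threshold=RATE_THRESHOLD, window=WINDOW):
    """Return a list of alerts, in time order.

    'brute_force'      : >= threshold failed RDP logons from one IP inside window
    'successful_brute' : a successful RDP logon from an IP already flagged
    Only LogonType 10 (RemoteInteractive) events are treated as RDP.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = set()               # ips that already tripped the rate threshold
    alerts = []
    for ts, event_id, logon_type, ip, user in sorted(events, key=lambda e: e[0]):
        if logon_type != 10:
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            q = recent[ip]
            q.append(t)
            while q and t - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip,
                               "failures": len(q), "at": ts})
        elif event_id == 4624 and ip in flagged:
            # A success from a source that was just brute-forcing is the
            # highest-priority signal: credentials were likely guessed.
            alerts.append({"type": "successful_brute", "ip": ip,
                           "user": user, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The two slow failures from 198.51.100.9 fall outside the one-minute window and produce no alert, which is the trade-off of a fixed window: low-and-slow attempts, as the TTPs section notes, need a longer window or per-account counting to surface.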