2 min

Tags in this article

, , , ,

Sophos informs Techzine that it has identified patterns used by hackers in Remote Desktop Protocol (RDP) attacks. In the past year, this technique was used in two major ransomware attacks, namely SamSam and Matrix.

The reason for the study is the recent publicity surrounding an error in the remote RDP code BlueKeep, says Matt Boddy, security specialist at Sophos: This vulnerability is so serious that it can be used to trigger ransomware outbreaks that can spread throughout the world in no time. However, RDP threat protection goes much further than patching against Blue Keep; it’s just the tip of the iceberg. In addition to taking care of BlueKeep, IT managers need to spend much more time on RDP. Our research shows that cybercriminals are investigating all potentially vulnerable computers that RDP exposes 24/7 with password attacks.

The study, which is now freely available, shows three patterns with which hackers try to find RDP equipment as soon as it appears online. With ten honeypots that Sophos has scattered geographically, the company has tried to map out the risks of the RDP. The research shows that all ten honeypots were able to welcome their first login attempt within one day. Remote Desktop Protocols also expose pcs to attacks in just 84 seconds. In addition, an average of one attempt per six seconds was measured for a total of 4,298,513 login attempts over 30 days. The research shows that hackers use their own techniques for these attacks, and not necessarily only use third party sites.


The research also shows that three common attack patterns can be identified. First, there is the ram, a strategy that tries to reveal the password of the system administrator. For example, an Irish honeypot was attacked more than 100,000 times within ten days with only three usernames. Second, there is the swarm, a strategy that uses sequential usernames and a finite number of the worst passwords. Think of using the name ABrown, then BBrown, CBrown, and so on. Thirdly, there is the hedgehog, a technique that alternates high peaks of activity with periods of inactivity. Each spike is then launched from a different IP address.

According to Sophos, the number of RDP attacks is growing enormously, and companies should focus on reducing this practice where possible. In addition, the company believes that it is more important than ever to have a comprehensive password policy in place and to use the right security protocols.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.