ESET has reported a growth in brute-force attacks. During the pandemic and the move of companies to working from home, the number of attacks reached 100,000 per day.
Researchers explain that before the changes caused by the coronavirus pandemic, most organizations operated under the control of their IT departments. Now, many of them give employees remote access to the corporate network and to sensitive data from home devices using RDP.
As a result, a security hole has appeared. Staff often use weak passwords that are easy to guess, which makes the network more vulnerable to cybercriminals. The problem is compounded by the lack of additional protection in the form of two-factor authentication.
According to ESET, between December 2019 and February 2020 there were 40,000 to 70,000 attacks per day. The upward trend emerged in February, when the number of brute-force attacks reached 80,000.
Since then, the figures have risen steadily and exceeded 100,000 in April and May, that is, when most countries with a large number of COVID-19 patients were forced to introduce quarantine measures and businesses switched en masse to remote work.
According to the telemetry collected by ESET, in January-May 2020 most of the blocked IP addresses from which the attacks were carried out were located in the USA, China, Russia, Germany and France. Russia ranked first in terms of the number of unique attacks detected by ESET. Next in the ranking are Germany, Japan, Brazil and Hungary.
However, unauthorized access to the organization’s systems is only the first step, which is usually followed by more serious actions by the attackers. RDP has thus become a popular attack vector, especially among hacker groups that distribute ransomware.
Attackers often try to infiltrate a poorly protected network, gain administrator rights, disable or remove security solutions, and then run malware to encrypt sensitive corporate data. In addition, criminals can install a miner or create a backdoor that keeps working even if the unauthorized RDP access is detected and terminated.
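
For defenders, the password guessing against RDP described above shows up in the Windows Security log as bursts of failed logons (event ID 4625) from a single source address. The following is an added example, not code from ESET or from the original article: it flags such bursts and notes a successful logon (event ID 4624) that follows one. It assumes the events have already been exported as `(timestamp, event_id, logon_type, source_ip, account)` tuples; the function names, threshold, window and sample records are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624  # Windows Security log: failed / successful logon
RDP_LOGON_TYPES = {3, 10}     # 10 = RemoteInteractive, 3 = Network (RDP with NLA)

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding
    window, and note the first successful logon from that IP after the burst."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)      # ip -> account names seen in failed logons
    findings = {}
    for ts, event_id, logon_type, ip, account in sorted(events):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        if event_id == FAILED:
            tried[ip].add(account)
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"peak": 0, "success_after_burst": None})
                f["peak"] = max(f["peak"], len(q))
        elif event_id == SUCCESS and ip in findings:
            # A success right after a burst suggests a guessed password.
            if findings[ip]["success_after_burst"] is None:
                findings[ip]["success_after_burst"] = account
    for ip, f in findings.items():
        f["accounts"] = sorted(tried[ip])
    return findings

def sample_events():
    """Constructed sample records (documentation IP ranges), not real telemetry."""
    t0 = datetime(2020, 4, 1, 3, 0, 0)
    names = ["admin", "administrator", "user", "test", "backup", "scanner", "admin"]
    events = [(t0 + timedelta(seconds=5 * i), FAILED, 3, "203.0.113.7", n)
              for i, n in enumerate(names)]
    events.append((t0 + timedelta(seconds=40), SUCCESS, 10, "203.0.113.7", "admin"))
    # Legitimate user: one mistyped password, then a normal logon.
    events.append((t0 + timedelta(seconds=10), FAILED, 3, "198.51.100.20", "alice"))
    events.append((t0 + timedelta(seconds=25), SUCCESS, 10, "198.51.100.20", "alice"))
    return events

if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(sample_events()).items():
        print(ip, f)
```

A finding with `success_after_burst` set is the case to triage first, since it matches the unauthorized access that precedes the follow-on activity described above.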