Threat Actors Abuse RDP
Category: Threat Actor Activity | Industry: Global | Level: Tactical | Source: Cyble
Researchers from Cyble Research and Intelligence Labs (CRIL) highlight the risks of exposed RDP ports, which threat actors leverage to gain access to and compromise targeted networks. Threat actors can easily exploit this attack vector by scanning the internet for open ports or by logging in with stolen credentials. Systems in the United States and Russia were found to have the most exposed RDP instances. Ransomware families targeting vulnerable RDP configurations include Daixin Team, MedusaLocker, Redeemer, NYX, BlackHunt, Vohuk, and Amelia. From tracking attacks against RDP, Cyble observed: "Over 4,783,842 exploitation attempts were made in 3 months, with a peak in exploitation attempts being observed in September end and mid-November, as shown in the figure above. The majority of attacks originated from the United States, South Korea, Netherlands, India, and Vietnam." Cybercrime forums also increase the risk of RDP abuse, offering an abundance of credentials for sale that can be used against a wide variety of verticals, such as critical infrastructure, government, manufacturing, and telecommunications companies.
Anvilogic Use Cases:
- RDP Logon/Logoff Event
- RDP Connection
- Successful Login From Public IP Address
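A detection in the spirit of the "RDP Logon/Logoff Event" and "Successful Login From Public IP Address" use cases above, as an added example that is not part of the Cyble report or Anvilogic's own content. It assumes Windows Security events already exported as JSON lines with the field names shown; the sample events and the internal address ranges are constructed assumptions to be replaced with your own.

```python
import ipaddress
import json

# Constructed sample Windows Security events as JSON lines (not from the Cyble report).
# EventID 4624 = successful logon, 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """
{"EventID": 4624, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.45"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "10.0.4.22"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "198.51.100.7"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "-"}
{"EventID": 4625, "LogonType": 3, "TargetUserName": "administrator", "IpAddress": "198.51.100.7"}
{"EventID": 4625, "LogonType": 3, "TargetUserName": "admin", "IpAddress": "198.51.100.7"}
{"EventID": 4625, "LogonType": 3, "TargetUserName": "backup", "IpAddress": "198.51.100.7"}
{"EventID": 4625, "LogonType": 3, "TargetUserName": "jsmith", "IpAddress": "10.0.4.22"}
"""

# Address space treated as internal (assumed; adjust to your network). Listed explicitly
# rather than relying on ipaddress.is_global, because the rule should reflect your own
# ranges and because Python does not count documentation nets like 203.0.113.0/24 as global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_public_ip(value):
    """True only for a parseable address outside INTERNAL_NETS ('-' and junk are False)."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def rdp_logons_from_public_ips(events):
    """Successful RDP session logons (4624, LogonType 10) sourced from a public address."""
    return [ev for ev in events
            if ev.get("EventID") == 4624 and ev.get("LogonType") == 10
            and is_public_ip(ev.get("IpAddress", ""))]

def noisy_failed_logon_sources(events, threshold):
    """Public sources with at least `threshold` failed logons (4625). With NLA enabled,
    RDP credential failures are usually logged as LogonType 3, so no type filter here."""
    counts = {}
    for ev in events:
        src = ev.get("IpAddress", "")
        if ev.get("EventID") == 4625 and is_public_ip(src):
            counts[src] = counts.get(src, 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}
```

Feed `parse_events` the exported log and alert on any result from `rdp_logons_from_public_ips`; the failed-logon summary is the companion view for the credential-guessing volume the report describes.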