Remote Desktop Brute force attacks, are you at risk?

Remote Desktop is a very useful way of accessing your company network whilst working away from the office. But... it can also expose your network to hackers.

We were called by a local company and asked to come in and take a look at their systems with a view to providing ongoing support. One key issue the client mentioned was that their Internet access seemed very slow, and their current IT supplier had run out of ideas as to why.

A quick check of the Event Logs on their servers revealed HUNDREDS OF THOUSANDS of failed logon attempts. This was a Remote Desktop Services server and it was sat, with no thought to security, waiting for ANYONE on the Internet to have a go at logging on.

A Brute Force attack was happening on their server. A Brute Force attack is when a system is bombarded with logon attempts trying to guess a working username and password combination.

Logons were attempted around 3 times a second and had been happening for at least 5 days (we’ve no idea when it started, as their Event logs only went back this far…)

3 logons a second, is that a lot?

  • 180 a minute
  • 10,800 an hour
  • 259,200 a day
  • 1,814,400 a week

There was...

  • No Firewall policy in place to lock down the locations where people could RDP in from!
  • No initial VPN facility!
  • No User Account lockout policy to suspend any accounts where the attack did get the username right!
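As an added illustration (not part of the original post), the following Python sketches the two checks discussed above: how fast failed logons are arriving from each source address, and which accounts an account lockout policy would have suspended. The event records are constructed to mimic the failed-logon entries described above; on a real Windows server they would be read from the Security event log (event ID 4625), and the record fields and thresholds used here are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample():
    """Constructed sample of failed-logon records: (time, account tried, source IP)."""
    base = datetime(2020, 1, 1, 12, 0, 0)
    events = []
    # One source hammering the server at 3 attempts/second for a minute,
    # cycling through guessed usernames (the pattern described in the post).
    guessed = ["administrator", "admin", "backup", "scanner"]
    for i in range(180):
        events.append((base + timedelta(seconds=i / 3), guessed[i % 4], "198.51.100.7"))
    # A genuine user who mistyped their password twice.
    events.append((base + timedelta(seconds=10), "jsmith", "203.0.113.25"))
    events.append((base + timedelta(seconds=25), "jsmith", "203.0.113.25"))
    return events


def failure_rate_by_source(events):
    """Return {source_ip: (failure_count, failures_per_second)} over each source's span."""
    by_src = defaultdict(list)
    for ts, _, src in events:
        by_src[src].append(ts)
    rates = {}
    for src, times in by_src.items():
        span = (max(times) - min(times)).total_seconds()
        rates[src] = (len(times), len(times) / span if span > 0 else float(len(times)))
    return rates


def brute_force_sources(events, per_second=1.0, min_attempts=50):
    """Sources whose sustained failure rate looks like guessing rather than typos."""
    return sorted(src for src, (n, rate) in failure_rate_by_source(events).items()
                  if n >= min_attempts and rate >= per_second)


def accounts_lockout_would_catch(events, threshold=5, window=timedelta(minutes=30)):
    """Accounts reaching `threshold` failures inside a sliding `window`: the ones a
    lockout policy with those settings would have suspended before a guess landed."""
    by_acct = defaultdict(list)
    for ts, acct, _ in events:
        by_acct[acct.lower()].append(ts)
    locked = set()
    for acct, times in by_acct.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                locked.add(acct)
                break
    return sorted(locked)
```

With the sample data the hammering source is flagged at roughly 3 failures a second while the genuine user is not, and all four guessed accounts would have been locked well before the attacker worked through 180 attempts.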

Once we locked down the system and made changes to the setup to ensure only genuine users could attempt to log on, their systems were running much more smoothly.

This company was lucky: they felt the effect of the attack before it was successful. Had they not noticed the Internet being a little slow and done something about it, then eventually a correct username and password would have let the attackers in…

Once in, they could have stolen huge amounts of information, or more likely just installed Ransomware on the system and locked them out of all their data…

If you have any concerns over how your Remote access may work give us a call and we can take a look for you.