sb-nz logo
Story image

Report: Brute-force attacks feed on remote working vulnerabilities

30 Jun 2020

Brute-force attacks have risen significantly in correlation with the widespread impacts of the COVID-19 pandemic according to ESET,  which has tracked the trend by measuring the frequency with which it has blocked such attacks.

The United States, China, Russia, Germany and France topped the list of countries with most IPs used for brute-force attacks, the cybersecurity company says.

The trend is yet another indicator of the opportunism of cyber criminals, especially ransomware operators, who are seeking to exploit the shift to remote working and the vulnerability of security infrastructures buckling under pressure.

“Before the lockdown, most employees worked from the office and used infrastructure monitored and controlled by their IT department,” says ESET security research and awareness specialist Ondrej Kubovič.

“But the coronavirus pandemic has brought a major shift to the status quo. 

“Today, a huge proportion of ‘office’ work occurs via home devices, with workers accessing sensitive company systems through Windows’ Remote Desktop Protocol (RDP), a proprietary solution created by Microsoft to allow connecting to the corporate network from remote computers.

“Despite the increasing importance of RDP, as well as other remote access services, organisations often neglect its settings and protection,” says Kubovič.

“Employees use easy-to-guess passwords, and without additional layers of authentication or protection, there is little that can stop cybercriminals from compromising an organisation’s systems.”

Using its telemetry capabilities, ESET discovered most of the blocked IPs in January–May 2020 were seen in the United States, China, Russia, Germany and France. Countries that had the largest proportion of targeted IPs were Russia, Germany, Japan, Brazil and Hungary.

The usage of RDPs has been one of the major contributors to the general increase in security risk profiles for organisations with remote workforces. 

It has become a popular attack vector in the past few years, especially among ransomware gangs. These cybercriminals often brute-force their way into a poorly secured network, elevate their rights to admin level, disable or uninstall security solutions, and then run ransomware to encrypt crucial company data.

Still other cyber attackers may instead take advantage of an unsecured RDP to create coin-mining protocols or create backdoors, which can then be used in case their unauthorised RDP access has been identified and closed.

The research from ESET comes only a week after the company reported a coordinated spear-phishing campaign which leveraged persuasive LinkedIn messaging as its lure.

The LinkedIn message describes a believable job offer, seemingly from a well-known company in a relevant sector. Files were sent directly via LinkedIn messaging or via email containing a OneDrive link.

ESET researchers later discovered that such LinkedIn profiles were fake, and the files sent were malicious.