Microsoft collected RDP login activity from over 45,000 devices and workstations running Microsoft Defender Advanced Threat Protection (the commercial version of the free Defender anti-virus app).
According to reports, both failed and successful RDP login attempts were part of the data collected for the detailed study, which ran across several months.
Reportedly, the successful and failed events correspond to Windows events with ID 4624 and 4625 respectively. The usernames that attackers or legitimate users tried were also collected.
RDP, the Remote Desktop Protocol, is a feature of the Windows operating system that lets users log into a remote computer or device through an interface that looks much like a local desktop, by connecting to the computer's public IP address on port 3389.
Businesses and organizations commonly use RDP to manage servers, workstations and other connected devices at remote sites; it makes remote work easier for administrators and employees alike.
Brute force attacks against Windows devices, especially through RDP ports exposed to the internet, are common. Automated tools cycle through combinations of usernames and passwords until they hit the target computer's RDP credentials.
Simple, basic combinations sit at the top of the list, followed closely by username and password pairs that have previously been leaked on the dark web.
On average these brute force attacks last 2 to 3 days; in 90% of the cases, the reports found, the attack lasts around a week.
According to the study, attacks stretch across days because the attackers try a limited number of selected combinations per hour rather than firing off guesses blindly.
This helps the attackers avoid having their source IP addresses blocked by firewalls.
Microsoft, according to sources, also noted that “0.8% of the devices that were attacked by the brute-force attacks were compromised. Also, that on average a machine was expected to have a high probability of being compromised leading to an RDP brute force attack every 3-4 days”.
Per sources, it's imperative to look at the following signals for a sign-in attempt:
Event ID 4625 logon type
number of other devices with inbound RDP connections from one or more of the same IPs
number of failed sign-ins
Event ID 4625 failure reason
number of distinct usernames that failed to sign in, and how many times each one failed
number of external IPs with inbound RDP connections
hour of day and day of week of the failed sign-in
RDP connections
timing of successful sign-in attempts
To protect your devices from such attacks, it is essential to monitor for unknown connections and failed sign-in attempts.
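As an added example, not part of the original report or Microsoft's own detection logic, the following Python aggregates several of the signals listed above per source IP over constructed sample 4624/4625 events and flags the low-and-slow, multi-host guessing pattern the study describes followed by a success; the hostnames, IP addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry): (timestamp, target host, event ID, logon type, username, source IP).
# Logon type 3 = network, 10 = RemoteInteractive (RDP); 4625 = failed, 4624 = successful sign-in.
SAMPLE_EVENTS = [
    ("2020-01-06 02:10:00", "ws01", 4625, 10, "administrator", "203.0.113.7"),
    ("2020-01-06 03:15:00", "ws01", 4625, 10, "admin", "203.0.113.7"),
    ("2020-01-06 04:20:00", "ws02", 4625, 10, "administrator", "203.0.113.7"),
    ("2020-01-07 01:05:00", "ws01", 4625, 10, "user", "203.0.113.7"),
    ("2020-01-07 02:30:00", "ws02", 4625, 10, "test", "203.0.113.7"),
    ("2020-01-08 03:40:00", "ws01", 4625, 10, "backup", "203.0.113.7"),
    ("2020-01-08 04:45:00", "ws01", 4624, 10, "backup", "203.0.113.7"),   # success after days of guessing
    ("2020-01-06 09:00:00", "ws03", 4625, 10, "jsmith", "198.51.100.20"),  # one typo, then success
    ("2020-01-06 09:01:00", "ws03", 4624, 10, "jsmith", "198.51.100.20"),
]

def summarize_by_source(events):
    """Per source IP: failed sign-ins, distinct usernames, distinct hosts hit, time span, success after failures."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "hosts": set(),
                                 "first": None, "last": None, "success_after_failure": False})
    for ts, host, event_id, logon_type, user, ip in sorted(events):
        if logon_type not in (3, 10):        # only network / RDP logons are relevant here
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        s = stats[ip]
        if event_id == 4625:
            s["failures"] += 1
            s["users"].add(user.lower())
            s["hosts"].add(host)
            s["first"] = s["first"] or t
            s["last"] = t
        elif event_id == 4624 and s["failures"] > 0:
            s["success_after_failure"] = True  # a hit following guesses is the strongest signal
    return stats

def classify(s, min_failures=5, min_users=3, max_rate_per_hour=5):
    """Verdict for one source; the thresholds are illustrative assumptions, not the study's values."""
    span_hours = (s["last"] - s["first"]).total_seconds() / 3600 if s["first"] else 0
    rate = s["failures"] / span_hours if span_hours else s["failures"]
    spraying = s["failures"] >= min_failures and len(s["users"]) >= min_users
    low_and_slow = spraying and span_hours >= 24 and rate < max_rate_per_hour   # few guesses/hour over days
    if spraying and s["success_after_failure"]:
        return "likely compromise"
    if low_and_slow or (spraying and len(s["hosts"]) > 1):
        return "brute force"
    return "benign"

def detect(events=SAMPLE_EVENTS):
    return {ip: classify(s) for ip, s in summarize_by_source(events).items()}
```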