
Report: Brute-force attacks feed on remote working vulnerabilities

30 Jun 2020

Brute-force attacks have risen significantly in correlation with the widespread impacts of the COVID-19 pandemic, according to ESET, which has tracked the trend by measuring how often it has blocked such attacks.

The United States, China, Russia, Germany and France topped the list of countries with most IPs used for brute-force attacks, the cybersecurity company says.

The trend is yet another indicator of the opportunism of cyber criminals, especially ransomware operators, who are seeking to exploit the shift to remote working and the vulnerability of security infrastructures buckling under pressure.

“Before the lockdown, most employees worked from the office and used infrastructure monitored and controlled by their IT department,” says ESET security research and awareness specialist Ondrej Kubovič.

“But the coronavirus pandemic has brought a major shift to the status quo.

“Today, a huge proportion of ‘office’ work occurs via home devices, with workers accessing sensitive company systems through Windows’ Remote Desktop Protocol (RDP), a proprietary solution created by Microsoft to allow connecting to the corporate network from remote computers.

“Despite the increasing importance of RDP, as well as other remote access services, organisations often neglect its settings and protection,” says Kubovič.

“Employees use easy-to-guess passwords, and without additional layers of authentication or protection, there is little that can stop cybercriminals from compromising an organisation’s systems.”

Using its telemetry capabilities, ESET discovered most of the blocked IPs in January–May 2020 were seen in the United States, China, Russia, Germany and France. Countries that had the largest proportion of targeted IPs were Russia, Germany, Japan, Brazil and Hungary.

The use of RDP has been one of the major contributors to the general increase in security risk for organisations with remote workforces.

It has become a popular attack vector in the past few years, especially among ransomware gangs. These cybercriminals often brute-force their way into a poorly secured network, elevate their rights to admin level, disable or uninstall security solutions, and then run ransomware to encrypt crucial company data.

Other attackers may instead take advantage of an unsecured RDP server to install coin-mining software or create backdoors, which preserve their access in case the unauthorised RDP access is identified and closed.
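The brute-force stage of the chain described above begins with a burst of failed RDP logons, which Windows records as Security event 4625 with logon type 10 (RemoteInteractive). As an added example that is not part of ESET's report or this article, the following Python flags source addresses that exceed a failure threshold inside a sliding window, and notes when a successful RDP logon (event 4624) from the same source follows the burst; the pipe-separated record format, the sample records, the threshold and the window length are all assumptions.

```python
"""Flag RDP brute-force bursts in (constructed) Windows Security event records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry.
# Fields: timestamp|EventID|LogonType|TargetUser|SourceIP
SAMPLE_LOG = """\
2020-05-12T08:00:01|4625|10|administrator|203.0.113.7
2020-05-12T08:00:03|4625|10|admin|203.0.113.7
2020-05-12T08:00:04|4625|10|backup|203.0.113.7
2020-05-12T08:00:06|4625|10|jsmith|203.0.113.7
2020-05-12T08:00:08|4625|10|test|203.0.113.7
2020-05-12T08:00:09|4625|10|guest|203.0.113.7
2020-05-12T08:00:11|4624|10|jsmith|203.0.113.7
2020-05-12T08:15:00|4625|10|jsmith|198.51.100.4
2020-05-12T08:30:00|4625|2|jsmith|198.51.100.4
"""


def parse_record(line):
    """Split one assumed-format record into typed fields."""
    ts, event_id, logon_type, user, src = line.strip().split("|")
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), user, src


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: finding} for sources with >= threshold failed RDP
    logons (4625, LogonType 10) inside any sliding window of length `window`.
    A finding records the failure count, how many distinct usernames were
    tried (password spraying shows up here), and whether an RDP success
    (4624) from the same source followed the burst, the case to triage first."""
    recent = defaultdict(deque)     # src -> timestamps of recent failures
    users = defaultdict(set)        # src -> usernames attempted
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = parse_record(line)
        if logon_type != 10:        # only RDP (RemoteInteractive) logons
            continue
        if event_id == 4625:
            q = recent[src]
            q.append(ts)
            users[src].add(user)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                finding = findings.setdefault(src, {"first_seen": q[0], "success_after": False})
                finding["failures"] = len(q)
                finding["distinct_users"] = len(users[src])
        elif event_id == 4624 and src in findings:
            findings[src]["success_after"] = True
    return findings
```

Sources that fail fewer than `threshold` times in the window, such as 198.51.100.4 above, are not flagged, and non-RDP logon types are ignored entirely.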

The research from ESET comes only a week after the company reported a coordinated spear-phishing campaign which leveraged persuasive LinkedIn messaging as its lure.

The LinkedIn messages described a believable job offer, seemingly from a well-known company in a relevant sector. Files were sent directly via LinkedIn messaging or by email containing a OneDrive link.

ESET researchers later discovered that such LinkedIn profiles were fake, and the files sent were malicious.
