Microsoft’s Remote Desktop Protocol (RDP), a popular tool among IT system administrators, is an increasingly attractive method of attack that allows cybercriminals to remain undetected, according to cybersecurity firm Vectra.

RDP, which has been around since 1996, is used by IT system administrators to control and manage remote computers.

However, when these tools are misconfigured, malicious hackers can use them to perform reconnaissance and move around the network undetected before exfiltrating data or delivering a harmful payload.

Between January and June this year Vectra, which uses artificial intelligence to spot suspicious activity on a network, detected 26,800 “suspicious” RDP behaviours among its customers, spread across more than 350 deployments.

According to Vectra, 90% of these organisations showed signs that RDP was being used as an attack method.

“Things like Remote Desktop are so prevalent, and it’s pervasive across industry,” said Chris Morales, head of security analytics at Vectra. “It’s a file-less attack. They’re no longer using malware, they’re no longer doing things that can be discovered. They’re now using backend administrative systems that clearly exist everywhere.”

Because the attack method exploits a legitimate administrative tool, it makes detection more difficult. Or, as Morales puts it: “They’ve managed to reduce the noise of lateral movement from what it used to be.”

RDP: The ransomware risk

Morales added that the exploitation of administrative management tools could be at play in the current spate of ransomware attacks in the US, in which local governments, such as those in Texas, have been crippled.

“The whole thesis I have is that ransomware works because attackers have pivoted to using administrative management tools that exist everywhere,” Morales told Verdict. “And they now know how to tap into that.”

Cybercriminals can use freely available tools to scan for devices with exploitable RDP services and then execute the attack, he explained.

One previously documented RDP exploit is BlueKeep, which was first documented in May this year by the UK’s National Cyber Security Centre. Microsoft has since released patches to mitigate BlueKeep.

Organisations most targeted

The most RDP detections were observed among manufacturing and finance organisations, followed by retail, government and healthcare.

Manufacturing, finance and insurance, and retail accounted for just under half of all RDP detections.

Organisations can defend against RDP attacks by limiting access to remote desktop management and making sure that only those who really need access to it have it. In addition, they can use strong authentication and monitor for suspicious behaviour.
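The third defence above, monitoring for suspicious behaviour, can be illustrated with a small detector over Windows logon events. The following is an added example written for this article, not code from Vectra or from the report it describes. It assumes Windows Security log events 4624 (successful logon) and 4625 (failed logon) exported as JSON lines, uses the fact that LogonType 10 marks an RDP (RemoteInteractive) session, and treats the jump-host network, thresholds and sample events as constructed assumptions. It flags RDP logons from outside the approved jump-host range, repeated failed RDP logons from one source, and a single account opening RDP sessions to many hosts, the lateral-movement pattern the article describes.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample events (not from the article): JSON lines modelled on the
# fields of Windows Security events 4624 (successful logon) and 4625 (failed
# logon). LogonType 10 is RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = """\
{"TimeCreated": "2019-06-01T09:00:00Z", "Computer": "FILESRV01", "EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "10.0.5.20"}
{"TimeCreated": "2019-06-01T09:05:00Z", "Computer": "FILESRV01", "EventID": 4624, "LogonType": 10, "TargetUserName": "bob", "IpAddress": "192.168.77.9"}
{"TimeCreated": "2019-06-01T09:06:00Z", "Computer": "DC01", "EventID": 4624, "LogonType": 10, "TargetUserName": "bob", "IpAddress": "192.168.77.9"}
{"TimeCreated": "2019-06-01T09:07:00Z", "Computer": "SQL01", "EventID": 4624, "LogonType": 10, "TargetUserName": "bob", "IpAddress": "192.168.77.9"}
{"TimeCreated": "2019-06-01T09:10:00Z", "Computer": "WS-104", "EventID": 4624, "LogonType": 3, "TargetUserName": "alice", "IpAddress": "10.0.9.14"}
{"TimeCreated": "2019-06-01T09:12:00Z", "Computer": "FILESRV01", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45"}
{"TimeCreated": "2019-06-01T09:12:03Z", "Computer": "FILESRV01", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45"}
{"TimeCreated": "2019-06-01T09:12:07Z", "Computer": "FILESRV01", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45"}
{"TimeCreated": "2019-06-01T09:12:11Z", "Computer": "FILESRV01", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45"}
{"TimeCreated": "2019-06-01T09:12:15Z", "Computer": "FILESRV01", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45"}
"""

# Assumption: only these networks host approved RDP jump boxes.
APPROVED_RDP_SOURCES = [ipaddress.ip_network("10.0.5.0/24")]
RDP_LOGON_TYPE = 10
FAILED_LOGON_THRESHOLD = 5   # failed RDP logons from one source before alerting
FAN_OUT_THRESHOLD = 3        # distinct hosts one account reached over RDP


def parse_events(text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_approved_source(ip_str):
    """True if the client address falls inside an approved jump-host range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:          # real logs use "-" when no address was recorded
        return False
    return any(ip in net for net in APPROVED_RDP_SOURCES)


def analyse(events):
    """Return a list of findings; each is a dict with a 'kind' and context."""
    findings = []
    seen_unapproved = set()
    failed_by_source = defaultdict(int)
    hosts_by_account = defaultdict(set)

    for ev in events:
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue                       # only RDP sessions are in scope here
        user, src, host = ev["TargetUserName"], ev["IpAddress"], ev["Computer"]

        if ev["EventID"] == 4624:
            hosts_by_account[user].add(host)
            # Alert once per (account, source) pair outside the jump-host range.
            if not is_approved_source(src) and (user, src) not in seen_unapproved:
                seen_unapproved.add((user, src))
                findings.append({"kind": "rdp_from_unapproved_source",
                                 "user": user, "source": src, "host": host})
        elif ev["EventID"] == 4625:
            failed_by_source[src] += 1

    # Many failed RDP logons from one source: password guessing.
    for src, count in failed_by_source.items():
        if count >= FAILED_LOGON_THRESHOLD:
            findings.append({"kind": "rdp_password_guessing",
                             "source": src, "failures": count})

    # One account reaching many hosts over RDP: lateral-movement fan-out.
    for user, hosts in hosts_by_account.items():
        if len(hosts) >= FAN_OUT_THRESHOLD:
            findings.append({"kind": "rdp_fan_out",
                             "user": user, "hosts": sorted(hosts)})

    return findings


if __name__ == "__main__":
    for finding in analyse(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the constructed sample the detector reports three findings: bob's sessions from an address outside the jump-host range, bob's fan-out to three hosts, and five failed RDP logons from 203.0.113.45. Alice's RDP session from the approved range and her network (LogonType 3) logon produce nothing, which is the point of the allowlist: the same logic with the jump-host range left empty would alert on every RDP session and be ignored within a week.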

The findings, published in the Vectra 2019 Spotlight Report on RDP, were based on an analysis of Vectra’s data presented in the 2019 Black Hat Edition of the Attacker Behaviour Industry Report.
