By Chris Morales, head of security analytics at Vectra

Remote Desktop Protocol (RDP) is an invaluable tool for any business wanting to save money and create efficiencies through centrally controlling all its computer assets no matter how far away or isolated. However, such a capability is also a tempting prospect for cybercriminals looking to exploit the system for their own gains, with Vectra research highlighting that malicious RDP behaviors are experienced by nine out of ten organizations.

The research also reveals which industries and size of organizations have the most RDP detections, along with examples of how cybercriminals and state-sponsored actors are using RDP.

Why is RDP so attractive?

Traditionally, a business that wanted to fix issues on its computers that were situated away from its central offices had two choices; either send out engineers to resolve the issue or have them permanently stationed locally. Neither option is ideal with a call out costing in the region of US$2,200, while having an engineer based on a remote site is unlikely to be cost-effective. Further, as more than 60 percent of machine issues can be fixed remotely, it is no wonder more and more companies are turning to RDP. Using the protocol, one engineer can do the work of a whole team without the need to leave a central control room through being able to potentially access and control every computer on the network.

However, it is this very capability that makes infiltrating an organization’s RDP so attractive for threat actors, enabling them to cause chaos without being detected. No wonder the FBI has warned that such activity has been on the rise since mid-late 2016.

Industries under threat

According to our research, manufacturing was the most targeted sector for malicious RDP behaviors, accounting for 20 percent of incidents monitored across nine industries, followed by finance and retail. Manufacturing also accounted for the highest number of RDP Recon and Suspicious Remote Desktop activities observed.

An RDP Recon incident is when several failed attempts to establish an RDP connection are detected, potentially indicating that a threat actor is trying to access a system using different login combinations or is looking to identify active accounts. Conversely, Suspicious Remote Desktop is activated when unusual characteristics are detected following a successful RDP connection, such as an RDP server that is usually logged into using English keyboard inputs, is accessed by someone using a German keyboard.

In relation to the size of an organization experiencing RDP attacks, medium manufacturing firms topped the list with large manufacturing businesses also making the top ten. Medium retailers and medium financial institutions also witnessed high levels of malicious RDP behavior. As a whole, medium organizations experienced the most RDP detections with 6.9 per 10,000 workloads or devices, small organizations had 6.5, while large businesses had 4.5.

There are two factors worth considering when looking at these numbers. First is that the size of the company in relation to the number of employees is not indicative of a number of devices. For example, manufacturing has significantly more connected devices than workers. The second is that larger organizations are likely to have greater resources focused on countering cyber threats.

Using RDP to attack

RDP has been used in many cyberattacks recently, the most notable of which is SamSam. This hacking and extortion scheme affected more than 200 organizations, enabling the perpetrators to amass US$6 million in ransom payments and inflict US$30 million of damage. Through RDP the threat actors were able to carry out privilege escalation, malware infection and execute files without user authorization or action.

State-sponsored actors are also using RDP to commit espionage and sabotage. Take APT40, a threat actor cell identified by FireEye as supporting China’s naval ambitions for modernization. The group uses RDP to move laterally through the networks of organizations involved in the development and production of naval technologies to steal data, carry out reconnaissance and execute malware.

FireEye research also points to a threat actor group using RDP to carrying out clandestine operations on behalf of Iran, called APT39. The group leverages RDP against targets in the Middle East, Europe, and the United States to facilitate movement and long-term access to a network to gather information and cause sabotage.

Mitigating the risk of RDP attacks

While there are significant risks of threat actors maliciously using RDP to gain access to a network, businesses around the world find it invaluable for their day-to-day operations, seeing the benefits far outstripping any danger.

Therefore, those continuing to use RDP must look to mitigate these risks. This can be achieved through limiting RDP access to only those that need to use it and employing strong credential and authentication policies. This includes stipulating that employees must use their own unique username and password when accessing the RDP. Such a move should ensure that unauthorized people do not get their hands on RDP credentials and help to identify the source of any cyberattack.

To further protect their networks, businesses need to be able to quickly detect and deal with those cyberattacks that target RDP. This can be achieved by putting in place solutions that can monitor remote access behaviors to determine whether or not the network has been infiltrated and then enable a response if necessary.

In this way, a business can be sure that their useful RDP tool continues to benefit them instead of being used as an attack vector by cybercriminals.

About the Author

Chris Morales, head of security analytics at Vectra.  Christopher Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.

Chris can be reached online at and at our company website