In a recent post, Microsoft offered some details on RDP brute-force attacks. According to Redmond, the average attack time for RDP's is 2-3 days, while only 0.08% of attacks are successful. Microsoft's information follows a study the company has conducted to find how RDP brute-force attacks harm the enterprise market.
To achieve its results, Microsoft collected data from RDP login events across over 45,000 workstations that have the company's Defender Advanced Threat Protection on board. To get a clear picture of the RDP landscape, the company looked at both successful and failed events.
Remote Desktop Protocol (RDP) is a Windows tool that provides users with the ability to login to a remote computer. They can do this through a public IP address.
Organizations use RDP because it allows system admins to manage in-field machines remotely. Bad actors have increasingly found ways to exploit RDP and conduct attacks on Windows.
Such brute force attacks involve using automated malware tools that filter through username and password combinations. The goal is the attack to guess the target's login credentials. As you might expect, this is something of a lottery, which is why only 0.08% of attacks are successful.
When attacks are successful, it's usually because of two reasons: The user's information is too easy to guess or the credentials have been leaked through a previous breach and not updated.
According to Microsoft, RDP brute-force attacks last on average 2-3 days (around 90% under a week), and 5% for more than two weeks. This suggests attackers are will to play a long game in an effort to find credentials. Interestingly, hackers are only trying a few credential combinations per hour instead of bombarding a system.
“Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about .08% were compromised,” Microsoft said.
“Furthermore, across all enterprises analyzed over several months, on average about 1 machine was detected with high probability of being compromised resulting from an RDP brute force attack every 3-4 days,” the Microsoft research says.
“A key takeaway from our analysis is that successful brute force attempts are not uncommon; therefore, it's critical to monitor at least the suspicious connections and unusual failed sign-ins that result in authenticated sign-in events.”