How Attackers Enter Remote Desktops & How to Get Safe?

by | Nov 27, 2022

New research has identified a large rise in the number of attacks targeting the Microsoft Remote Desktop Protocol (RDP) during the Covid-19 pandemic.

Businesses have gradually switched to Microsoft RDP as a way to help employees operate from home, with a device that allows remote staff to log in to their office computers and access business networks.

Consequently, the number of RDP ports linked to the Internet spiked almost from three million in January to four and a half million by the end of March this year, according to a recent study. However, this growth also led to a sharp increase in the number of dark web markets selling RDP credentials online.

What is RDP?

If you’re concerned about the RDP hack, it’s important to know what RDP is and whether your organization is already using it. RDP stands for Remote Desktop Protocol and is a remote-desktop platform that is pre-installed on all Windows PCs.

Companies ranging in scale from a handful of workers to thousands, all use RDP on a daily basis – most often for day-to-day operations. As Windows computers are the recommended devices in most industries, RDP is a widely used method for many companies.

Whether businesses use RDP to provide remote support or share files and data remotely, Microsoft’s RDP is a remote desktop preferred solution for many, precisely because it comes automatically installed. As a Microsoft-only product, RDP has some drawbacks when people and employees on your network are using Mac, iOS, or Linux devices (if you’re looking for more flexibility, check out Netop’s RDP alternative). But the biggest problem with RDP is how popular it is.

Hacking the RDP service of Microsoft

The Microsoft RDP service is allowed through the Microsoft Terminal Services Client (MSTSC) which then specifically loads the “mstscax” DLL from the “C:\Windows\System32” folder without providing necessary verification. As a result, attackers will overwrite this DLL with a malicious one when they have the Windows system administrator privileges, they need.

Another way to implement the attack is to drop the legitimate executable “mstsc.exe” in another user folder together with the malicious “mstscax” DLL. The executable does not use the complete path to load the dynamic library, so the DLL placed in the same folder with the dependent executable will be loaded first in compliance with the Windows search command mechanism. This strategy is close to that of DLL Side Loading and is known as DLL Search Order Hijacking.

For instance, in 2013, the DLL Side Load attack had been used in a nation-state cyber-attack against Pakistan, while Google Updater (a Google utility for downloading and upgrading Google Pack, a Google Bundle, and third-party applications and utilities) was used to load a malicious version of the “goopdate” DLL in the same folder. Upon executed by Google Updater, the evil “goopdate” DLL is decrypted and ran Win32/Darkshell.D backdoor on the victim’s device.

In both cases, executable loaders (mstsc.exe, GoogleTool.exe) were digitally signed by Microsoft and Google, helping attackers to circumvent antivirus defences.

The DLL Side Loading technique is known to be used by a number of malicious state-sponsored hacking groups to mount Advanced Persistent Threat (APT) attacks, including APT3 (attributed to China’s Ministry of State Security), APT19 (Chinese-based Threat Group), APT32 (Vietnam-based OceanLotus Group), and APT41 (another Chinese state-sponsored espionage group) as well as the famous PlugX Remote Processing.

Why is it hard to detect RDP hacks?

RDP is a network protocol that allows a person to remotely control a device that is connected to the Internet. The remote person sees something on the computer screen that they control, and their keyboard and mouse behave like those physically connected to the remote computer. For remote desktop connections to be created, local and remote machines need to be authenticated by username and password. Cyber players will penetrate the link between the machines and inject malware or ransomware into the remote device. Attacks using the RDP protocol do not require input from the user, making intrusions harder to detect.

What would you do to mitigate the danger of RDP and protect your organization?

How do you reduce the chances of an intruder possessing your network by RDP? Here are a few tips:

Utilize your remote desktop gateway

Make use of a bridge between the public internet and your internal RDP-enabled computers. The Windows Server Remote Desktop Gateway supports SSL/TLS connections over port 443 and relays remote sessions securely to internal devices.

Strengthen your passwords

Manual attackers and software will brutally force weak passwords to gain entry. Install a strict password policy before RDS is enabled.

Consider using the Firewall

Blocking access to port 3389 with a firewall offers another layer of security for those who do not use RDP at all. If a wrongly configured computer has a port opened by accident, then this network-level defence is a fair point.

Use Authentication at Network Level

This functionality, which is switched on by default in modern versions of Windows and Windows Server, requests additional authentication before connecting to a remote computer.

Limit the Access

Removing RDP across the organization might not be suited to many administrators, particularly as remote desktop port use spiked during the COVID-19 crisis. Limiting access will benefit businesses facing this issue. By default, you leave the access available to all users when only a subset is needed to increase the attack surface. Instead, switch off RDP access for those who do not need it, particularly when dealing with administrator privileges.

How does Teceze help prevent attacks from RDP?

Teceze offers a range of other cybersecurity services and can help conduct vulnerability assessments and penetration tests on your network and computers. If we discover any weaknesses, then a mitigation plan will be created for each of them and outlined in a study. We are also available to assist in the implementation of the proposed mitigation strategy.

New research has identified a large rise in the number of attacks targeting the Microsoft Remote Desktop Protocol (RDP) during the Covid-19 pandemic. Businesses have gradually switched.How Attackers Enter Remote Desktops & How to Get Safe?

How to get Microsoft Defender Health on Mac Fleet

Managing Macs for multiple companies gives us the opportunity to work in various environment and detect issues where it occurs first & then implement a solution for all others at the same time. Recently there was a requirement to find if there are MDD instances...

Implementing Machine Learning in IT Support Setup

Machine learning has the potential to revolutionize the way IT support businesses operate. This cutting-edge technology can be applied in a number of ways to improve the efficiency, accuracy, and speed of IT support services. Here are some ways that machine learning...

Benefits of Apple Business Managers

Apple Business Manager is a web-based platform designed to streamline the process of purchasing, deploying, and managing Apple devices within a business organization. It allows IT administrators to manage and distribute Apple devices and apps to their employees,...

Adoption of Macs in Enterprise: A Growing Trend

This image belongs to In recent years, there has been a growing trend of enterprises adopting Macs as their primary desktop and laptop computers. This shift in technology can be attributed to several factors, including...

ESG as future of IT

ESG, or environmental, social, and governance, is becoming increasingly important in the field of IT. As technology continues to advance and play a larger role in our daily lives, companies are being held to higher standards in terms of their impact on the environment...

Secure Your Mac with FileVault

FileVault is a built-in encryption tool for Macs that helps protect your data from unauthorized access by encrypting your hard drive. Enabling FileVault is a simple process that only takes a few minutes, and it can give you peace of mind knowing that your data is safe...

Is outsourcing IT to India is better or keeping it inhouse?

There are pros and cons to both outsourcing IT services to India and keeping IT within the company. Ultimately, the decision to outsource or keep IT in-house will depend on the specific needs and goals of the company, as well as the resources and capabilities...

How to be a good SCRUM Master

In an Agile development team, the Scrum Master is a crucial role that helps the team to work effectively and efficiently. A Scrum Master is responsible for facilitating the team's use of the Scrum framework and ensuring that the team is able to deliver high-quality...

Basics of Enterprise Patch Management

Enterprise patch management is the process of ensuring that all the software and applications within an organization are kept up-to-date with the latest patches and updates. This is important because software and applications are constantly being improved and updated...

Cost saving for enterprises by choosing M1 Macs

The M1 Mac has had a significant impact on the enterprise market since its release. As a highly-efficient and powerful machine, the M1 Mac has proven to be a valuable asset to businesses in a variety of industries. One of the key benefits of the M1 Mac is its improved...

CRM Is A Process, Not A Product! How Can We Make CRM A Successful Tool?

CRM (Customer Relationship Management) is software that allows businesses to manage business relationships and information associated with them. It provides a platform that manages interactions with customers, stores information about them, and automates processes...


Digital Workplace Services

Automated Tasks

 Office IT Support

Intune for Win & Mac

Citrix Virtual Apps

Mac Win iOS Android

Mac & Win Trained