The How and Why of Remote Desktop Protocol (RDP) Attacks

Estimated read time 6 min read

If you work in IT or cybersecurity, you’re likely familiar with Remote Desktop Protocol (RDP). This useful tool has made remote work and system management a breeze. However, the convenience of RDP also brings with it a significant threat: RDP attacks. Cybercriminals increasingly exploit this protocol to gain unauthorized access, causing substantial security concerns.

Understanding RDP Attacks

RDP attacks occur when malicious actors take advantage of vulnerabilities in the RDP, gaining unauthorized access to systems and networks. Designed to provide seamless remote access to network computers, RDP has unfortunately become a playground for attackers, providing a direct route to infiltrate and manipulate networks.

Why RDP Attracts Attackers

For cybercriminals, RDP is an attractive target due to its widespread use and the control it provides over systems. An attacker who successfully breaks into an RDP session can gain control over an entire system. This could allow them to steal sensitive data, install harmful software, or disrupt network operations.

Why RDP Attracts Attackers
Why RDP Attracts Attackers

The Escalation of RDP Attacks

With the surge in remote working due to recent global events, RDP usage has soared. As a result, so have the number of attacks exploiting this protocol. RDP attacks are now a common threat, emphasizing the urgent need for organizations to secure their RDP endpoints.

High-Profile RDP Breaches and Their Impact

Remote Desktop Protocol (RDP) services, such as Microsoft’s Remote Desktop Services, Google’s Chrome Remote Desktop, and Apple’s Remote Desktop, are incredibly useful tools. However, when they are breached, the consequences can be severe. Here are three examples of RDP breaches that had a significant impact on companies.

Microsoft Remote Desktop Services

In 2019, the city of Baltimore was hit by the infamous RobbinHood ransomware. The attack, which leveraged a vulnerability in Microsoft’s RDP, crippled the city’s IT infrastructure, shutting down email services, online bill payments, and other critical services. This breach resulted in damages estimated at over $18 million, showing how devastating an RDP attack can be.

BianLian Ransomware Targets RDP

BianLian, a ransomware strain initially known as a banking Trojan, has been seen shifting its focus to target RDP services. It uses brute force attacks to exploit weak credentials, leading to unauthorized access, data encryption, and ransom demands.

Albany ENT & Allergy Services, a healthcare provider in Albany, New York, disclosed a significant data breach after it got hit by the BianLian ransomware. This incident affected over 200,000 individuals, leading to the exposure of their sensitive personal information.

How Do RDP Attacks Happen?

Understanding the “how” behind RDP attacks is crucial to protecting your network. Here’s how these attacks typically occur:

1. Brute Force Attacks: This is the most common method used in RDP attacks. Here, cybercriminals attempt numerous combinations of usernames and passwords until they find the right one. The more simple and common the password, the quicker it is for the attacker to gain access.

2. Exploiting Vulnerabilities: Attackers exploit known weaknesses in outdated RDP software. These vulnerabilities can provide a backdoor into your system if the software isn’t kept up-to-date with patches and updates.

3. Credential Theft: In this scenario, attackers steal RDP login credentials through methods such as phishing, allowing them direct access to the network.

4. Man-in-the-Middle Attacks: Here, the attacker intercepts communication between two parties and can alter or control the communication, gaining unauthorized access to sensitive information.

Securing Your Network Against RDP Attacks

You can adopt several strategies to protect your network:

1. Keep Up with Updates and Patches: Always ensure your software is up-to-date. Many RDP attacks exploit known vulnerabilities that software updates and patches can resolve.

2. Activate Network Level Authentication (NLA): NLA provides an additional layer of authentication before a session is established, mitigating the risk of brute force attacks.

3. Implement Strong Passwords: Use robust, unique passwords and consider implementing multi-factor authentication for additional security.

4. Restrict Access: Allow RDP access only to those who require it, and consider using a Virtual Private Network (VPN) and 2FA for added security.

5. Monitor and React: Regularly check your systems for any suspicious activities and have a response plan ready for any potential RDP attacks.

Commonly Used Ports for RDP
Commonly Used Ports for RDP

The Role of Pentesting in RDP Security

Penetration Testing (Pentesting) plays a significant role in assessing RDP security. It provides an in-depth review of your security measures by simulating real-world attacks.

Here’s how pentesting can help:

Identify Vulnerabilities

Pentesters will try to exploit vulnerabilities in your RDP setup, just like a real attacker would. This helps to identify potential weaknesses before they can be exploited in a real attack.

Test Security Policies

Your organization might have various security rules in place for RDP. Pentesting can test these policies under real-world conditions to see if they hold up.

Verify System Configuration

During a pentest, the configuration of your RDP systems can be thoroughly evaluated. This can help identify any misconfigurations that could leave you vulnerable.

Strengthen Incident Response

By observing how your system responds during a pentest, you can assess and improve your incident response strategies.

How Criminals Find and Target RDP Services

How Criminals Find and Target RDP Services
How Criminals Find and Target RDP Services

Understanding how cybercriminals locate RDP services can help you protect against potential attacks. They typically use a variety of tools, including Shodan, web crawlers, and port scanners. Here’s what you need to know:


Often dubbed the “search engine for the internet of things”, Shodan is a popular tool for cybersecurity professionals. It can easily find servers running RDP by searching for specific ports or keywords. To protect against being found by Shodan, ensure your RDP services aren’t publicly exposed, and secure your network with firewalls.

Web Crawlers

Cybercriminals use automated web crawlers or bots to search for RDP endpoints. These bots scan vast areas of the internet to identify potential targets. Preventing indexing by these bots and concealing your service behind VPNs can help shield your network from such threats.

Port Scanners

Tools like Nmap are used to scan for open ports, including the default RDP port (3389). If your RDP is running on this default port, it could be an easy target. Changing the default RDP port and applying robust firewall rules can make it harder for port scanners to find your service.

Dark Web Forums and Marketplaces

Cybercriminals often share or sell information about potential RDP targets on these platforms. Regular monitoring of these platforms, where feasible, can help you know if your information is being shared.

Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author