Protect Workloads Utilizing RDP in AWS from Increasingly Common Brute Force Attacks

By Maya Levine, Technical Marketing Engineer

As businesses rush to scale up existing workloads or bring up new solutions to support their newly remote workforce, threat actors are shifting their attention to these same systems. One notable example is RDP (Remote Desktop Protocol), the popular application-level protocol for accessing Windows workstations and servers. According to researchers at Kaspersky, the number of brute-force attacks against exposed RDP services has skyrocketed around the world since the beginning of March 2020.

Growth in the number of RDP brute-force attacks (Kaspersky)

Brute-force attacks involve an attacker systematically trying all possible options for the RDP username and password until one combination lets them log in. Attackers can use previously leaked credentials or try different combinations of random characters. Once they land on the correct username/password pair, they have remote access to the target system inside the network.

The researchers at Kaspersky explained, “Brute-force attackers are not surgical in their approach, but operate by area. As far as we can tell, following the mass transition to home working, they logically concluded that the number of poorly configured RDP servers would increase, hence the rise in the number of attacks.”

It is important to note that RDP is not the only remote-access protocol to worry about in public cloud environments. Kaspersky researchers have also found 37 vulnerabilities in various clients for the similar VNC protocol.

If you host workloads that use RDP in AWS, you can take advantage of CloudGuard Dome9’s Dynamic Access Lease feature to protect them. Instead of attaching a security group to the instance with a standing inbound rule that allows RDP access, Dynamic Access Lease lets AWS cloud servers and other resources stay almost hermetically closed. It opens tiny, temporary security “holes” for specific activities only when they are needed, and it provides a full audit trail of all access to and changes of the resource.

How Dynamic Access Leasing Works

Access to resources is granted to specific users through specific Service Groups (for example, SSH, Remote Terminal, or RDP). A Lease is a one-time access contract that gives a designated user access to a service for a given period of time.

Leases can be activated for specific IP addresses or CIDRs in the Dome9 client, or offered via an emailed link. When the Dynamic Access email recipient clicks on the link, an Access Lease is activated from the recipient’s current public IP address (/32) for the specific service(s) or port(s) specified in the lease. Activating the lease creates one temporary Security Group inbound rule for each inbound port or contiguous port range selected for Dynamic Access.

How Dynamic Access Leasing Can Protect Against Brute Force Attacks

In essence, Dynamic Access Leasing lets you close off your sensitive resources in the cloud. Using RDP as an example, there is no need for a standing rule in the Windows server’s security group that leaves the server open to RDP. Instead, with Dynamic Access, a rule is added only for the specific IP address of the employee who needs access, and only for a limited amount of time. Once the access lease expires, the rule is automatically removed.

This means that even if attackers manage to brute force the username/password for the RDP service, they cannot reach the Windows server, because they are not connecting from the leased IP address. In addition, every access to the server is audited, so you can see exactly who connected to it. Access Leases reduce the attack surface by shrinking the set of IP addresses that can reach the service from the whole internet to a small, explicit group. They also reduce the success rate of brute-force attacks by dramatically shortening the window during which an attacker or bot can even find your RDP service.
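The lease mechanism described above, modelled in Python as an added example (this is not CloudGuard Dome9’s code). It builds the single /32, time-limited inbound rule a lease activation would add, lists the rules to revoke once leases expire, and flags the weak setting the text argues against (RDP reachable from 0.0.0.0/0). The rule dicts follow the IpPermissions shape that boto3’s authorize_security_group_ingress and revoke_security_group_ingress accept, but no AWS call is made; the sample security group and clock are constructed.

```python
"""Added example (not CloudGuard Dome9's code): model a Dynamic-Access-style
RDP lease as AWS security group rules. A lease is one temporary inbound rule
scoped to the requester's IPv4 address (/32) for the leased port, revoked at
expiry. Dicts use the IpPermissions shape that boto3's authorize_ and
revoke_security_group_ingress accept; no AWS call is made here."""
from datetime import datetime, timedelta, timezone
import ipaddress

RDP_PORT = 3389
WORLD_CIDR = "0.0.0.0/0"
SAMPLE_NOW = datetime(2020, 4, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock


def lease_rule(public_ip, port, minutes, now):
    """Return (ip_permission, expires_at) for one lease activation."""
    # IPv4Address() rejects "a.b.c.d/24"-style input, so a lease cannot widen
    # beyond a single address; the rule is always written as /32.
    addr = ipaddress.IPv4Address(public_ip)
    expires_at = now + timedelta(minutes=minutes)
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": f"{addr}/32",
                          "Description": f"lease until {expires_at.isoformat()}"}]}
    return rule, expires_at


def expired_rules(leases, now):
    """Rules whose lease has lapsed; these go to revoke_security_group_ingress."""
    return [rule for rule, expires_at in leases if expires_at <= now]


def world_exposed(ip_permissions, port=RDP_PORT):
    """Detect the weak setting: `port` reachable from 0.0.0.0/0."""
    hits = []
    for perm in ip_permissions:
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        # IpProtocol "-1" (all traffic) carries no port keys, so it matches any port
        if perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            hits += [r["CidrIp"] for r in perm.get("IpRanges", [])
                     if r["CidrIp"] == WORLD_CIDR]
    return hits


# Constructed sample: the weak "RDP open to the whole internet" security group.
OPEN_SG = [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]

if __name__ == "__main__":
    print("open SG exposed from:", world_exposed(OPEN_SG))            # ['0.0.0.0/0']
    rule, exp = lease_rule("203.0.113.7", RDP_PORT, 60, SAMPLE_NOW)  # TEST-NET-3 addr
    print("lease rule exposed from:", world_exposed([rule]))         # []
    print("revoke at expiry:", expired_rules([(rule, exp)], exp))    # [rule]
```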
