Sophos is seeing a trend where attackers perform brute force attacks against users' passwords over Remote Desktop Protocol (RDP). Once an RDP password is guessed, the attacker has complete access to and control of the victim's computer, and this technique has repeatedly been used as a method to deliver ransomware into an environment.
RDP is a legitimate method for allowing a remote user to connect to a computer inside your network; it effectively turns that computer into a remote screen. When the remote user moves their mouse in the RDP client software, they are controlling the computer on your network; when a software dialog pops up on it, they see it on their own computer. RDP is like being right there at the keyboard, and it allows remote use of any application, even fully-graphical applications that can't be scripted or operated from a command prompt.
In other words, the RDP password you’ve chosen for your remote user (or that you’ve let them choose for themselves) is essentially the key to your office – a weak password is like a server room door that’s propped open, inviting any passing snooper to take a look inside.
Applies to the following Sophos products and versions: Sophos Firewall
On the Sophos XG Firewall, there are two methods to avoid RDP brute force attacks: use a remote access VPN, or allow-list the IP addresses that are permitted to connect to RDP.
The first method is to use a VPN; this allows administrators to limit RDP connections to authenticated users who have first connected with the VPN, so the RDP service is never exposed directly to the internet.
For more information on how to configure a VPN for remote users see Sophos XG Firewall: How to configure SSL VPN remote access.
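As an added illustration of the two methods above (not Sophos code, and not using any Sophos API), the following plain-Python model evaluates a first-match firewall rule table against sample RDP connection attempts. It places the weak policy (TCP/3389 allowed from anywhere, which is what a brute force attacker needs) beside the hardened one, where 3389 is reachable only from the VPN client pool or an explicit allow-list and everything else is dropped. The VPN pool, the allow-listed addresses and the connection attempts are constructed assumptions for the demo.

```python
"""Model of an RDP allow-list policy: first-match rules, implicit default deny.

Added example, not Sophos code. Addresses below are constructed test values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

RDP_PORT = 3389


@dataclass(frozen=True)
class Rule:
    name: str
    sources: List[IPv4Network]  # empty list means "any source"
    dst_port: Optional[int]     # None means "any destination port"
    action: str                 # "allow" or "deny"

    def matches(self, src_ip: str, dst_port: int) -> bool:
        ip = ip_address(src_ip)
        port_ok = self.dst_port is None or self.dst_port == dst_port
        src_ok = not self.sources or any(ip in net for net in self.sources)
        return port_ok and src_ok


def evaluate(rules: List[Rule], src_ip: str, dst_port: int) -> str:
    """Return the action of the first matching rule; deny if nothing matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return "deny"  # implicit default deny at the end of the table


# Constructed assumptions: the SSL VPN client address pool and two admin sources.
VPN_POOL = ip_network("10.81.234.0/24")
ADMIN_ALLOW_LIST = [ip_network("203.0.113.10/32"), ip_network("198.51.100.0/29")]

# Weak setting: RDP published to the whole internet.
WEAK_POLICY = [Rule("rdp-from-anywhere", [], RDP_PORT, "allow")]

# Corrected setting: RDP only via the VPN pool or the allow-list, then an
# explicit deny so a later, broader rule cannot accidentally re-open it.
HARDENED_POLICY = [
    Rule("rdp-from-vpn", [VPN_POOL], RDP_PORT, "allow"),
    Rule("rdp-from-allow-list", ADMIN_ALLOW_LIST, RDP_PORT, "allow"),
    Rule("rdp-deny-rest", [], RDP_PORT, "deny"),
]

# Constructed sample connection attempts (source IP, destination port).
ATTEMPTS: List[Tuple[str, int]] = [
    ("10.81.234.7", RDP_PORT),     # user connected through the VPN
    ("203.0.113.10", RDP_PORT),    # allow-listed admin address
    ("198.51.100.3", RDP_PORT),    # inside the allow-listed /29
    ("198.51.100.200", RDP_PORT),  # outside the /29
    ("192.0.2.55", RDP_PORT),      # random internet host (brute force source)
]


def decisions(policy: List[Rule], attempts: List[Tuple[str, int]]) -> Dict[str, str]:
    """Map each source IP to the policy's decision for its attempt."""
    return {ip: evaluate(policy, ip, port) for ip, port in attempts}


def main() -> None:
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label} policy:")
        for ip, action in decisions(policy, ATTEMPTS).items():
            print(f"  {ip}:{RDP_PORT} -> {action}")


if __name__ == "__main__":
    main()
```

The point of the trailing explicit deny is that firewall rule tables are evaluated top-down; without it, any broader allow rule placed later in the table would silently reopen RDP to the sources the allow-list was meant to exclude.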