Remote Desktop is a big vulnerability

Maybe you use Microsoft’s Remote Desktop feature to connect to your workstation at work from…anywhere. Remote Desktop has been in Windows for 20 years at no extra cost. The network administrator at my target reviews the workstation’s logs through Windows’ Event Viewer. This screenshot is from my research honeypot.

 

Attackers see Remote Desktop is open. They pound away until they stumble across a password that works

Attackers see Windows’ Remote Desktop is open. They pound away until they stumble across a password that works

Someone is trying to login to this virtual machine at a ferocious pace

The unlucky soul who has to read these logs finds login attempts are international. My perusal shows login attempts from five IP addresses:

211.72.1.31 in Taipei, Taiwan
24.142.48.215 in Dartmouth, Canada
87.147.195.55 in Olching, Germany
47.185.77.29 in Keller, Texas
91.234.125.163 is in Sosnicowice, Poland

Assuming it is one hacker who either employed a botnet (a series of computers simultaneously tasked with a large task) or is running multiple VPN connections; he will eventually succeed. He is trying to login with user accounts Administrator, win and userid60307. He will eventually succeed when:

1. Administrator, win or userid60307 use one of the simple passwords from page 17 of https://howhackshappen.com.
2. The hacker stumbles across the correct password in his wordlist.
3. Assuming Daphne Prancer uses this workstation, the hacker tries logging in as Daphne with the password 2018Prius (also from https://howhackshappen.com).

Get ready for some math

This attack may go indefinitely. “How ferocious is this attack?” you may ask. Get ready for some math. I counted how many times Event ID 4625 occurred in one minute. The answer is…105. Yes, I counted 105 failed logins within 60 seconds. Do the math and you’ll find a rate of 151,200 failed login attempts a day. Do more math and you’ll find a rate of 55,188,000 attempts a year. The hacker will eventually succeed. I did not launch this attack. I checked the logs and found someone else is doing my work for me.

Content from How Hacks Happen and how to protect yourself. Visit https://howhackshappen.com and view three chapters online for FREE today or visit https://www.amazon.com/How-Hacks-Happen-protect-yourself/dp/0983576920/. By Mark Anthony Germanos, of https://cybersafetynet.net/about-cyber-safety-net/.

Tags: ,