
Kaspersky says remote desktop attacks decline in SEA in 2022

With most of the workforce returning to their offices, remote desktop attacks against workers in Southeast Asia (SEA) dropped significantly, according to cybersecurity solutions company Kaspersky.

Based on the company’s telemetry data, Kaspersky’s B2B solutions have blocked a total of 75,855,129 Bruteforce.Generic.RDP incidents targeting companies in SEA last year. That is a 49% drop from 2021’s 149,003,835 Bruteforce attacks. The decline in quantity has been observed across all six countries in SEA. 

In terms of the share of Bruteforce attacks last year, companies in Vietnam, Indonesia, and Thailand were targeted the most.


“It is too early for businesses to proclaim total safety from Bruteforce attacks,” said Yeo Siang Tiong, general manager for Southeast Asia at Kaspersky. “Looking at the wider threat landscape, our experts see more modern ransomware groups exploiting RDP to gain initial access to the enterprise they are targeting. It’s a red flag that security teams should pay close attention to.”

RDP attacks

Remote Desktop Protocol (RDP) is Microsoft’s proprietary protocol, which provides a user with a graphical interface to connect to another computer through a network. RDP is widely used by both system administrators and less-technical users to control servers and other PCs remotely.

Bruteforce attacks attempt to find a valid RDP login/password pair by systematically checking all possible passwords until the correct one is found. A successful attack allows an attacker to gain remote access to the targeted host computer.
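The pattern described above is visible on the defender's side as a burst of failed logons from one source address. The following Python script is an added example, not code from the article or from Kaspersky: it scans Windows Security log records for RDP brute forcing, relying on two facts about Windows logging (Event ID 4625 is a failed logon, Event ID 4624 a successful one, and logon type 10 marks a Remote Desktop session). The CSV-style records, the threshold and window values, and all addresses and usernames are constructed sample data for the example.

```python
"""Added example (not from the article or Kaspersky): flag RDP brute-force
activity from Windows Security log records.

Windows logs a failed logon as Event ID 4625 and a successful logon as
Event ID 4624; logon type 10 (RemoteInteractive) marks Remote Desktop.
A brute-force attempt appears as many 4625/type-10 events from one source
address inside a short window, and a 4624 from the same source right after
such a burst is the sign that a password was found.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), one per line:
# timestamp, event_id, logon_type, target_user, source_ip
SAMPLE_EVENTS = """\
2022-03-01T08:00:01,4625,10,administrator,203.0.113.7
2022-03-01T08:00:02,4625,10,admin,203.0.113.7
2022-03-01T08:00:03,4625,10,root,203.0.113.7
2022-03-01T08:00:04,4625,10,test,203.0.113.7
2022-03-01T08:00:05,4625,10,guest,203.0.113.7
2022-03-01T08:00:06,4625,10,backup,203.0.113.7
2022-03-01T08:00:09,4624,10,backup,203.0.113.7
2022-03-01T08:05:00,4625,10,jdoe,198.51.100.4
2022-03-01T08:05:30,4625,10,jdoe,198.51.100.4
2022-03-01T08:06:00,4624,10,jdoe,198.51.100.4
2022-03-01T08:10:00,4625,10,svc,192.0.2.9
2022-03-01T08:20:00,4625,10,svc,192.0.2.9
2022-03-01T08:30:00,4625,10,svc,192.0.2.9
2022-03-01T08:40:00,4625,10,svc,192.0.2.9
2022-03-01T08:50:00,4625,10,svc,192.0.2.9
2022-03-01T09:00:00,4625,10,svc,192.0.2.9
2022-03-01T09:01:00,4625,2,console,10.0.0.5
2022-03-01T09:01:01,4625,2,console,10.0.0.5
2022-03-01T09:01:02,4625,2,console,10.0.0.5
2022-03-01T09:01:03,4625,2,console,10.0.0.5
2022-03-01T09:01:04,4625,2,console,10.0.0.5
2022-03-01T09:01:05,4625,2,console,10.0.0.5
"""


def parse_events(text):
    """Turn the CSV-style sample into a list of dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "source_ip": ip,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for every source that produced at least
    `threshold` failed RDP logons inside any `window`-long sliding window.

    The alert carries the peak count, the usernames tried, the time span of
    the burst and whether a successful RDP logon from the same source
    followed the burst (the case that needs immediate response).
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:          # only Remote Desktop sessions
            continue
        if e["event_id"] == 4625:
            failures[e["source_ip"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["source_ip"]].append(e)

    alerts = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end, ev in enumerate(fails):
            # Slide the window start forward until the span fits in `window`.
            while ev["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue                        # slow or isolated failures: no alert
        count, start, end = best
        last_fail = fails[end]["ts"]
        alerts[ip] = {
            "count": count,
            "users": sorted({e["user"] for e in fails[start:end + 1]}),
            "first": fails[start]["ts"],
            "last": last_fail,
            "success_after": any(s["ts"] >= last_fail for s in successes.get(ip, [])),
        }
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        flag = "SUCCESSFUL LOGON FOLLOWED BURST" if a["success_after"] else "no success seen"
        print(f"{ip}: {a['count']} failed RDP logons, users={a['users']}, {flag}")
```

With the sample data only 203.0.113.7 is flagged: the two failures from 198.51.100.4 look like a mistyped password, the six failures from 192.0.2.9 are spread over fifty minutes and never exceed the threshold inside one five-minute window, and the burst from 10.0.0.5 is logon type 2 (local console), so it is outside this detector's scope. Lowering the threshold catches slower attempts at the cost of more noise, and the `success_after` flag is what turns an alert into an incident.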

A recent Kaspersky report revealed the most popular techniques for gaining initial access among ransomware groups. Exploiting external remote services came up as the most common for the ransomware groups analyzed.

According to Kaspersky, all eight ransomware groups covered in the report, most of which operate as RaaS (Ransomware as a Service) — Conti, Pysa, Clop (TA505), Hive, Ragnar Locker, Lockbit, BlackByte, and BlackCat — use valid accounts, stolen credentials, or Bruteforcing to get into a victim’s network.


The report also notes all of the ransomware groups used open RDP to gain initial access to the system as this is the easiest vector for initial access.

Kaspersky advises enterprises to use a VPN and “properly configure it.” It is also very important to use strong passwords.

To reduce the risk and impact of a ransomware attack that begins with RDP Bruteforcing, Kaspersky experts also suggest deploying a comprehensive defensive concept, such as the Kaspersky Extended Detection and Response (XDR) platform, that equips, informs, and guides the security team in its fight against the most sophisticated and targeted cyberattacks.
