Top 10 Passwords Hackers Exploit to Access RDP – Is Your Password Vulnerable?

A recent study conducted by the Specops research team highlights the ongoing exploitation of weak passwords by cybercriminals targeting Remote Desktop Protocol (RDP) ports. The research revealed over 85 million compromised passwords that will be integrated into Specops’ Breached Password Protection service, sourced from a combination of honeypot networks and threat intelligence.

RDP, a protocol developed by Microsoft, facilitates remote connections to computers over a network, with port 3389 (TCP/UDP) designated as its default communication channel. Cybercriminals frequently target RDP ports since they are commonly utilized for remote access in various business operations, including remote work, system maintenance, and troubleshooting. This accessibility presents an easy entry point for attackers, who often resort to brute force and password-spraying attack strategies, resulting in numerous failed login attempts.
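Both attack styles mentioned above leave bursts of failed logons, but with different shapes: brute force repeats against one account, while spraying walks across many accounts from the same source. The following detection sketch is an added example, not part of the Specops research. The record format, thresholds and sample lines (documentation-range IPs) are assumptions, and in practice the fields would come from Windows Security event 4625 (failed logon).

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MIN_FAILURES = 5                # assumed failures per source before alerting
SPRAY_ACCOUNTS = 4              # assumed distinct accounts that indicate spraying

# Constructed sample lines: "timestamp source-ip target-account".
SAMPLE = (
    [f"2025-01-15T09:0{i}:00 203.0.113.10 Administrator" for i in range(6)]
    + [f"2025-01-15T09:1{i}:30 198.51.100.7 {user}"
       for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + ["2025-01-15T08:00:00 192.0.2.44 jsmith",   # two isolated typos
       "2025-01-15T13:00:00 192.0.2.44 jsmith"]
)

def parse(line):
    """Split one record into (datetime, source IP, lower-cased account)."""
    ts, ip, account = line.split()
    return datetime.fromisoformat(ts), ip, account.lower()

def classify_sources(lines):
    """Return {source_ip: 'brute-force' | 'password-spray'} for noisy sources."""
    by_source = defaultdict(list)
    for ts, ip, account in map(parse, lines):
        by_source[ip].append((ts, account))
    verdicts = {}
    for ip, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge so the burst spans at most WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            burst = events[start:end + 1]
            if len(burst) < MIN_FAILURES:
                continue
            accounts = {account for _, account in burst}
            if len(accounts) >= SPRAY_ACCOUNTS:
                verdicts[ip] = "password-spray"  # many accounts, few tries each
                break
            verdicts[ip] = "brute-force"         # repeated tries on few accounts
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE).items():
        print(f"{ip}: {verdict}")
```

A source that only fails occasionally, such as a user mistyping a password, never reaches the threshold inside the window and is not flagged.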

Specops’ research indicates significant security vulnerabilities associated with commonly used passwords. The analysis revealed that “123456” was the most frequently attempted password, followed closely by “1234,” “Password1,” and “P@ssw0rd.” Alarmingly, the study also noted the persistent use of the password “Welcome1,” which suggests potential risks from temporary passwords assigned during employee onboarding processes that are not regularly updated. Furthermore, about 25% of the passwords used in these attacks were composed entirely of numbers, and nearly half of the attempted passwords consisted of either numbers or lowercase letters.

The research also highlights the typical password lengths and complexities that are prevalent in these breaches. Eight-character passwords are the most frequently observed, likely due to organizational minimum requirements. Strikingly, only 1.35% of the compromised passwords exceeded 12 characters, underscoring a critical opportunity for businesses to strengthen their defenses by adopting longer, more complex passphrases. The findings add over 85 million compromised passwords to the existing database behind Specops’ Breached Password Protection service.

The research team focused on analyzing NTLMv2 hashes captured from their honeypot system, revealing the specific passwords associated with RDP attacks. About 40% of these hashes were successfully cracked, bringing to light the top ten passwords commonly exploited in such incidents, with “123456” appearing over 350,000 times.

To enhance security against these RDP port attacks, businesses are urged to implement Multi-Factor Authentication (MFA) as a crucial protective measure. MFA adds an additional layer of security, ensuring that even if a password is compromised, unauthorized access is thwarted. Regularly updating Windows servers and clients to address known vulnerabilities is equally important. Additionally, employing SSL encryption for TCP port 3389 and limiting RDP access to a predetermined range of trusted IP addresses can further hinder unauthorized access attempts.

The findings from the Specops report underscore the inherent risks associated with simple passwords. Organizations must recognize that continuing to rely on easily guessable credentials is a vulnerability they can no longer afford. Transitioning to longer and more complex passwords will significantly enhance resilience against RDP attacks.

Overall, this research not only emphasizes the ongoing challenges businesses face in securing remote access but also identifies key preventative measures that can be implemented. Mapped to the MITRE ATT&CK framework, the attack tactics likely employed in these instances include initial access through compromised credentials, with potential for continued exploitation through privilege escalation and persistence methods if defenses are not properly fortified.
