March 1st - 8:45


When the remote login tool is the target of attacks


Remote Desktop Protocol (RDP) allows users to connect to computers remotely. The pandemic has dramatically increased the number of people using RDP services to work from home. The high number of computers accessible via RDP and the popularity of default usernames and weak passwords have made RDP a prime entry point for hackers seeking to break into an organization’s network. As a result, it is likely that any computer exposing RDP to the Internet is of interest to malicious actors and is susceptible to frequent attacks. To study attacks on RDP, we exploit high-interaction honeypots on the Internet that use our open-source PyRDP tool. Every day, hackers attempt to connect to our systems where they can fully interact and often deploy malware or potentially unwanted programs such as cryptomining or proxy monetization software like EarnApp. We analyzed nearly 3.5 million login attempts from July to September 2022. We analyzed the different strategies used by the attackers: the combination of username and password they try, the use of a well-known list of passwords, the frequency rate of their attacks, the country of origin, the timing of the attacks, etc. In this presentation, we will give a brief overview of the RDP protocol, the architecture of our honeypots, and a short demonstration of PyRDP monitoring opportunities. We will then go on to perform advanced analysis on connection attempts to reveal as much information as possible about opportunistic attackers. We will reveal that contrary to what other researchers have observed, a significant proportion of attackers use sophisticated strategies in their login attempts. We will conclude with best practices to avoid the risks inherent in RDP.

Presented by Andréanne Bergeron


About Andréanne Bergeron

Andréanne Bergeron holds a PhD in Criminology from the University of Montreal and works as a cybersecurity researcher at GoSecure. She is interested in the behavior of online attackers. She is an experienced speaker with over 38 university lectures and is now focusing on the field of computer security.