March 1st - 8:45


When the remote login tool is the target of attacks


Remote Desktop Protocol (RDP) allows users to connect to computers remotely. The pandemic has dramatically increased the number of people using RDP services to work from home. The high number of computers accessible via RDP and the popularity of default usernames and weak passwords have made RDP a prime entry point for hackers seeking to break into an organization’s network. As a result, it is likely that any computer exposing RDP to the Internet is of interest to malicious actors and is susceptible to frequent attacks.

To study attacks on RDP, we operate high-interaction honeypots on the Internet that use our open-source PyRDP tool. Every day, hackers attempt to connect to our systems, where they can fully interact and often deploy malware or potentially unwanted programs such as cryptomining or proxy monetization software like EarnApp. We analyzed nearly 3.5 million login attempts from July to September 2022, looking at the different strategies used by the attackers: the combinations of username and password they try, the use of well-known password lists, the frequency of their attacks, the country of origin, the timing of the attacks, etc.

In this presentation, we will give a brief overview of the RDP protocol, the architecture of our honeypots, and a short demonstration of PyRDP monitoring opportunities. We will then perform advanced analysis on connection attempts to reveal as much information as possible about opportunistic attackers. We will reveal that, contrary to what other researchers have observed, a significant proportion of attackers use sophisticated strategies in their login attempts. We will conclude with best practices to avoid the risks inherent in RDP.

Presented by Olivier Bilodeau


About Olivier Bilodeau

Olivier Bilodeau is the head of GoSecure’s cybersecurity research department. With over 12 years of experience in cybersecurity, Olivier has worked in network and Unix server management, developed open-source network access control software and worked as a malware researcher. He has been obsessed with Remote Desktop Protocol (RDP) for 3 years and has reported vulnerabilities in it to Microsoft. An experienced communicator, he has presented at several conferences such as BlackHat, Defcon, Botconf, SecTor, Derbycon and many others. Involved in his community, he is co-founder of MontréHack (a monthly initiative to share technical knowledge in applied security), president of NorthSec, and hosts its Hacker Jeopa.