Case Study: How We Stopped Massive Brute-Force Attacks on Remote Desktop Services
Our investigation revealed 10,000 logon attempts per day to a business with fewer than 10 remote employees. Through the use of cybersecurity best practices and mitigation tactics, the threat was neutralized.


Executive Summary
Windows Remote Desktop Services (RDS) is widely used by businesses to enable employees to access work-related resources remotely.
RDS servers are a high priority target for threat actors, as compromising them is like giving a thief a key to your network.
Our investigation revealed 10,000 logon attempts per day to a business with fewer than 10 remote employees. Through the use of cybersecurity best practices and mitigation tactics, the threat was neutralized.
Background & Context
RDS servers, if not properly secured, present a significant risk. A compromise can allow attackers to move laterally within a network, access sensitive data, exfiltrate information, or deploy ransomware. All can lead to financial loss, operational downtime, and reputational damage.
In this case, we discovered an RDS server exposed to the internet with insufficient access controls and monitoring in place, making it an attractive target for attackers.
Detection & Investigation
The investigation began when our monitoring system triggered lockout alerts for a local administrator account on the RDS server.
A review of the event logs revealed 19,204 failed logon attempts over 5 days. Most attempts targeted accounts that did not exist, indicating a brute-force attack in progress.
Threat Assessment
Left unmitigated, this issue would likely have led to the eventual compromise of the network. Administrator accounts were updated to 32-character complex passwords to maximize security.
Even standard remote employee accounts, with minimum 8-character passwords, were at risk of brute-force attacks. Threat actors are typically financially motivated, and such attacks often lead to ransomware deployments or invoice fraud, both of which can cause significant financial and operational damage.
Mitigation Strategy and Actions Taken
Although the organization had enterprise-grade firewalls, they were not configured to properly protect the RDS server.
Actions implemented included:
- Geolocation-based firewall restrictions: RDS access was limited to the United States, immediately reducing ~95% of the attack traffic, which originated from other countries.
- Zero Trust Network Access (ZTNA): Enforced policies ensuring only authorized remote employees could connect to the RDS server, fully eliminating unauthorized access attempts.
Outcome and Results
The mitigation measures led to the complete elimination of brute-force attempts. Failed logon attempts dropped from 10,000 per day to only legitimate remote employee connections. The RDS server is no longer exposed to the public internet, and access is strictly controlled.
Lessons Learned
- Continuous monitoring is critical. A SIEM solution is essential to detect suspicious activities before damage occurs.
- Internal assets exposed to the internet are high-risk. Any publicly available service will be probed by threat actors using readily available tools.
- Proactive cybersecurity practices prevent incidents. Proper configurations, access controls, and auditing reduce the likelihood of compromise.
Conclusion
Auditing and securing remote access infrastructure is essential: you cannot protect what you don’t know exists.
By enforcing cybersecurity best practices, employees can safely access resources remotely, while keeping attackers at bay.
Cybersecurity is a proactive process. By following industry standards and security measures, organizations minimize risk and protect their critical assets.
Contact Celera IT Services today to ensure your business is secure against modern threats.
