Perch data reveals how COVID-19 affects MSP risk profile

There’s no question that the COVID-19 pandemic has caused IT operations changes across the entire world. For MSPs, this couldn’t possibly be more true. We’ve seen our partners experience double, even triple the number of incoming support tickets generated to enable their clients’ work-from-home requirements.

While MSPs have done nothing short of performing a heroic feat in accomplishing this enablement, we were curious about what security impact in its wake; and as always, the data science we found in Perchybana provided some startling insights.

In the mad scramble to allow clients to work from home, Perch saw a slight increase in the introduction of new RDP-based services. On the whole, we saw an increase of only 11% in the number of new RDP sessions established throughout the month of March. While this increase isn’t significant, it reinforces our theory of increased reliance on RDP services to enable a work from home workforce.

But what about threat actors? Do they see the exploding remote workforce as a renewed opportunity for attack? We took a peek at full RDP-based activity from our entire customer base over a 90-day period to validate or debunk that theory; and the data revealed a swell in all RDP-based attack activity over the course of 90 days, with a spike toward the end of March.

Clearly, adversaries smell the blood in the water: work-from-home requirements open new opportunities for criminals to gain access.

Next, we investigated the trends across RDP attack types throughout February and March to evaluate variations in attack techniques. Notably, we saw a significant increase in RDP connection attempts, with a grand total of 11,858,583 inbound RDP connection attempts in February alone. March saw a 259% growth in RDP traffic (increase of 30.7 million) for a grand total of 42.5 million sessions. See Tables 1 and 2 in the Appendix.

Threat Actor Geolocation

Throughout February, Russia leads the pack in inbound scanning activity with 86% of all RDP scanning activity. (Figure 2) But that changed in March. While Russian activity continued, new country origins began to appear in the “all scanning activity” top 5 including France, Moldova, United States, and Czechia. (Figure 3)

Ramifications

As always, MSPs (and all organizations) should be very restrictive with policies surrounding RDP-based access from externally facing sources. If possible, forbid inbound RDP access from the firewall; and if RDP must be enabled, be sure to require multi-factor authentication.

We’ll keep monitoring the threat landscape through April to see if new changes emerge. In the meantime, you can confidently expect RDP-based scanning to continue with increasing intensity.

If you’re using Perch, you’re always alerted to RDP-based threats. Additionally, our geo-location capability and event notifications are available to all users – so you can easily create your own to correlate and alert on successful RDP logins from new or non-local sources.

For more details about RDP attacks, you can download our 2020 MSP Security Report here.

Keep it Perchy, people.
Wes

Appendix

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Securing Remote Workers