Thursday, April 17, 2025
HomeComputer SecurityHackers Conducting RDP Attacks Using New Technique to Bypass Protections

Hackers Conducting RDP Attacks Using New Technique to Bypass Protections

Published on

SIEM as a Service

Follow Us on Google News

A Microsoft Windows component, RDP was designed to provide administrators, engineers, and users with remote access to systems. However, threat actors have been using the technology for nefarious purposes, and the trend continues, especially since an RDP attack is usually more difficult to detect than a backdoor. 

Threat actors continue to prefer RDP for the stability and functionality advantages over non-graphical backdoors, which can leave unwanted artifacts on a system.”

These allow attackers to establish a connection with a remote server blocked by a firewall and abuse that connection as a transport mechanism to “tunnel” local listening services through the firewall, thus rendering them accessible to the remote server. 

- Advertisement - Google News

Network tunneling and port forwarding take advantage of firewall “pinholes” (ports not protected by the firewall that allow application access to a service on a host in the network protected by the firewall) to establish a connection with a remote server blocked by a firewall.

Once a connection has been established to the remote server through the firewall, the connection can be used as a transport mechanism to send or “tunnel” local listening services (located inside the firewall) through the firewall, making them accessible to the remote server (located outside the firewall).

One utility used to tunnel RDP sessions is PuTTY Link, or Plink, which allows attackers to establish a secure shell (SSH) network connections to other systems. With many IT environments either not inspecting protocols or not blocking SSH communications outbound from their network, attackers can use the tool to create encrypted tunnels and establish RDP connections with the command and control (C&C) server. 

How it works?

RDP attack

FIG: Enterprise firewall bypass using RDP and network tunneling with SSH as an example
RDP attack

FIG: Example of successful RDP tunnel created using Plink
RDP attack

FIG: Example of successful port forwarding from the attacker C2 server to the victim

Jump Box Pivoting

Not only RDP is the perfect tool for accessing compromised systems externally, but RDP sessions can also be daisy chained across multiple systems as a way to move laterally through an environment.

FireEye has observed threat actors using the native Windows Network Shell (netsh) command to utilize RDP port forwarding as a way to access newly discovered segmented networks reachable only through an administrative jump box.

RDP attack

For example, a threat actor could configure the jump box to listen on an arbitrary port for traffic being sent from a previously compromised system. The traffic would then be forwarded directly through the jump box to any system on the segmented network using any designated port, including the default RDP port TCP 3389,”

Prevention of RDP Tunneling

If RDP is enabled, threat actors have a way to move laterally and maintain presence in the environment through tunneling or port forwarding. To mitigate vulnerability to and detect these types of RDP attacks, organizations should focus on both host-based and network-based prevention and detection mechanisms.

  • Remote Desktop Service: Disable the remote desktop service on all end-user workstations and systems for which the service is not required for remote connectivity.
  • Host-based Firewalls: Enable host-based firewall rules that explicitly deny inbound RDP connections.
  • Local Accounts: Prevent the use of RDP using local accounts on workstations by enabling the “Deny log on through Remote Desktop Services” security setting.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Malicious Hackers Increasing the Exploitation of RDP Protocol to Hack the Targeted Victims

Troldesh Ransomware Spreading Via Weaponized Word Document and RDP Brute-force Attack

Latest articles

Ransomware Attacks Surge 126%, Targeting Consumer Goods and Services Sector

The cybersecurity landscape witnessed a dramatic escalation in ransomware attacks, marking a concerning trend...

CrazyHunter Hacker Group Exploits Open-Source GitHub Tools to Target Organizations

A relatively new ransomware outfit known as CrazyHunter has emerged as a significant threat,...

Threat Actors Leverage Cascading Shadows Attack Chain to Evade Detection and Hinder Analysis

A sophisticated multi-layered phishing campaign was uncovered, employing a complex attack chain known as...

Microsoft Vulnerabilities Reach Record High with Over 1,300 Reported in 2024

The 12th Edition of the Microsoft Vulnerabilities Report has revealed a significant surge in...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Ransomware Attacks Surge 126%, Targeting Consumer Goods and Services Sector

The cybersecurity landscape witnessed a dramatic escalation in ransomware attacks, marking a concerning trend...

CrazyHunter Hacker Group Exploits Open-Source GitHub Tools to Target Organizations

A relatively new ransomware outfit known as CrazyHunter has emerged as a significant threat,...

Threat Actors Leverage Cascading Shadows Attack Chain to Evade Detection and Hinder Analysis

A sophisticated multi-layered phishing campaign was uncovered, employing a complex attack chain known as...