A Microsoft Windows component, RDP was designed to provide administrators, engineers, and users with remote access to systems. However, threat actors have been using the technology for nefarious purposes, and the trend continues, especially since an RDP attack is usually more difficult to detect than a backdoor.
“Threat actors continue to prefer RDP for the stability and functionality advantages over non-graphical backdoors, which can leave unwanted artifacts on a system.”
These allow attackers to establish a connection with a remote server blocked by a firewall and abuse that connection as a transport mechanism to “tunnel” local listening services through the firewall, thus rendering them accessible to the remote server.
Network tunneling and port forwarding take advantage of firewall “pinholes” (ports not protected by the firewall that allow application access to a service on a host in the network protected by the firewall) to establish a connection with a remote server blocked by a firewall.
Once a connection has been established to the remote server through the firewall, the connection can be used as a transport mechanism to send or “tunnel” local listening services (located inside the firewall) through the firewall, making them accessible to the remote server (located outside the firewall).
One utility used to tunnel RDP sessions is PuTTY Link, or Plink, which allows attackers to establish a secure shell (SSH) network connections to other systems. With many IT environments either not inspecting protocols or not blocking SSH communications outbound from their network, attackers can use the tool to create encrypted tunnels and establish RDP connections with the command and control (C&C) server.
Not only RDP is the perfect tool for accessing compromised systems externally, but RDP sessions can also be daisy chained across multiple systems as a way to move laterally through an environment.
FireEye has observed threat actors using the native Windows Network Shell (netsh) command to utilize RDP port forwarding as a way to access newly discovered segmented networks reachable only through an administrative jump box.
“For example, a threat actor could configure the jump box to listen on an arbitrary port for traffic being sent from a previously compromised system. The traffic would then be forwarded directly through the jump box to any system on the segmented network using any designated port, including the default RDP port TCP 3389,”
If RDP is enabled, threat actors have a way to move laterally and maintain presence in the environment through tunneling or port forwarding. To mitigate vulnerability to and detect these types of RDP attacks, organizations should focus on both host-based and network-based prevention and detection mechanisms.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.
Malicious Hackers Increasing the Exploitation of RDP Protocol to Hack the Targeted Victims
Troldesh Ransomware Spreading Via Weaponized Word Document and RDP Brute-force Attack
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…