Yes. It has been that bad, 2020.
Absolutely this rings true for me, I have personally witnessed it. What is missing from the RDP explainers is that: RDP is AKA terminal services gateway a command line authentication medium. It can be authenticated against in non-GUI command form with repeated password brute force tooling easily. I think that would help folks understand. Threat actors absolutely went after all these new RDP setups, +768% is certainly what I would expect from my CERT position.
Also, some genius MSPs decided to leave Administrator as an option over RDP. Administrator does not have a default lockout as standard. So they get smashed first.
Hackers love recon. They pull usernames from that recon, start using these gleaned usernames on the available RDP services, they get smashed next.
Sites don't restrict GEO or remote access to their RDP. Any IP in the globe can attempt access for full desktop control. Madness. But thats the pandemic.
People have been very slow to learn, Windows O/S and RDP is not a secure or workable soluton for remote working. At all. Firewalls and web servers are things designed to face the internet, not RDP. RD Gateway will still be an easy win with a phishing creds steal.
I have seen over a dozen institution ransomware cases 90% started with pandemic induced RDP. Most had alternating actual malicious tooling/binary delivery methods/TTPs - thats different groups attacking via the same initial vulnerability.
Biting the hand that feeds IT
