Police CyberAlarm identifies attack on members

The Challenge
In October 2022, whilst reviewing Police CyberAlarm (PCA) data, the PCA team noted a marked rise in cyber activity targeting members' firewalls. The activity came from a single IP address and was attempting to gain control of members' computers through Microsoft's Remote Desktop Protocol (RDP), for which Microsoft had recently announced multiple critical vulnerabilities along with the fixes for them.
Remote Desktop Protocol (RDP)
A Microsoft Remote Desktop session establishes a secure connection between two Windows computers using Remote Desktop Protocol (RDP). Attacks against RDP attempt to gain access to, or control of, a remote computer, and they are becoming increasingly common as hackers look for ways to take advantage of insecure systems. Organisations that choose to allow RDP requests cannot know whether those requests are coming from legitimate or malicious sources.
In this instance, the attacker was looking for Windows systems accepting RDP traffic, most likely because they had malware (malicious software) capable of exploiting one of the RDP vulnerabilities.
The Outcome
Using the Police CyberAlarm suspicious activity search, the source IP was found to have been active for three days and had attempted to access over 20 PCA members. By correlating data across multiple members, Police CyberAlarm was able to identify the source as malicious and notify members who had allowed traffic from this source.
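The correlation described above (one source IP, many members, several days) is a simple thing to express in code. The following is an added example, not Police CyberAlarm's own tooling: it assumes a constructed key=value firewall log format with a member identifier on each line, aggregates RDP (port 3389) connection attempts per source IP across members, and flags any source that has probed at least a threshold number of distinct members, reporting which members allowed the traffic so they can be contacted first. The log lines, member IDs, IP addresses (RFC 5737 documentation ranges) and the threshold value are all constructed for the example and are a scaled-down version of the 20-plus-member, three-day pattern the page describes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines in a key=value format assumed for this
# example; they are not real Police CyberAlarm data. IPs are from the RFC 5737
# documentation ranges and member IDs are placeholders.
SAMPLE_LOGS = """\
2022-10-03T08:12:41Z member=M001 action=DENY  src=203.0.113.45 dst_port=3389
2022-10-03T09:30:02Z member=M002 action=DENY  src=203.0.113.45 dst_port=3389
2022-10-03T11:05:17Z member=M002 action=ALLOW src=192.0.2.10   dst_port=443
2022-10-04T02:44:09Z member=M003 action=ALLOW src=203.0.113.45 dst_port=3389
2022-10-04T14:20:33Z member=M001 action=DENY  src=198.51.100.7 dst_port=3389
2022-10-05T19:58:50Z member=M004 action=DENY  src=203.0.113.45 dst_port=3389
2022-10-05T20:01:12Z member=M001 action=DENY  src=203.0.113.45 dst_port=3389
"""

# Parser for the assumed log format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+member=(?P<member>\S+)\s+action=(?P<action>ALLOW|DENY)\s+"
    r"src=(?P<src>\S+)\s+dst_port=(?P<port>\d+)\s*$"
)

RDP_PORT = 3389
MEMBER_THRESHOLD = 3  # assumed: a source probing RDP at this many members is flagged


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "member": m.group("member"),
        "action": m.group("action"),
        "src": m.group("src"),
        "port": int(m.group("port")),
    }


def correlate_rdp_sources(lines):
    """Aggregate RDP connection attempts per source IP across all members.

    Non-RDP traffic and unparseable lines are ignored, so a source only appears
    in the result if it touched port 3389 at least once.
    """
    stats = defaultdict(
        lambda: {"members": set(), "days": set(), "allowed_by": set(), "hits": 0}
    )
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["port"] != RDP_PORT:
            continue
        s = stats[ev["src"]]
        s["hits"] += 1
        s["members"].add(ev["member"])
        s["days"].add(ev["ts"].date())
        if ev["action"] == "ALLOW":
            s["allowed_by"].add(ev["member"])
    return stats


def flag_rdp_scanners(lines, threshold=MEMBER_THRESHOLD):
    """Return sources that probed RDP at >= threshold distinct members.

    Each entry carries the evidence an analyst needs: how many members were
    targeted, over how many days, how many attempts were seen, and which
    members allowed the traffic and therefore need contacting first.
    """
    flagged = []
    for src, s in correlate_rdp_sources(lines).items():
        if len(s["members"]) >= threshold:
            flagged.append({
                "src": src,
                "members_targeted": len(s["members"]),
                "days_active": len(s["days"]),
                "hits": s["hits"],
                "allowed_by": sorted(s["allowed_by"]),
            })
    # Most widely spread sources first; tie-break on IP for stable output.
    flagged.sort(key=lambda f: (-f["members_targeted"], f["src"]))
    return flagged


if __name__ == "__main__":
    for f in flag_rdp_scanners(SAMPLE_LOGS.splitlines()):
        print(f"{f['src']}: {f['members_targeted']} members over {f['days_active']} days, "
              f"{f['hits']} attempts; allowed by {f['allowed_by'] or 'none'}")
```

The point of keying on distinct members rather than raw hit counts is that a single member's firewall cannot distinguish one scan from ordinary noise, whereas the same source appearing at several unrelated members in a short window is hard to explain benignly; the `allowed_by` list then turns the detection into a prioritised notification list.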
Through a law enforcement intelligence alert, officers in the regions of the affected members were immediately notified, and those members were contacted.
Become a Police CyberAlarm member for strengthened cyber security.