Healthcare Remote Desktop Attacks: Hardening the Front Door Against Intrusion

Recent telemetry from SonicWall paints a paradoxical picture of the current threat landscape: while some general cyberattack vectors may see fluctuation, remote desktop tools remain the “front door” of choice for threat actors targeting the healthcare sector. In 2026, as healthcare organizations continue to rely on remote access for operational continuity and telehealth, attackers are systematically exploiting weak configurations in Remote Desktop Protocol (RDP) and third-party remote administration tools.

For defenders, this is not a theoretical risk. Unauthorized remote access is the precursor to ransomware deployment and data exfiltration. This post dissects the mechanics of these attacks and provides immediate, actionable detection and hardening measures to close the door on lateral movement.

Technical Analysis

The threat landscape described in the recent reports indicates a shift from indiscriminate exploitation to targeted brute-force and credential-stuffing campaigns against exposed remote services.

Affected Products & Platforms:

Microsoft Remote Desktop Services (RDS): Specifically systems with Port 3389 (TCP) exposed to the internet.
Third-Party RATs: Commercial tools such as TeamViewer, AnyDesk, and LogMeIn, which are frequently left unpatched or running with weak authentication.
VPN Concentrators: Often used as a stepping stone to internal RDP sessions.

Vulnerability & Attack Mechanics: While we are not seeing a single novel CVE driving this surge (e.g., no 2025/2026 BlueKeep equivalent in this specific dataset), the vulnerability lies in configuration hygiene. Attackers are leveraging:

Credential Stuffing: Using lists of compromised credentials harvested from previous infostealer campaigns to authenticate via RDP.
Brute Force: Automated scripts attempting to guess passwords on exposed RDP interfaces.
Unpatched Legacy Clients: Exploiting known authentication bypasses in older versions of third-party remote tools that have not been updated.

Exploitation Status: SonicWall data confirms this is an Active Exploitation scenario. Attackers are walking through the front door because it is unlocked—meaning services are exposed directly to the public internet without Multi-Factor Authentication (MFA) or Network Level Authentication (NLA).

Detection & Response

Identifying illicit remote access requires monitoring both the establishment of the connection and the processes that facilitate it. The following rules target the behavioral indicators of remote desktop abuse.

Sigma Rules

YAML

---
title: Potential External RDP Connection Attempt
id: 8c7a3b21-1d4f-4e5a-9b12-c8f9d0e1a234
status: experimental
description: Detects incoming network connections on standard RDP port 3389 from non-local subnets, indicating potential external access attempts.
references:
  - https://attack.mitre.org/techniques/T1021/001/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.lateral_movement
  - attack.t1021.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort: 3389
    Initiated: 'false'
  filter:
    SourceIp|startswith:
      - '10.'
      - '192.168.'
      - '172.16.'
      - '127.'
      - '::1'
condition: selection and not filter
falsepositives:
  - Legitimate remote administration from known external IP ranges (tune filter as needed)
level: high
---
title: Execution of Common Remote Access Tools
id: 9d2e4f32-2e5g-5f6b-0c23-d9g0e1f2a345
status: experimental
description: Detects execution of popular third-party remote desktop software (TeamViewer, AnyDesk, LogMeIn) which are frequently abused by adversaries for persistence.
references:
  - https://attack.mitre.org/techniques/T1219/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.command_and_control
  - attack.t1219
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\teamviewer.exe'
      - '\anydesk.exe'
      - '\logmein.exe'
      - '\radmin.exe'
  condition: selection
falsepositives:
  - Authorized administrative use of these tools
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender

// Hunt for external RDP connections (Port 3389)
DeviceNetworkEvents
| where RemotePort == 3389
| where ActionType == "ConnectionAccepted"
| where not(ipv4_is_in_range(RemoteIP, "10.0.0.0/8")) 
   and not(ipv4_is_in_range(RemoteIP, "192.168.0.0/16")) 
   and not(ipv4_is_in_range(RemoteIP, "172.16.0.0/12"))
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor

-- Hunt for processes listening on RDP port 3389 or running common RATs
SELECT Pid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Name =~ 'svchost.exe' AND CommandLine =~ 'TermService'
   OR Name =~ 'mstsc.exe'
   OR Name =~ 'teamviewer.exe'
   OR Name =~ 'anydesk.exe'

Remediation Script (PowerShell)

PowerShell

# PowerShell Script to Audit and Harden RDP Settings
# Requires Administrator privileges

Write-Host "[+] Auditing Remote Desktop Configuration..." -ForegroundColor Cyan

# Check if RDP is enabled
$rdpProperty = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -ErrorAction SilentlyContinue
if ($rdpProperty.fDenyTSConnections -eq 0) {
    Write-Host "[!] WARNING: RDP is currently ENABLED (fDenyTSConnections = 0)." -ForegroundColor Red
} else {
    Write-Host "[+] RDP is currently DISABLED." -ForegroundColor Green
}

# Check Network Level Authentication (NLA)
$nlaProperty = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -ErrorAction SilentlyContinue
if ($nlaProperty.UserAuthentication -eq 0) {
    Write-Host "[!] WARNING: Network Level Authentication (NLA) is DISABLED." -ForegroundColor Red
} else {
    Write-Host "[+] NLA is ENABLED." -ForegroundColor Green
}

# Check for Firewall Rule allowing RDP
$fwRule = Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
if ($fwRule) {
    Write-Host "[!] WARNING: Firewall rules allowing RDP traffic are active." -ForegroundColor Yellow
} else {
    Write-Host "[+] No inbound RDP firewall rules found." -ForegroundColor Green
}

Write-Host "[+] Hardening Recommendation: If RDP is not required, disable it via registry or Group Policy." -ForegroundColor White
Write-Host "[+] Hardening Recommendation: If RDP is required, enforce NLA and restrict access via VPN or Firewall ACLs." -ForegroundColor White

Remediation

To effectively close the “front door” that hackers are walking through, healthcare organizations must implement the following controls immediately:

Disable RDP from the Internet: Ensure Port 3389 is blocked at the network perimeter. Use VPNs with MFA for all remote administrative access. RDP should never be directly exposed to the public internet.
Enable Network Level Authentication (NLA): NLA requires authentication before the session is fully established, reducing the resource load on the server and mitigating certain credential-based attacks.
Enforce Multi-Factor Authentication (MFA): This is the single most effective control against credential stuffing and brute force attacks targeting remote desktop services.
Account Lockout Policies: Configure account lockout thresholds (e.g., 5 invalid attempts) to slow down brute-force attacks.
Patch Management: Ensure all third-party remote tools (TeamViewer, AnyDesk, etc.) are updated to the latest versions to prevent exploitation of legacy vulnerabilities.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub