The recent move to remote work for most organizations has had a number of effects on both employees and the technology they use. One of them is an increase in the number of machines exposing the Remote Desktop Protocol (RDP) service to the Internet, a highly risky move that attackers have taken note of and have adjusted their tactics to exploit.
The RDP service in Windows is used widely in the enterprise as a way for people to connect remotely to another machine and perform administrative functions. It’s used both internally and externally, but exposing RDP servers to the open Internet is risky for a number of reasons, chief among them a long history of critical security flaws in RDP and the ease with which exposed servers can be subjected to password brute-forcing. In January Microsoft released patches for two critical flaws in the RDP Gateway, both of which are pre-authentication, remote code execution vulnerabilities. Last year, a series of major vulnerabilities in Remote Desktop were revealed, including the BlueKeep vulnerability (CVE-2019-0708) in May and several others, collectively known as DejaBlue, in August.
“Services like RDP should not be exposed directly to the open Internet. If you do so, these services should be configured carefully. RDP has had several critical vulnerabilities in the past. One of the most common methods used to attack RDP services is various forms of password brute-forcing. Various underground web sites actively trade RDP passwords. RDP has had a rich history of vulnerabilities in the past. Patching RDP servers is critical,” Johannes Ullrich, dean of research at the SANS Technology Institute, said in a post.
Since the beginning of March, when some organizations began instituting either voluntary or mandatory remote work policies, researchers have seen increases in both the number of RDP servers exposed to the Internet and the number of unique IP addresses scanning for those servers. According to data gathered by Shodan, the device search engine, the number of RDP servers exposed on the default port (3389) has increased steadily, and eight percent of those servers are still vulnerable to BlueKeep. In the United States alone, more than 38,000 servers are still vulnerable to BlueKeep.
“The number of devices exposing RDP to the Internet has grown over the past month which makes sense given how many organizations are moving to remote work,” John Matherly of Shodan wrote in an analysis of the data.
“It's surprising how the number of RDP instances actually went up after the initial Microsoft bulletin on BlueKeep in May 2019. And then it dropped sharply in August once a series of issues were revealed (DejaBlue) that impacted newer versions of RDP.”
RDP is a logical and relatively easy target for attackers looking for a foothold on corporate networks. The combination of a Cheesecake Factory menu of known vulnerabilities, exposed servers, and known exploits is a tasty one, and security teams that may have been forced to scramble to create remote work setups for thousands of employees in the last few weeks could find RDP causing some serious issues. Ullrich said SANS data showed an increase of about 35 percent in the number of source IP addresses scanning for exposed RDP servers from February to March.
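The month-over-month comparison of scanning sources that SANS reports is something any team can reproduce against its own perimeter logs. The following is an added example, not code from the article, from SANS, or from Shodan: it parses constructed firewall log lines in a hypothetical syslog-like format (the field layout, the `ALLOW`/`DENY` actions and all addresses are assumptions), counts distinct source IPs that targeted TCP/3389 per month, computes the percentage change, and separately lists sources the firewall actually let through to 3389, which is the quickest evidence that an RDP server is reachable from the Internet.

```python
"""Count distinct sources probing TCP/3389 per month from firewall logs.

Added example (not from the article, SANS or Shodan). The log format below is
a hypothetical one; adapt LINE_RE to your firewall's export.
"""
import re
from collections import defaultdict

RDP_PORT = 3389

# Constructed sample lines, not real traffic. Note the decoy on 2020-03-12:
# the *source* port is 3389 but the destination is 443, so it must not count.
SAMPLE_LOG = """\
2020-02-03T10:14:02Z fw DENY TCP 203.0.113.10:51234 -> 198.51.100.5:3389
2020-02-03T10:14:09Z fw DENY TCP 203.0.113.10:51235 -> 198.51.100.6:3389
2020-02-11T22:01:44Z fw DENY TCP 198.18.0.77:40001 -> 198.51.100.5:3389
2020-02-20T04:30:00Z fw DENY TCP 192.0.2.44:55555 -> 198.51.100.5:22
2020-03-02T08:00:01Z fw DENY TCP 203.0.113.10:51300 -> 198.51.100.5:3389
2020-03-05T13:45:12Z fw DENY TCP 198.18.0.77:40100 -> 198.51.100.9:3389
2020-03-05T13:45:13Z fw DENY TCP 203.0.113.200:60000 -> 198.51.100.9:3389
2020-03-12T17:20:30Z fw DENY TCP 192.0.2.99:3389 -> 198.51.100.9:443
2020-03-19T01:02:03Z fw DENY TCP 203.0.113.201:33333 -> 198.51.100.5:3389
2020-03-27T23:59:59Z fw ALLOW TCP 198.18.0.78:44444 -> 198.51.100.5:3389
"""

# Hypothetical format: "<ISO timestamp> <host> <ALLOW|DENY> TCP src:sport -> dst:dport"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+ \S+ (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "month": m["date"][:7],          # "YYYY-MM" bucket
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),        # only the destination port matters
    }


def rdp_sources_by_month(log_text, port=RDP_PORT):
    """Map month -> set of distinct source IPs that targeted `port`."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] == port:
            sources[rec["month"]].add(rec["src"])
    return dict(sources)


def percent_change(previous, current):
    """Percentage change from previous to current; None if previous is zero."""
    if previous == 0:
        return None
    return (current - previous) / previous * 100.0


def month_over_month(log_text, port=RDP_PORT):
    """List of (month, distinct_sources, pct_change_from_prior_month)."""
    by_month = rdp_sources_by_month(log_text, port)
    rows, prev = [], None
    for month in sorted(by_month):
        count = len(by_month[month])
        change = None if prev is None else percent_change(prev, count)
        rows.append((month, count, change))
        prev = count
    return rows


def allowed_rdp_sources(log_text, port=RDP_PORT):
    """Sources the firewall let through to `port`: the exposed-RDP evidence."""
    return {
        rec["src"]
        for rec in map(parse_line, log_text.splitlines())
        if rec and rec["action"] == "ALLOW" and rec["dport"] == port
    }


if __name__ == "__main__":
    for month, count, change in month_over_month(SAMPLE_LOG):
        delta = "n/a" if change is None else f"{change:+.0f}%"
        print(f"{month}: {count} distinct sources probing {RDP_PORT} ({delta})")
    print("sources allowed to reach RDP:", sorted(allowed_rdp_sources(SAMPLE_LOG)))
```

On the constructed sample the script reports two distinct sources in February and five in March, a 150 percent rise, and one source that was allowed through to 3389. Run it over a real export and the `ALLOW` set is the list of hosts to look at first; if it is non-empty for a server that was never meant to be reachable, that server's patch level against BlueKeep and DejaBlue, and whether Network Level Authentication is enforced, are the next checks.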
“The increased interest in scanning port 3389 indicates that attackers are ready for some of the changes to network configurations as a result of increased remote access requirements. Sadly attackers do not give us a break. Instead, they are focusing on weaknesses that organizations are exposing now,” Ullrich said.
“Every single attack vector we have looked at these last few months has incorporated the Coronavirus crisis, and attackers are ruthless as usual in exploiting any weakness they can find.”