The researchers discovered that there are 11 million open 3389/TCP endpoints, and that 4.1 million of them are RDP.
“We analyzed the responses, tallying any that appeared to be from RDP speaking endpoints, counting both error messages indicating possible client or server-side configuration issues as well as success messages.” states the analysis from Rapid7.
“11 million open 3389/TCP endpoints, and 4.1 million responded in such a way that they were RDP speaking of some manner or another. This number is shockingly high when you remember that this protocol is effectively a way to expose keyboard, mouse and ultimately a Windows desktop over the network.”
In May, Rapid7 published another study that revealed millions of devices exposed to cyber attacks via SMB, Telnet, RDP, and other types of improper configurations.
The study reported 10.8 million supposedly open RDP endpoints in early 2016, and 7.2 million such endpoints in the first quarter of this year.
The researchers pointed out that even if RDP is disabled by default on Windows, it is commonly exposed in internal networks for administration and maintenance purposes. The protocol poses serious risks, Microsoft addressed dozens of vulnerabilities in the Remote Desktop Protocol over the past fifteen years.
“The default RDP configuration on older versions of Windows left it vulnerable to several attacks when enabled; however, newer versions have upped the game considerably by requiring Network Level Authentication (NLA) by default. If you are interested in reading more about securing RDP, UC Berkeley has put together a helpful guide, and Tom Sellers, prior to joining Rapid7, wrote about specific risks related to RDP and how to address them.”
“RDP’s history from a security perspective is varied. Since at least 2002 there have been 20 Microsoft security updates specifically related to RDP and at least 24 separate CVEs”
ShadowBrokers revealed the existence of an NSA exploit, dubbed EsteemAudit exploit that targets Remote Desktop Protocol service (port 3389) on machines running no longer supported Microsoft Windows Server 2003 / Windows XP.
It has been estimated that over 24,000 systems remain vulnerable to the EsteemAudit exploit, for this reason, Microsoft released security updates for Windows XP to address ShadowBrokers vulnerabilities, including CVE-2017-0176 exploited by EsteemAudit.
Remote Desktop Protocol attacks are a privileged attack vector for malware distribution, especially ransomware.
There are many malware in the wild that already infects systems using as attack vector the Remote Desktop Protocol, (CrySiS, Dharma, and SamSam), the EsteemAudit exploit can potentially make these threats very aggressive and dangerous.
According to the Rapid7 report, most of the exposed Remote Desktop Protocol endpoints (28.8%, or over 1.1 million) are in the United States. China is at the second place for exposed RDP endpoints (17.7%, or around 730,000), followed by Germany (4.3%, ~ 177,000), Brazil (3.3%, ~ 137,000), and Korea (3.0%, ~ 123,000).
Giving a look at the organizations that own the IP addresses associated with exposed Remote Desktop Protocol endpoints the experts noticed that most of them belong to Amazon (7.73% of exposed endpoints), Alibaba (6.8%), Microsoft (4.96%), China Telecom (4.32%), and Comcast (2.07%).
Rapid7 reported that more than 83% of the Remote Desktop Protocol endpoints identified were willing to proceed with CredSSP as the security protocol, meaning that the RDP session was highly secured. Over 15% of the exposed endpoints indicated that they didn’t support SSL/TLS.
“Amazingly, over 83% of the RDP endpoints we identified indicated that they were willing to proceed with CredSSP as the security protocol, implying that the endpoint is willing to use one of the most secure protocols to authenticate and protect the RDP session. A small handful in the few thousand range selected SSL/TLS. Just over 15% indicated that they didn’t support SSL/TLS (despite our also proposing CredSSP…) or that they only supported the legacy “Standard RDP Security”, which is susceptible to man-in-the-middle attacks. Over 80% of exposed endpoints supporting common means for securing RDP sessions is rather impressive. ” Rapid7 points out.
(Security Affairs – Remote Desktop Protocol, hacking )