It is the job of cybersecurity researchers to constantly monitor possible areas of attack. One method that we use is port scans of varying strength that reveal what threat vectors are exposed to potential attackers. Sometimes when an open port is found — a port that should be closed — it is discovered that there are larger issues than the port itself.
Such is the case with recent global scans performed by security researchers at Rapid7. In a report published on August 9, Rapid7 community member jhart7 detailed recent port scans that showed 11 million devices with open online 3389/TCP ports. The issue wasn’t the port itself, necessarily, but rather the fact that roughly 4.1 million of the 3389/TCP ports are specifically speaking the RDP protocol.
The Remote Desktop Protocol (RDP) was created by Microsoft to provide “remote display and input capabilities over network connections for Windows-based applications running on a server.” Of the many capabilities that RDP has, the most pertinent to security is the extensive remote control the protocol grants. It is for this reason that, as jhart7 points out in his report, RDP is disabled by default in all versions of Windows.
So what is the problem then? The reality is that RDP is often enabled in business environments. Per jhart7:
RDP is disabled by default for all versions of Windows but is very commonly exposed in internal networks for ease of use in a variety of duties like administration and support. I can’t think of a place where I’ve worked where it wasn’t used in some capacity. There is no denying the convenience it provides.
RDP is without a doubt a useful protocol, and when its encryption is employed properly, it can be relatively safe. The reality is, and this is the crux of the issue, that the RDP endpoints found in this report are exposed directly to the internet, and therefore to any experienced hacker. As Catalin Cimpanu of Bleeping Computer points out, “RDP has been … a prime target for hackers for decades.” He goes on to cite a Webroot report from March 2017 that “pins RDP as the favorite method for delivering ransomware” and a Kaspersky report that solidified RDP’s criminal association via “xDedic, an online service that was selling access to nearly 70,000 hacked RDP servers.”
A lot of these issues come down to human error: admins don’t enable authentication, use simplistic credentials, or don’t use a firewall to filter access to the RDP machine. The Rapid7 report does note, however, a high level of support among admins for stronger authentication methods such as CredSSP. Additionally, admins must be more mindful of how they employ this protocol in their daily work.
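As an added illustration (not Rapid7’s scanner or any code from the report), the Python module below builds the X.224 Connection Request that such a scan sends to port 3389 and classifies the server’s Connection Confirm: whether the port speaks RDP at all, and whether it negotiates CredSSP (NLA), plain TLS, or only legacy standard RDP security. The packet layouts follow the MS-RDPBCGR negotiation messages; the sample responses are constructed, and probe() is meant for auditing hosts you administer.

```python
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR RDP_NEG_REQ / RDP_NEG_RSP)
PROTOCOL_RDP = 0x0      # standard RDP security only: no TLS, no NLA
PROTOCOL_SSL = 0x1      # TLS, but credentials still go to the RDP login screen
PROTOCOL_HYBRID = 0x2   # CredSSP, i.e. Network Level Authentication
PROTOCOL_NAMES = {PROTOCOL_RDP: "standard RDP security", PROTOCOL_SSL: "TLS",
                  PROTOCOL_HYBRID: "CredSSP (NLA)"}
# failureCode values of RDP_NEG_FAILURE; 5 means the server enforces NLA
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT + X.224 Connection Request carrying an RDP Negotiation Request (no cookie)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)      # type, flags, length, protocols
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) # LI, CR code, dst-ref, src-ref, class 0
    return struct.pack(">BBH", 3, 0, 4 + len(x224) + len(neg_req)) + x224 + neg_req


def parse_connection_confirm(data):
    """Classify the first bytes a server sends back; returns a dict describing what they reveal."""
    if len(data) < 11 or data[0] != 3:
        return {"rdp": False, "reason": "not a TPKT/X.224 response"}
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:                      # 0xD0 = X.224 Connection Confirm
        return {"rdp": False, "reason": "not an X.224 Connection Confirm"}
    if li == 6:                                    # no negotiation response: pre-NLA server
        return {"rdp": True, "selected": PROTOCOL_RDP, "security": PROTOCOL_NAMES[PROTOCOL_RDP]}
    if len(data) < 19:
        return {"rdp": True, "reason": "truncated negotiation response"}
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == 0x02:                           # RDP_NEG_RSP: server picked a security layer
        return {"rdp": True, "selected": value, "security": PROTOCOL_NAMES.get(value, "unknown")}
    if neg_type == 0x03:                           # RDP_NEG_FAILURE: server refused our request
        return {"rdp": True, "failure": FAILURE_CODES.get(value, "unknown")}
    return {"rdp": False, "reason": "unexpected negotiation type"}


def probe(host, port=3389, requested=PROTOCOL_SSL | PROTOCOL_HYBRID, timeout=5.0):
    """Send one negotiation request to a host you own and classify the reply.
    Requesting only PROTOCOL_RDP is the way to learn whether NLA is enforced (failure code 5)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(requested))
        return parse_connection_confirm(s.recv(64))
```

Running probe() against an internal host with both flags requested tells you the strongest layer it offers; a second run requesting only PROTOCOL_RDP shows whether the weak layer is still accepted.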
Ultimately, it is a race against time to secure these exposed RDP machines, all 4.1 million of them, as any zero-day employed on a mass scale could allow for mass remote hijacking or malware deployment against powerful organizations.