Security Experts:

Millions of Endpoints Exposed via RDP: Report

There are 4.1 million Windows endpoints online that would accept communication via the Remote Desktop Protocol (RDP) in one way or another, a recent Rapid7 report reveals.

As part of a study focused on the overall RDP exposure of Windows endpoints, the security firm discovered that there are 11 million open 3389/TCP endpoints, and that 4.1 million of them are “RDP speaking of some manner or another.”

The research follows previous reports from the company, which revealed 10.8 million supposedly open RDP endpoints in early 2016, and 7.2 million such endpoints in the first quarter of this year. According to Rapid7, however, the actual risk doesn’t come from exposing the endpoint, but from exposing the protocol.

While RDP is disabled by default on Windows, it is commonly exposed in internal networks to enable easy access for administration and support. From a security perspective, however, the protocol poses great many risks, especially with Microsoft addressing two dozen vulnerabilities in it over the past fifteen years.

“The default RDP configuration on older versions of Windows left it vulnerable to several attacks when enabled; however, newer versions have upped the game considerably by requiring Network Level Authentication (NLA) by default,” Rapid7 notes.

Earlier this year, the EsteemAudit exploit that the ShadowBrokers made public after supposedly stealing it from the National Security Agency-related Equation Group was targeting RDP on Windows 2003 and XP systems. Microsoft released security updates for Windows XP to address ShadowBrokers vulnerabilities, including CVE-2017-0176, the bug EsteemAudit was exploiting.

In March this year, a security report revealed that RDP had surpassed email for ransomware distribution. After RDP was associated with the delivery of various ransomware variants, researchers concluded that attackers were increasingly relying on brute-forcing RDP credentials for the deployment of this type of malware.

“RDP finds itself exposed on the public internet more often than you might think. Depending on how RDP is configured, exposing it on the public internet ranges from suicidal on the weak end to not-too-unreasonable on the other. […] There are all manner of ways that RDP could end up exposed on the public internet, deliberately or otherwise,” Rapid7 notes.

According to their report, most of the exposed RDP endpoints (28.8%, or over 1.1 million) are located in the United States. China has a great deal of exposed RDP endpoints as well (17.7%, or around 730,000), followed by Germany (4.3%, ~ 177,000), Brazil (3.3%, ~ 137,000), and Korea (3.0%, ~ 123,000).

The security researchers also had a look at the organizations that own the IPs with exposed RDP endpoints: Amazon (7.73% of exposed endpoints), Alibaba (6.8%), Microsoft (4.96%), China Telecom (4.32%), and Comcast (2.07%).

This also revealed why some countries had significantly more exposed endpoints than others: most of the providers are known for their cloud, virtual, or physical hosting services, “where remote access to a Windows machine is a frequent necessity,” Rapid7 notes.

The security researchers also discovered that over 83% of the RDP endpoints identified were willing to proceed with CredSSP as the security protocol, meaning that the RDP session was highly secured. However, while some selected SSL/TLS, over 15% of the exposed endpoints indicated that they didn’t support SSL/TLS.

“While 83% of the RDP speaking endpoints support CredSSP, this does not mean that they don’t also support less secure options; it just means that if a client is willing, they can take the more secure route,” Rapid7 points out. However, the company also underlines that it’s highly impressive that over 80% of exposed endpoints include support for common means for securing RDP sessions.

Related: RDP Tops Email for Ransomware Distribution: Report

Related: Compromised RDP Servers Used in Corporate Ransomware Attacks

view counter