About remote work, unprotected RDP and the growing number of servers accessible from the Internet



Due to the hasty mass transition of companies to remote work, the number of corporate servers that cybercriminals can reach from the Internet is growing rapidly. One of the main reasons is the use of unprotected Remote Desktop Protocol (RDP). According to our data, in just one week in Russia alone, the number of devices accessible from the Internet via RDP increased by 15%.

Today, the most popular way to organize remote work is a remote connection to the employee's workstation: remote desktop software is part of every modern version of Windows, and for the employee the experience is no different from working on the system directly. Remote access is provided over RDP, which uses port 3389 by default.

Unfortunately, in the panic many companies do not pay due attention to protecting remote access to workstations, which creates many threats. For example, a remote server is sometimes accessible and visible from the Internet, so anyone can try to connect to it. Although identification and authentication are required, an attacker can brute-force the password or substitute the security certificate. In addition, there are many known vulnerabilities that allow access to a remote server without going through authentication at all.

How relevant are these threats? To answer this question, we used various tools to analyze and monitor the number of devices accessible from the Internet via RDP. The data show that, because of the mass transfer of employees to remote work, the number of accessible devices is growing rapidly. In just a week, the number of accessible servers worldwide increased by more than 20% and reached 3 million. The situation in Russia is similar: the share of accessible servers grew by almost 15%, and the total number is more than 75,000.

These statistics are alarming, because the stir over several major RDP-related vulnerabilities died down not so long ago. In mid-2019, a critical vulnerability, CVE-2019-0708, known as BlueKeep, was discovered, and a few months later information was published about the critical vulnerabilities CVE-2019-1181 / 1182, known as DejaBlue. Neither is directly related to the RDP protocol itself; both concern Remote Desktop Services (RDS) and can be exploited by sending a special request over RDP, which gives the attacker the ability to execute arbitrary code on a vulnerable system without going through authentication. Access to a host or server running a vulnerable Windows system is enough. Thus, any system accessible from the Internet is vulnerable if the latest Windows security updates are not installed.

Microsoft released security updates for BlueKeep and DejaBlue in a timely manner, but these are just a few examples of known threats related to insecure remote access. Each month, Windows security updates fix newly discovered RDP-related vulnerabilities whose successful exploitation can lead to the theft of important information, as well as to the introduction and rapid spread of malware across the company's entire infrastructure.

During any large-scale event, and all the more so one as frightening as a global pandemic, the number of attacks on organizations inevitably increases. Companies try to provide remote access to all employees as quickly as possible, but in such a hurry it is very easy to forget or neglect the rules of protection. That is why using ordinary unprotected remote desktop access is extremely undesirable. It is recommended to use a VPN with two-factor authentication and to implement remote access based on secure protocols.
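One way to check your own perimeter against this recommendation, as an added example that is not part of the original article: the script below reads a firewall rule list and reports every allow rule that lets sources outside internal address ranges reach TCP 3389. The rule format, rule names and addresses are constructed for illustration, treating RFC 1918 ranges as "internal" (for example a VPN address pool) is an assumption, and rule ordering is not modeled.

```python
import ipaddress

RDP_PORT = 3389  # default RDP port named in the article
# Assumption: RFC 1918 ranges count as internal (e.g. a VPN address pool)
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rules (hypothetical format): name action proto source ports
SAMPLE_RULES = """\
vpn-rdp      allow tcp 10.8.0.0/24      3389
legacy-rdp   allow tcp 0.0.0.0/0        3389
admin-range  allow tcp 203.0.113.0/24   3000-4000
web          allow tcp 0.0.0.0/0        443
block-rdp    deny  tcp 0.0.0.0/0        3389
any-any      allow any 198.51.100.7/32  any
"""

def covers_port(spec, port):
    """True if a port spec ('any', '3389', '3000-4000', '80,443') includes port."""
    if spec == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def is_internal(cidr):
    """True only if the whole source network lies inside an internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(p) for p in INTERNAL)

def exposed_rdp_rules(text):
    """Names of allow rules that admit non-internal sources to TCP 3389.
    Each rule is judged on its own; first-match ordering is not modeled."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, action, proto, source, ports = line.split()
        if (action == "allow" and proto in ("tcp", "any")
                and covers_port(ports, RDP_PORT) and not is_internal(source)):
            findings.append(name)
    return findings

if __name__ == "__main__":
    for name in exposed_rdp_rules(SAMPLE_RULES):
        print("RDP reachable from outside internal ranges via rule:", name)
```

Note that wide port ranges and "any" rules expose 3389 just as an explicit rule does, which is why the range and wildcard cases are flagged alongside the obvious one.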

