Over Four Million Windows PCs Vulnerable Through RDP

In the years before I became a cybersecurity journalist, I was a remote tech support agent for Windstream. Our job was to resolve any sort of problems that could possibly be fixed via remote support or over the phone.

Interestingly enough, we didn’t use Microsoft’s proprietary Remote Desktop Connection application, which uses the Windows Remote Desktop Protocol (RDP) on TCP port 3389. We used LogMeIn Rescue, which uses web ports 80 and 443, mainly the latter. I’m sure there are organizations that use RDP, but I’ve never used it.

Unless you specifically use RDP, the firewalls on your Windows endpoint should probably block port 3389. If the port has to be used, your security infrastructure should at least be watching it carefully. Cyberattacks through RDP can result in a hostile party completely taking over your Windows client!
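As an added example that is not part of the original post, the following PowerShell (run elevated on the Windows endpoint) audits whether RDP is enabled, lists the enabled inbound firewall rules that admit TCP 3389 and from which remote addresses, and then either blocks the port outright or scopes Windows' built-in "Remote Desktop" rules to a management subnet; the subnet 10.20.30.0/24 is a placeholder for your own jump-host network.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Assumption: 10.20.30.0/24 is a placeholder for your management / jump-host subnet.
$MgmtSubnet = '10.20.30.0/24'

# 1. Is RDP enabled? fDenyTSConnections = 1 means the Remote Desktop listener is off.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections
$rdpEnabled = ($ts.fDenyTSConnections -ne 1)
if ($rdpEnabled) { Write-Host 'RDP is ENABLED on this host.' }
else             { Write-Host 'RDP is disabled (fDenyTSConnections=1).' }

# 2. Which enabled inbound Allow rules open TCP 3389, and to whom?
#    A RemoteAddress of 'Any' is what lets an Internet-wide scan see the port.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }
foreach ($rule in $rdpRules) {
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    Write-Host ("Allow rule '{0}' permits 3389 from: {1}" -f $rule.DisplayName, ($addr -join ', '))
}

# 3. Remediate.
if (-not $rdpEnabled) {
    # RDP is off: make the firewall match, so a later accidental enable stays unreachable.
    New-NetFirewallRule -DisplayName 'Block inbound RDP (TCP 3389)' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -Action Block -Profile Any | Out-Null
    Write-Host 'Added explicit inbound block for TCP 3389.'
} else {
    # RDP is genuinely needed: restrict the built-in Remote Desktop rule group to the
    # management subnet instead of 'Any'. Access from anywhere else is dropped.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $MgmtSubnet
    Write-Host "Scoped 'Remote Desktop' inbound rules to $MgmtSubnet."
}
```

Re-run step 2 afterwards: every remaining Allow rule for 3389 should now list only the management subnet, and on domain-joined hosts the same scoping is better pushed through Group Policy so local edits are not silently overridden.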

Why Windows Users Should Care

Here’s the case in point that should worry Windows users. RDP is disabled by default in all client and server Windows versions that support the protocol. Nonetheless, a Sonar study conducted by Rapid7 discovered about 11 million Windows endpoints with port 3389 open, with 4.1 million of those “RDP speaking of some manner or another.” Ouch! Considering that connecting to a Windows machine via RDP means an attacker can see the target’s monitor output and provide mouse and keyboard input, that’s pretty scary.

The study also mentions that if port 3389 is vulnerable on a client, whoever runs that client isn’t applying even the basic firewall rules in Windows Firewall or access control lists. An information gathering operation that finds port 3389 open on a Windows client can be interpreted by an attacker as a flag that says, “this one’s gonna be easier than stealing candy from a baby!”

The Shadow Brokers leak in April not only contained EternalBlue (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Kim Crawley. Read the original post at: Cylance Blog