{"id":24197,"date":"2024-03-20T11:22:40","date_gmt":"2024-03-20T19:22:40","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/03\/20\/news-17927\/"},"modified":"2024-03-20T11:22:40","modified_gmt":"2024-03-20T19:22:40","slug":"news-17927","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/03\/20\/news-17927\/","title":{"rendered":"Remote Desktop Protocol: Exposed RDP (is dangerous)"},"content":{"rendered":"<p><strong>Credit to Author: Angela Gunn| Date: Wed, 20 Mar 2024 16:16:34 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\" width=\"100%\" height=\"420\">\n<p><span data-contrast=\"none\">I<\/span><span data-contrast=\"auto\">s it honestly so bad to expose a server with RDP to the internet? In order to find out, we did just that.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">For science, we stood up a server, exposed RDP to the internet, and walked away for 15 days. When we came back, we found out that login attempts started in <\/span><i><span data-contrast=\"auto\">less than one minute<\/span><\/i><span data-contrast=\"auto\"> from the moment we exposed the port. Even if you&#8217;re thinking about \u201ctemporarily\u201d exposing a server to the internet with RDP for someone to remotely access it, those unwanted brute force attempts roll in quickly.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe loading=\"lazy\" class=\"youtube-player\" width=\"100%\" height=\"420\" src=\"https:\/\/www.youtube.com\/embed\/XyWnKaLwmkQ?version=3&#038;rel=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;fs=1&#038;hl=en-US&#038;autohide=2&#038;wmode=transparent\" allowfullscreen=\"true\" style=\"\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\" frameborder=\"0\"><\/iframe><\/span><\/p>\n<p><span data-contrast=\"auto\">Digging deeper, we compiled statistics on the usernames most commonly used to attempt access. Unsurprisingly, \u201cadministrator\u201d and variants of that word\/title took the top three spots. On our exposed system, \u201cadministrator\u201d alone accounted for 866,862 failed login attempts over those 15 days.\u00a0<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><i><span data-contrast=\"auto\">Figure 1: The ten usernames most often attempted in brute-force attacks on our guinea-pig RDP server over 15 days; \u201cescaner\u201d and \u201cusuario\u201d are respectively \u201cscanner\u201d and \u201cuser\u201d in Spanish<\/span><\/i><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">To be sure, the high number of attempts on that specific account name was not surprising; in most of the cases the Sophos IR team has handled in which exposed RDP was the initial access vector, the attacker managed to obtain access by brute-forcing the administrator account. Worse, we regularly see that the organizations that expose RDP to the internet quite often have poor password policies, which makes it easy for ransomware groups to brute force their way into those accounts.\u00a0<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Beyond these attempts, in total we saw that 137,500 unique usernames were attempted over the course of 15 days, with scanning activity originating from 999 unique IP addresses. In total, we saw just over 2 million failed login attempts in the 15 days. So, to answer the original question: YES. There is a vast amount of scanning activity that seeks open RDP. It\u2019s still a common access vector. And it\u2019s definitely dangerous to expose RDP to the internet.\u00a0<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">By default, RDP is exposed on port 3389. What happens when it\u2019s exposed on a non-default port? Unfortunately, it does not matter; scanners and ransomware groups still easily identify that an RDP port is open and listening, no matter how obscure the port number is. To illustrate that, we did a simple search on censys.io, seeking RDP listening on ports other than 3389.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-2-fun-with-censys.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-954256\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-2-fun-with-censys.png\" alt=\"A screen capture of Censys shows that exposed RDP ports are easily found, even at nonstandard addresses\" width=\"799\" height=\"689\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-2-fun-with-censys.png 973w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-2-fun-with-censys.png?resize=300,259 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-2-fun-with-censys.png?resize=768,662 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><\/a><\/p>\n<p><i><span data-contrast=\"auto\">Figure 2: As seen on Censys, \u201chiding\u201d exposed RDP on a nonstandard port is not remotely effective<\/span><\/i><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">As the image shows, security through obscurity doesn\u2019t work any better than security through ephemerality \u2013 having the port open \u201ctemporarily\u201d &#8212; did in the first example. Brute force attempts began less than one minute from when the RDP port opened.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">So what\u2019s an administrator to do? For access, there are much more secure methods to allow remote access to an environment \u2013 for instance, a VPN with MFA. (Recommendations for individual enterprises are beyond the scope of this article, but know that solutions exist.) As for investigators, in the next part of this series we\u2019ll look at multiple queries that can enhance understanding of attack specifics.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><strong>Remote Desktop Protocol: The Series<\/strong><\/p>\n<p>Part 1: Remote Desktop Protocol: Introduction (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-the-series\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/dmzfBSs02lA\">video<\/a>)<br \/> Part 2: Remote Desktop Protocol: Exposed RDP (is dangerous) ([you are here], <a href=\"https:\/\/youtu.be\/XyWnKaLwmkQ\">video<\/a>)<br \/> Part 3: RDP: Queries for Investigation (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-queries-for-investigation\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/-Vo_Gok59WE\">video<\/a>)<br \/> Part 4: RDP Time Zone Bias (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-how-to-use-time-zone-bias\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/gaq46NUkOyA\">video<\/a>)<br \/> Part 5: Executing the External RDP Query (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-executing-the-external-rdp-query\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/hGKvzkb47JA\">video<\/a>)<br \/> Part 6: Executing the 4624_4625 Login Query (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-executing-the-4624_4625-login-query\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/YpvAnSEk8HU\">video<\/a>)<br \/> GitHub query repository: <a href=\"https:\/\/github.com\/SophosRapidResponse\/OSQuery\/tree\/main\/Artefacts\/Logins\">SophosRapidResponse\/OSQuery<br \/> <\/a>Transcript repository: <a href=\"https:\/\/github.com\/sophoslabs\/video-transcripts\">sophoslabs\/video-transcripts<br \/> <\/a>YouTube playlist: <a href=\"https:\/\/www.youtube.com\/playlist?list=PLW9m2f_dtUOVVita1zUhzv4T-VSzxUAUZ\">Remote Desktop Protocol: The Series<\/a><\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-exposed-rdp-is-dangerous\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/rdp-hero-02.jpg\"\/><\/p>\n<p><strong>Credit to Author: Angela Gunn| Date: Wed, 20 Mar 2024 16:16:34 +0000<\/strong><\/p>\n<p>Is it really that risky to expose an RDP port to the internet? What if you change the default port? What if it\u2019s just for a little while? The data answers, loud and clear <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[12657,27362,25038,18324,24552,27030],"class_list":["post-24197","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-incident-response","tag-incident-response-tools","tag-mdr","tag-rdp","tag-security-operations","tag-sophos-x-ops"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24197","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24197"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24197\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24197"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24197"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24197"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}