I have noticed a surge in probes against the RDP service in the past 2 weeks. In August, a critical remote code execution (RCE) patch was released to fix CVE-2021-34535, for which a POC exploit has been published. This vulnerability also affects Microsoft Hyper-V Manager "Enhanced Session Mode" [5] and Microsoft Defender Application Guard (WDAG) [6]. According to Shodan [7], there are over 4.89M IPs with TCP:3389 listening and over 3.9M IPs with RDP listening on other ports, mainly 3388 [8]. Besides TCP:3389, my honeypot logged mstshash probes against other ports such as 21, 23, 80, 8000 and 8080.

20211018-022140: 192.168.25.9:3389-92.38.172.22:5616 data

[2021-10-30 08:42:54] [1558] [ftp_21_tcp 16145] [77.83.36.32:65158] recv: .../*......Cookie: mstshash=Administr

[Figure: Top 10 Usernames]

[Figure: Top 10 Sources]

If using RDP, Microsoft has provided the following information: "Security guidance for remote desktop adoption".

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31968
Guy, 523 Posts, ISC Handler, Oct 30th 2021
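The diary's point is that the RDP connection-request cookie ("Cookie: mstshash=...") turns up on ports that have nothing to do with RDP, so a per-port view of the honeypot log is what you want when triaging. The following Python script is an added example, not the diary's own tooling or the honeypot's code: it parses lines in the layout of the single honeypot line quoted above (the field layout is an assumption drawn from that one line), flags every mstshash cookie that arrives on a port other than 3389, and builds the "top usernames" and "top sources" counts the diary charts. The embedded log lines are constructed samples using documentation-range addresses.

```python
import re
from collections import Counter

# Log-line layout assumed from the single honeypot line quoted in the diary:
#   [timestamp] [pid] [<service>_<port>_<proto> <id>] [src:sport] recv: <data>
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<pid>\d+)\] "
    r"\[(?P<svc>[a-z]+)_(?P<port>\d+)_(?P<proto>tcp|udp) \d+\] "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+)\] recv: (?P<data>.*)$"
)
# The RDP X.224 connection request carries "Cookie: mstshash=<user>"
# (MS-RDPBCGR); mstsc sends at most the first nine characters of the username,
# which is why the diary's sample shows "Administr".
COOKIE_RE = re.compile(r"Cookie: mstshash=(?P<user>[^\r\n]*)")

RDP_PORT = 3389

# Constructed sample log modelled on the diary's line; the addresses are from
# the RFC 5737 documentation ranges and are not real probe sources.
SAMPLE_LOG = """\
[2021-10-30 08:42:54] [1558] [ftp_21_tcp 16145] [203.0.113.7:65158] recv: ...*..Cookie: mstshash=Administr
[2021-10-30 08:43:10] [1558] [http_80_tcp 16201] [203.0.113.7:65170] recv: GET / HTTP/1.1
[2021-10-30 08:44:02] [1602] [rdp_3389_tcp 16210] [198.51.100.23:5616] recv: ...*..Cookie: mstshash=hello
[2021-10-30 08:45:31] [1602] [telnet_23_tcp 16233] [198.51.100.23:5620] recv: ...*..Cookie: mstshash=admin
[2021-10-30 08:46:05] [1610] [http_8080_tcp 16240] [203.0.113.7:65190] recv: ...*..Cookie: mstshash=Administr
"""


def parse_line(line):
    """Return the parsed fields of one honeypot line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["port"] = int(fields["port"])
    return fields


def find_rdp_probes(lines, rdp_port=RDP_PORT):
    """Return one record per line carrying an mstshash cookie, flagging off-port hits."""
    probes = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        cookie = COOKIE_RE.search(fields["data"])
        if cookie is None:
            continue  # not an RDP connection request (e.g. a plain HTTP GET)
        probes.append({
            "ts": fields["ts"],
            "src": fields["src"],
            "port": fields["port"],
            "user": cookie.group("user").strip(),
            "off_port": fields["port"] != rdp_port,
        })
    return probes


def summarize(probes):
    """Counters behind the 'Top usernames' and 'Top sources' views the diary charts."""
    return Counter(p["user"] for p in probes), Counter(p["src"] for p in probes)


if __name__ == "__main__":
    hits = find_rdp_probes(SAMPLE_LOG.splitlines())
    for h in hits:
        flag = "OFF-PORT" if h["off_port"] else "rdp"
        print(f"{h['ts']} {h['src']} -> tcp/{h['port']:<5} {flag:8} user={h['user']!r}")
    users, sources = summarize(hits)
    print("top usernames:", users.most_common(10))
    print("top sources:", sources.most_common(10))
```

Run against the constructed sample, three of the four cookie-bearing lines are off-port hits (21, 23 and 8080); the HTTP GET on port 80 is ignored because it carries no cookie. To use it on a real honeypot, feed the file's lines to `find_rdp_probes` and adjust `LINE_RE` if the logger's field layout differs from the one assumed here.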
Oct 30th 2021
Why do people connect RD directly to the internet? In today's environment it is fairly straightforward to set up an OpenVPN server in conjunction with a pfsense firewall. Then you add a significant layer of security to your facilities that is difficult to peel away remotely.
Anonymous |
Nov 5th 2021