Millions of exposed RDP on the Internet

Yesterday (14th May 2019) Microsoft released patches for a new vulnerability in Remote Desktop Services (CVE-2019-0708) that affects RDP. The bug is exploitable before authentication and requires no user interaction. It affects Windows 7, Server 2008 and 2008 R2, Server 2003 and XP.

In the last 30 days we were able to connect to roughly 2.6M devices over RDP without Network Layer Authentication.

[Figure: ports detected in the last 30 days]


How do we detect?

BinaryEdge gathers many types of data from multiple sources. We regularly scan the public Internet to detect what organizations are exposing on a global scale. Many organizations use this data to secure their own networks and those of their clients.

Remote Desktop software gives a user a graphical interface to another computer over a network connection. It is a common tool used by organizations and individuals to access a shared environment or to work remotely. Today we take a look at the exposure of Remote Desktops on the Internet, more specifically RDP, a proprietary protocol developed by Microsoft.

Important disclaimer:
BinaryEdge only looks at open Remote Desktops. Devices that request a password are skipped entirely, and no passwords are ever tested. No further action is taken on the remote desktop beyond the screenshot.

When scanning the public Internet we find that many critical systems are accessible via Remote Desktop.

Looking at the most commonly used ports for RDP, we have detected millions of endpoints exposing those ports (an open port does not prove that RDP is running on it, but it makes it likely).

[Table 1 image]
Table 1: Open ports detected in the last 30 days

From these, we try to connect over RDP without Network Layer Authentication (NLA). When the connection succeeds we take a screenshot and run the image through our image-processing pipeline, which analyses the image and extracts any text via OCR. When the RDP endpoint has NLA enabled we are unable to connect, and it is skipped.

This allows our clients to run a text search against the images. For example, they can search for their company name and get a list of all remote desktops that contain it.

How to detect if your organization has Remote Desktops exposed?

You can use our system to see whether your organization is exposing any Remote Desktop that might be affected by this vulnerability. To do so, access https://app.binaryedge.io/services/images and try some of the following searches:

  • Text search: just write your organization's name, or whatever word you want to detect;
  • If you know your organization's networks, you can use the keys ip, asn, or as_name to filter those results, for example:
    • ip:"70.82.157.254/24"
    • asn:5769
    • as_name:amazon


More information

Here is a talk we gave at BSides Lisbon 2016 about some of the analysis we do on images:

https://www.youtube.com/watch?v=yn3GO_wLeXE

Want to know more? Get in touch with us via [email protected] or join our Public Slack Group.

PROMO: Use promo code HELLOWORLD for 50% off for 6 months on your subscription.