| 22 Jun 2019 | ( words)

RDP and Bluekeep - not just 3389

A couple of weeks ago a new vulnerability that affects the RDP protocol was announced. This vulnerability was soon dubbed "Bluekeep" by @Gossithedog and has since been used widely in the industry.

At the time of this writing, multiple parties have now remote code execution using this vulnerability, which means they can directly get vulnerable machines to run programs or execute commands.

At BinaryEdge we constantly scan for RDP and had already seen and written about what the RDP numbers look like.

For Bluekeep, the always amazing Rob Graham launched a tool called rdpscan.

The way the BinaryEdge platform works, any piece of software that can consume IP addresses or CIDR's can, in minutes, be deployed as a module on our platform, so we decided to take a look at how many machines are vulnerable worldwide to Bluekeep.

Since this vulnerability has been out for a few days we expected to already find a lot of machines patched... this is what we found:

With rdpscan there are three main "states" as mentioned by Rob on his blog.

Vulnerable - machine was vulnerable to Bluekeep

Unknown - some type of error occurred

Safe - machine is not affected by Bluekeep

We first decided to look at our two main RDP ports, port 3389 and 3388

final_plot_with_logo-1

When looking at this data, we noticed that everyone was focused on port 3389, however 7366 machines on port 3388 shows that the presence of RDP in alternative ports is a possibility, and its important not to forget, those 7366 don't just represent 7366 machines that can be added to a botnet. What they represent is 7366 entry points to much larger networks of machines that can be infected.

So even if the number is not as big as the 709,407 machines found still vulnerable on 3389, they are still extremely dangerous.

Our clients always request that we give them as much visibility as into their exposure, so we knew that by just looking at the two ports, we were not giving them enough, thats when we decided, to take a look at all the 200 ports that we scan for the prevalence of RDP.

On the "alternative ports" (other ports that are not 3388,3389) we found over 93,000 more IP addresses exposing RDP to the internet. The following image shows the results of our testing with rdpscan on the top 10 ports:

final_plot_top10_with_logo

So what does the distribution look like on the alternative ports?

final_plot_altports_overall_with_logo

17,258 extra entry points into networks that can have hundreds of machines behind them.

Bluekeep is a serious vulnerability, organisations need to look into patching their servers faster so that a Wannacry or NotPetya scenario doesn't occur to them.

Hackers and other actors are already scanning for the presence of RDP in alternative ports.

At BinaryEdge as an internet data platform, we don't just have the capability to scan the internet but also to observe via ou sensor network what other actors are doing

By using the query

tags:RDP_SCANNER created_at:[2019-06-16 TO 2019-06-22]

on our sensors tab, we can see that even in just the last 7 days, there is a big distribution of ports being looked at by other actors.

rdp_sensors

Even though this image is only showing us general statistics, a plot of all ports that we observed being scanned for RDP on the last 7 days paints a picture about alternative ports being scanned:

final_plot_sensor_rdp_with_logo-1

This image shows two important facts:

1 - Pretty much every port from 1 to 65535 has received at some point in the last 7 days a scan for RDP.

2 - Actors are focusing a lot of their scanning efforts on ports very close to 3389 which is why we see the higher quantity of events represented as the vertical line with events ranging over 10.0000 and 20.0000.

When looking at the numbers of RDP servers exposed on alternative ports, we went ahead and added the alternative ports to our screenshotting and OCR pipeline, not just for RDP but also for VNC. Other services for which we have modules will also now be crawled for on alternative ports. That means elasticsearch, mongoDB, redis, mqtt etc... which will provide you with a lot more visibility and data.

So you can go ahead, login on app.binaryedge.io and search if your organisation is exposing RDP simply by typing the organisation name on the "Images" tab, if you are an enterprise client and are wondering if you have RDP exposed on an alternative port, you can launch your own realtime on demand scan on all ports on your range!