RDP – ‘Really Do Patch’

With the release of security notice CVE 2019-0708 on the 14th of May 2019, a sudden increase in port 3389 scanning on our external honeypot as can be seen from the image below.

So far I have seen that there are more than 1 million IP addresses exposed to the Internet that are vulnerable to “BlueKeep” exploit.

If we look at victimology, we need to understand the reason and also look at the source of the attacks. As we can see from the image below, Russia is the largest ‘culprit’ just after the exploit was made known. As a low-level cyber-war is taking place under our noses, we may have been compromised without realizing it. It is also said that a system compromise is normally detected after 150 days. I have worked on a breach that has been active for more than 240 days.

RDP – Attacks by Country

The following image to me is a bit more worrying as a very small percentage on the left diagram is ‘anonymizer’. A source using an anonymizer may be a more sophisticated attacker which may have tools to exploit your system. The problem with a system that has been breached, it still stays breached after you apply the patch.

RDP – Attack Source Reputation

As a CIO/CSO of your organization, you should have a handle on the assets internal as well as external facing. Many companies are allowing for RDP (Terminal Services), TCP 3389 to be accessible from the Internet which in fact should not be allowed. It is a high risk to the organisation and usually, I do not find any logging and monitoring on such systems.

If you need access to any system, this should be done via a secure VPN with a proper authentication solution such as a 2FA (Two-Factor-Authentication) scheme.

It is time to do a system check!