In the years before I became a cybersecurity journalist, I was a remote tech support agent for Windstream. Our job was to resolve any sort of problems that could possibly be fixed via remote support or over the phone.
Interestingly enough, we didn't use Microsoft's proprietary Remote Desktop Connection application, which uses Windows Remote Desktop Protocol (RDP) on TCP port 3389. We used LogMeIn Rescue, which uses web ports 80 and 443, but mainly the latter. I'm sure there are organizations which use RDP, but I've never used it.
Unless you specifically use RDP, the firewalls on your Windows endpoint should probably block port 3389. If the port has to be used, your security infrastructure should at least be watching it carefully. Cyberattacks through RDP can result in a hostile party completely taking over your Windows client!
Why Windows Users Should Care
Here's the case in point that should worry Windows users. RDP is disabled by default in all client and server Windows versions that support the protocol. Nonetheless, a Sonar study conducted by Rapid7 discovered about 11 million Windows endpoints with port 3389 open, with 4.1 million of those “RDP speaking of some manner or another.” Ouch! Considering connecting to a Windows machine via RDP means an attacker can see a target's monitor output and provide mouse and keyboard input, that's pretty scary.
The study also mentions that if port 3389 is vulnerable on a client, they aren't applying even the basic firewall rules in Windows Firewall or access control lists. An information gathering operation that finds port 3389 open on a Windows client can be interpreted by an attacker as a flag that says, “this one's gonna be easier than stealing candy from a baby!”
The Shadow Brokers leak in April not only contained EternalBlue, which was used in WannaCry ransomware, but also EsteemAudit. The EsteemAudit exploit uses an inter-chunk heap overflow to acquire full remote access to a target.
When Microsoft did an unusual post-support period patch to fix the EternalBlue SMB vulnerability in March, they didn't release a patch for the vulnerability that EsteemAudit exploits until June.
Patches Released Doesn’t Equal Patches Installed
Considering how WannaCry was able to attack many Windows clients worldwide in May, and the NotPetya variants were able to use the same EternalBlue exploit in June, when Microsoft releases a patch it doesn't mean that all applicable Windows clients have installed it. Millions of Windows machines are somehow not installing all of the patches that Microsoft develops.
That's exactly what Rapid7's findings illustrate. Not only Windows clients on the internet not installing all of their available security patches, they also don't even have basic Windows Firewall rules, let alone an advanced third party firewall.
28.8% of the exposed RDP endpoints Rapid7 found are in the United States, 17.7% are in China, and 4.3% are in Germany. What's more alarming is the organizations that own the IP addresses that they found vulnerable- 7.73% were from Amazon, 6.8% were from Alibaba, 4.32% were from China Telecom, and 2.07% were from Comcast. Microsoft has 4.96% of those IPs. Wow.
This should be a wake-up call to organizations worldwide. Make sure you close or otherwise secure port 3389! While you're at it, make sure your Windows clients and servers have all of the security patches that Microsoft has made available.
