Millions of ports are being left open online, and many of these are being exposed to potential attackers through the remote desktop protocol (RDP).

An internetwide scan by researchers at Rapid7 discovered that there were more than 11 million devices with open 3389/TCP endpoints. More than 4.1 million of these open ports were using the protocol to communicate in one form or another.

An Ongoing Risk

RDP is a proprietary protocol from Microsoft that gives users the opportunity to access a graphical interface so they can control computers over a network remotely. Support for the protocol has been a feature in almost every version of the Windows operating system (OS) since the introduction of Windows NT.

Its strengths make it a very popular management tool, but it is also a popular focus for cybercriminals. Microsoft has published 20 security updates for the protocol since 2002 and as many as 24 individual vulnerabilities, Rapid7 reported. Newer versions require network level authentication by default, which acts as a boon to security.

However, the protocol is often exposed in internal networks due to its ability to simplify administration and support issues. Its popularity to attackers was demonstrated in June last year when Kaspersky Lab researchers found a cybercriminal trading platform called xDedic that was selling access to more than 70,000 compromised RDP servers.

How Researchers Investigated RDP

Rapid7 researchers were keen to discover which protocols were putting potentially open endpoints at risk. The firm used its Sonar research tool and a series of scans, connections and exchanges to analyze the number of systems that exposed RDP across the internet.

Researchers counted responses that appeared to come from RDP-speaking endpoints, including error messages from possible configuration issues and success messages. Rapid7 suggested that the final tally of 11 million endpoints — with 4.1 million speaking via the protocol — is shockingly high.

Rapid7 said any of the exposed endpoints are not protecting their services through basic firewall rules or access control lists. This revelation highlighted uncertainties as to whether a range of basic security practices are being applied to the endpoints.

What Can IT Managers Do to Respond?

The good news, if there is any, is that Rapid 7 discovered that more than 83 percent of the endpoints were willing to authenticate through the secure CredSSP connection. Researchers suggested that it was impressive that more than four-fifths of exposed endpoints were using one of the more secure protocols to authenticate sessions.

However, the human factor is still a big concern, reported Bleeping Computer. The publication said that these endpoints are often left exposed because administrators rely on credentials that are easy to guess or allow access without authentication. Many of the ports are not protected by a firewall and would be cannon fodder for a malware outbreak.

News of the potential exposure will come as a concern to IT managers at enterprises, where admins often use the protocol to deal with support concerns remotely. The key to success or failure will be how users deploy the protocol to connect. IT managers should use a combination of passwords, firewalls and access control lists to help reduce risk.

more from

From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers

A comparative analysis performed by IBM Security X-Force uncovered evidence that suggests Bumblebee malware, which first appeared in the wild last year, was likely developed directly from source code associated with the Ramnit banking trojan. This newly discovered connection is particularly interesting as campaign activity has so far linked Bumblebee to affiliates of the threat group ITG23 (aka the Trickbot/Conti…

X-Force 2022 Insights: An Expanding OT Threat Landscape

This post was written with contributions from Dave McMillen. So far 2022 has seen international cyber security agencies issuing multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of two new OT-specific pieces of malware, Industroyer2 and InController/PipeDream, and the disclosure of many operational technology (OT) vulnerabilities. The OT cyber threat landscape is expanding dramatically and OT…