Millions of ports are being left open online, and many of these are being exposed to potential attackers through the remote desktop protocol (RDP).

An internetwide scan by researchers at Rapid7 discovered that there were more than 11 million devices with open 3389/TCP endpoints. More than 4.1 million of these open ports were using the protocol to communicate in one form or another.

An Ongoing Risk

RDP is a proprietary protocol from Microsoft that gives users the opportunity to access a graphical interface so they can control computers over a network remotely. Support for the protocol has been a feature in almost every version of the Windows operating system (OS) since the introduction of Windows NT.

Its strengths make it a very popular management tool, but it is also a popular focus for cybercriminals. Microsoft has published 20 security updates for the protocol since 2002 and as many as 24 individual vulnerabilities, Rapid7 reported. Newer versions require network level authentication by default, which acts as a boon to security.

However, the protocol is often exposed in internal networks due to its ability to simplify administration and support issues. Its popularity to attackers was demonstrated in June last year when Kaspersky Lab researchers found a cybercriminal trading platform called xDedic that was selling access to more than 70,000 compromised RDP servers.

How Researchers Investigated RDP

Rapid7 researchers were keen to discover which protocols were putting potentially open endpoints at risk. The firm used its Sonar research tool and a series of scans, connections and exchanges to analyze the number of systems that exposed RDP across the internet.

Researchers counted responses that appeared to come from RDP-speaking endpoints, including error messages from possible configuration issues and success messages. Rapid7 suggested that the final tally of 11 million endpoints — with 4.1 million speaking via the protocol — is shockingly high.

Rapid7 said any of the exposed endpoints are not protecting their services through basic firewall rules or access control lists. This revelation highlighted uncertainties as to whether a range of basic security practices are being applied to the endpoints.

What Can IT Managers Do to Respond?

The good news, if there is any, is that Rapid 7 discovered that more than 83 percent of the endpoints were willing to authenticate through the secure CredSSP connection. Researchers suggested that it was impressive that more than four-fifths of exposed endpoints were using one of the more secure protocols to authenticate sessions.

However, the human factor is still a big concern, reported Bleeping Computer. The publication said that these endpoints are often left exposed because administrators rely on credentials that are easy to guess or allow access without authentication. Many of the ports are not protected by a firewall and would be cannon fodder for a malware outbreak.

News of the potential exposure will come as a concern to IT managers at enterprises, where admins often use the protocol to deal with support concerns remotely. The key to success or failure will be how users deploy the protocol to connect. IT managers should use a combination of passwords, firewalls and access control lists to help reduce risk.

More from

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…