127% increase in exposed RDPs due to surge in remote work

Posted by Asaf Aprozper on March 30, 2020 1:12:18 PM EDT

Remote access channels are one of the preferred attack vectors for criminals trying to obtain access to organizations’ internal networks. Recently, various vulnerabilities in enterprise VPNs were exploited in the wild during attack campaigns by malicious actors and nation-states.

Attacks on exposed remote desktop protocols (RDP) are no news either. Such attacks have been making headlines for several years now. The attack mechanism is grossly known and various exploits are published from time to time, making the exploitation easy.

The unprecedented surge in remote work due to the COVID-19 pandemic has led to an increase in RDP usage. As a side effect of the need to provide remote access quickly and at scale, many RDPs are being misconfigured and left exposed to the internet.

At the time of writing this article, Reposify’s external attack surface management platform has detected more than 4.7 million RDPs that are exposed to the internet and are at risk of potential attacks. On some days there was 127% increase in exposed RDPs.

Exposed RDPs Covid -19

 When examining the organizations that own the IPs with exposed RDP endpoints, things become clearer. The vast majority of these organizations are well known cloud, virtual, or physical hosting providers where remote access to a Windows machine is a frequent necessity.

Exposed RDP by ISP Ownership-Reposify

This is not surprising that most of the exposed RDPs are hosted in the cloud given the fact that IT teams have much less visibility when it comes to their cloud assets.  Users from various departments within an organization are able to set up RDP instances in the cloud without IT teams’ awareness, something which is unlikely to happen in cases of RDPs in internal networks,where there are firewalls and stricter procedures.

A chronicle of a cyber-attack foretold

It all starts with a RDP which is left exposed to the internet (typically on port 3389). It can be easily detected by hackers using online port scanners in search for unsecured RDP services. Once found, attackers can pick and choose between buying stolen RDP login credentials on darknet marketplaces, leverage an abundance of login brute-forcing tools to crack it open or using known exploits from the wild such as BlueKeep and other vulnerabilities.

Once in, the damages that attackers can cause vary based on their goals but one thing is sure, they can easily gain access to the entire internal network of the target organization.

Microsoft recently published a blog about the PARINACOTA group, which is currently active and typically brute forces its way into servers that have Remote Desktop Protocol exposed to the internet affecting between three to four organizations every week with. Last year approximately 1.5 million exposed Remote Desktop Protocol servers were attacked by a botnet named GoldBrute which also used brute-force methods.

And the cost? a steep one. In 2018, Hancock Health hospital was forced to pay over $50K in ransom to regain access to critical data that was encrypted after the hospital server running RDP services was compromised and used as an entry point into the internal network.

A recent breach-briefing report published by Beazley Group indicates that poorly secured remote desktop protocols are one of the two most common attack vectors through which ransomware is deployed, the other one being phishing emails. This finding is not surprising given the long chain of ransomware discovered in recent years using RDP as the infection vector including SAMSAM, Dharma, Matrix, Bitpaymer, Ryuk, Crysis, Nemty and the newly discovered Nefilim which seems to also be spreading mostly thought exposed RDPs. 

So when the risks are known and the stakes are high, how come so many RDPs are still left exposed to the internet?

There are many reasons which can lead to a RDP becoming exposed to the public internet. In some cases, it may become accessible deliberately as attackers manage to convince unwary users to enable the RDP so that “remote support” can be provided. A more common reason is simply due to the fact that teams fail to properly secure their RDP services against unauthorized access. Here are a few examples that represent the daily reality in the vast majority of organizations:


Firewall rules can be created to limit Remote Desktop access for specific IP addresses. However, a simple error in the firewall configuration process can result in a RDP port becoming exposed to the internet. Another example of a configuration step which is not recommended is disabling the network-level authentication. Disabling it can result in the exposure of a RDP login and the risk of becoming vulnerable to BlueKeep.

Skipping White-listing

RDP provides a quick and simple way for employees to access their desktops. Since the IP addresses of remote users change very often, many times, no white-listing of authorized users is done. In some cases, it is not feasible for IT teams to keep manually updating these frequent changes in IP addresses, especially now when most, if not all the employees are connecting from home.

Unknown RDPs

RDPs set up by employees without IT teams’ awareness are another source of unwanted exposure. If Lauren from finance just opened a Remote Desktop Protocol to set up a connection to her work endpoint, IT will most likely have no idea about it. If no GPO was configured then each and every employee could potentially do so.

6  steps for reducing the risks of an attack on RDPs

  1. Ensure RDPs are not accessible from the internet. Block external connections to your servers on port 3389 on your organization's firewall.
  2. Access to RDP should be available solely via a virtual private network (VPN) and not from the open internet. In addition, the VPN should be protected by multi-factor authentication and users should be encouraged to use complex passwords to reduce the chance of successful brute-force attacks.
  3. Apply IP geolocation blocking on your VPNs gateways. IP addresses white-listing, can be added for specific admin users that are allowed to connect via RDP.
  4. Enable Network Level Authentication (NLA).
  5. If possible, consider placing RDP servers behind a DMZ or other restricted area of the network and limit the number of services which can be reached within the internal network.
  6. Change GPOs to define shorter timeouts sessions and the maximum amount of time any single session can be active.

RDP is a useful tool, especially now when the demand for remote access is higher than ever before, but too many organizations are leaving RDP exposed to the internet, making it susceptible to exploitation by malicious actors. It is crucial for organizations to gain visibility into which RDP servers they have running across all environments and whether they comply with the security guidelines.

Want to make sure you have complete visibility of all your organization’s RDPs? Sign up for a free reposify account and get instant visibility into all internet facing assets which are currently exposed. Discover exposed RDPs, unpatched vulnerable VPNs, exposed QA & Dev environments and many more uknonw risks.

Check your exposures now, it's free.

Topics: "Respoify IoT Scanner", "Remote Access", "Exposed RDP", "Remote Work"

Is Your Enterprise VPN Secure?

Posted by Yaron Tal on March 18, 2020 5:24:56 AM EDT

In these days of uncertainty, while many, if not most of us are at home trying to balance working remotely and family life, DevOps, IT & security teams are doubling down on their efforts to provide the technical support needed to ensure business continuity. The task at hand presents a unique challenge which for many organizations is uncharted. 

One of the topics that is currently on every IT team's to-do list is ensuring VPNs are running smoothly and connectivity is scaled up to match the heightened traffic and access requests.  Enterprise VPNs are important as they allow users a secure remote connection into the organization’s internal network thus extending the private network across a public one. In essence, VPNs protect corporate assets and sensitive data from internet exposure, making sure that anyone intercepting the encrypted data will not be able to read it.


VPNs are and should be exposed to the internet, but what happens if they themselves become vulnerable? 

If a VPN server is compromised, attackers can easily infiltrate a company’s intranet and carry out a range of activities such as obtaining access to logs and files and executing malicious codes on the network among others. As a result, Enterprise VPN servers are lucrative targets that hackers are going after, and especially now, when so many users are depending on the ability to connect remotely in order to continue performing their work.


How easy is it to find exposed vulnerable VPNs on the internet? 

Exposed VPNs can be found with just a few clicks. Attackers use internet scanners to discover VPN servers that run on a vulnerable software version. Once detected, they leverage known vulnerabilities and off the shelf proof-of-concept codes that can be found online. Reposify’s internet scanners detected millions of VPNs servers currently exposed to the internet, of which thousands are unpatched and vulnerable.


What kind of VPN vulnerabilities exist out there?

Recently, multiple CVEs were released for several widely used VPN servers. In 2019 and 2020 there were several attacks in which these VPN vulnerabilities were exploited to infiltrate and plant backdoors in companies all over the world. These known vulnerabilities allow an attacker to login into the intranet and retrieve files , logs and cached passwords,  shut down the MFA and could allow remote code execution on the clients connecting to the compromised VPN server.


Here is a shortlist of the most recent CVE’s that were released for common VPN types:

Pulse Connect Secure:


  • CVE-2018-13379: Pre-auth arbitrary file reading
  • CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user.
  • CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router.

Palo Alto Networks GlobalProtect Portal

  • CVE-2019-1579:  Unauthenticated remote attacker to execute arbitrary code.

Citrix NetScaler:

SonicWall VPN: (SonicWall SRA and SMA VPN servers)

  • CVE-2019-7481: Blind SQL injection vulnerability which can be exploited remotely.
  • CVE-2019-7482: Execute arbitrary commands with nobody privileges on the device.
  • CVE-2019-7483: Pre-authentication vulnerability.

How to reduce exposures and vulnerabilities in your VPNs?

The Cybersecurity and Infrastructure Security Agency (CISA) has released several mitigation steps that teams can follow in order to improve their VPNs security

  1. Ensure the latest software patches are installed on all your VPNs, network infrastructure devices, and other devices being used to remotely access work environments.  
  2. If during this review process, you discovered a VPN server that wasn't patched immediately after the release of a CVE, it is recommended to scan your entire internal network for any signs of compromise.
  3. If you suspect a VPN server was compromised, reset your authentication credentials associated with the affected VPN and accounts connecting through it.
  4. Implement multi-factor authentication (MFA) on all VPN connections to avoid brute force attacks against the login panel. If MFA cannot be implemented, encourage employees to use strong passwords. 
  5. Ensure IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications—such as rate limiting—to prioritize users that will require higher bandwidths.
  6. Prepare for the need to ramp up the following remote access security tasks: log review, attack detection, and incident response and recovery.




Topics: "Respoify IoT Scanner", "VPN Security", "Remote Access", "Pulse VPN"

Never Miss A Bit!

Stay looped in with the latest in cyber security. 

Sign up for our newsletter!

  • Tap into best practices and tips delivered to your inbox
  • Reveal new vulnerabilities and exposed asset trends
  • Discover external attack surface industry benchmarks
  • Learn about the latest Reposify news

Subscribe Here!

Recent Posts