
Cybersecurity Threat Advisory 0006-21: Threat Actors Abusing Windows RDP Servers

Threat Update

The RDP service for Windows devices operating on UDP port 3389 can currently be used in an amplification attack, potentially resulting in a DDoS of a target. A system that is either involved in or the target of such an attack could experience partial or total degradation in usability. It is recommended that RDP services be available exclusively via VPN services or, if that is impossible, that RDP via UDP port 3389 be blocked.

Technical Detail & Additional Information

WHAT IS THE THREAT?

The vulnerability exists in the Remote Desktop Protocol (RDP) service for Microsoft Windows which, when enabled on UDP port 3389, can be used to launch UDP reflection/amplification attacks. This means that an attacker can amplify a small amount of input traffic into a Distributed Denial of Service (DDoS) attack. By doing so, the attacker can direct an inordinately large amount of “junk” traffic to a destination of their choosing. This can result in partial or total loss of function for the device(s) that are affected.
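To check whether one of your own RDP servers is being used as a reflector, the sketch below scans flow records for UDP replies from source port 3389 that are much larger than the requests and go to a peer with no TCP/3389 session (RDP sets up its UDP transport only after the TCP connection exists). This is an added example, not code from SKOUT or NetScout; the flow tuple layout, the thresholds and all addresses are constructed assumptions.

```python
from collections import defaultdict

RDP_PORT = 3389
MIN_BYTES_OUT = 10_000  # assumed floor so stray probes are ignored
MIN_RATIO = 5.0         # assumed bytes-out / bytes-in threshold

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    # Legitimate client: a TCP session exists, UDP is its side channel.
    ("198.51.100.7", 50211, "10.0.0.5", 3389, "tcp", 5_000),
    ("198.51.100.7", 50212, "10.0.0.5", 3389, "udp", 2_000),
    ("10.0.0.5", 3389, "198.51.100.7", 50212, "udp", 60_000),
    # Spoofed source: small requests, large replies, no TCP session.
    ("203.0.113.9", 40000, "10.0.0.5", 3389, "udp", 2_000),
    ("10.0.0.5", 3389, "203.0.113.9", 40000, "udp", 150_000),
    # Stray probe: too little traffic to matter.
    ("192.0.2.44", 33000, "10.0.0.5", 3389, "udp", 20),
    ("10.0.0.5", 3389, "192.0.2.44", 33000, "udp", 100),
]

def find_reflection(flows, servers, min_bytes_out=MIN_BYTES_OUT, min_ratio=MIN_RATIO):
    """Return {server: {peer: (bytes_in, bytes_out, ratio)}} for suspicious peers."""
    udp_in, udp_out = defaultdict(int), defaultdict(int)
    tcp_peers = set()
    for src, sport, dst, dport, proto, nbytes in flows:
        if dst in servers and dport == RDP_PORT:
            if proto == "tcp":
                tcp_peers.add((dst, src))
            elif proto == "udp":
                udp_in[(dst, src)] += nbytes
        elif src in servers and sport == RDP_PORT and proto == "udp":
            udp_out[(src, dst)] += nbytes
    findings = {}
    for (server, peer), out in udp_out.items():
        # Skip peers with a real RDP session and peers below the volume floor.
        if (server, peer) in tcp_peers or out < min_bytes_out:
            continue
        inn = udp_in.get((server, peer), 0)
        ratio = out / inn if inn else float("inf")
        if ratio >= min_ratio:
            findings.setdefault(server, {})[peer] = (inn, out, ratio)
    return findings

if __name__ == "__main__":
    for server, peers in find_reflection(SAMPLE_FLOWS, {"10.0.0.5"}).items():
        for peer, (inn, out, ratio) in peers.items():
            print(f"{server} -> {peer}: in={inn} out={out} ratio={ratio:.1f}")
```

A flagged peer is the likely target of the reflected traffic, not its origin, because the requests carry a spoofed source address.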

WHY IS IT NOTEWORTHY?

A DDoS, while a relatively rudimentary cyber threat, can still cause extensive pain to both the attacker’s target and the devices being used as part of the attack. NetScout, which originally released the report of this vulnerability, has detected over 33,000 abusable Windows RDP servers to date. This vulnerability is also noteworthy through the lens of general RDP security. At SKOUT, we have seen several compromises recently that have stemmed from improper security posture when it comes to RDP services. RDP is a very common attack vector in many compromises, and if not properly secured it could result in a breach by something as simple as a brute force attack. It is also not uncommon for attacks like these to be offered as a service by threat actors, who lease their botnets out to perform these attacks for the highest bidder.

WHAT IS THE EXPOSURE OR RISK?

If UDP port 3389 is not properly secured or if RDP is not positioned behind a VPN concentrator, it could result in significant degradation of services if targeted by a DDoS attack. While the exact nature of the degradation depends on the criticality of the target, a device being rendered partially or totally unusable due to an attack can represent a threat. This can be particularly damaging to a brand if its publicly available infrastructure (such as websites or web shops) is taken offline regularly or for extended periods of time. Also, if the organization operates as a service, an inability to perform said service could reflect negatively on the organization.

WHAT ARE THE RECOMMENDATIONS?

The recommendations for this vulnerability are relatively straightforward. NetScout has recommended that any organization that can do so should make its RDP services available exclusively via VPN services, as such a configuration would protect it from this attack. If this is not possible or not feasible, the secondary recommendation is to disable RDP via UDP port 3389. However, it is important to note that if your organization utilizes RDP via UDP port 3389, this will prevent legitimate access as well.


If you have any questions, please contact our Security Operations Center.