Cybersecurity Network Management IT and Network Support

Cybersecurity Threat Advisory: Threat Actors Abusing Windows RDP Servers

Mike Beagles
Mike Beagles February 4, 2021 2 min read

As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.

This week there is a new critical alert that requires the mission-critical community’s immediate attention.

Advisory Overview

The Remote Desktop Protocol (RDP) service for Microsoft Windows devices operating on User Datagram Protocol (UDP) port 3389 can be used in an amplified attack, potentially resulting a distributed denial of service (DDoS) attack on a target. A system that is involved in, or is the target of, such an attack could experience partial or total degradation in usability. It is recommended that RDP services be available exclusively via virtual private network (VPN) services. If that is impossible, then RDP via UDP port 3389 should be blocked.

What is the threat?

The vulnerability exists in the RDP service for Windows, which, when enabled on UDP port 3389, can be used to launch UDP reflection/amplification attacks. This means that an attacker can amplify a low amount of input into a DDoS attack. By doing so, the attacker can direct an inordinately large amount of “junk” traffic to a destination of their choosing. This can result in partial or total loss of function for the devices that are affected.

Why is this noteworthy?

A DDoS attack, while a relatively rudimentary cybersecurity threat, still can cause extensive pain to both the attacker’s target and the devices being used as part of the attack. NetScout, which originally released the report of this vulnerability, has detected more than 33,000 abusable Windows RDP servers to date. This vulnerability is also noteworthy through the lens of general RDP security. Several compromises recently were observed that stemmed from improper security posture pertaining to RDP services. RDP is a very common attack vector in many compromises; if not properly secured, it could result in a breach by something as simple as a brute-force attack. It is common for attacks like these to be offered as a service by cyberattackers, leasing their botnet out to perform these attacks for the highest bidder.

What is the exposure?

If UDP port 3389 is not properly secured, or if RDP is not positioned behind a VPN concentrator, it could result in significant degradation of services if an entity is targeted by a DDoS attack. While the exact nature of the degradation depends on the criticality of the target, a device being rendered partially or totally unusable due to an attack can represent a threat. This can be particularly damaging to a brand if their publicly available infrastructure (e.g., websites) is taken offline regularly or for extended periods of time. Also, if the organization operates as a service, an inability to perform said service also could reflect negatively on the organization.

What are the recommendations?

The recommendations for this vulnerability are relatively straightforward. NetScout recommends that organizations should make their RDP services available exclusively via VPN services if possible, as such a configuration would protect them from this attack. If this is impossible or infeasible, the secondary recommendation is to disable RDP via UDP port 3389. However, it is important to note that if your organization utilizes RDP via UDP port 3389, this will prevent legitimate access as well.

Mike Beagles is MCP’s platform and service product manager and a certified Cisco CyberOps associate. He has more than 13 years of IT and cybersecurity experience. Mike can be emailed at MikeBeagles@MissionCriticalPartners.com.

Don't forget to share this post!

Mike Beagles
Mike Beagles
Mike has specialized experience with supporting public safety agencies by providing technical expertise, strategic planning and general consulting for new and innovative mission critical technologies as well as legacy solutions. Throughout his long-standing career, he has worked as a technical service manager and network engineer for several public safety software companies, as well as an IT manager with a mid-tier public safety 911/ CAD/RMS/Mobile software provider. His expertise runs deep in team and project management for large and small projects, which he has done for more than 12 years.

Related posts

Cybersecurity Network Management

Cybersecurity Threat Advisory: Apple iOS Zero-Day Vulnerabilities Exploited in Wild

February 12, 2021
Mike Beagles
Cybersecurity

Cybersecurity Threat Advisory: 'PrintNightmare' Zero-Day Vulnerability in Windows Print Spooler

July 13, 2021
Mike Beagles
Cybersecurity

Cybersecurity Threat Advisory: Black Basta Ransomware Group Threat

June 27, 2022
Mike Beagles