There are active attack campaigns as of October 2020 targeting RDP servers without multi-factor authentication enabled.

Recent assessments:

zeroSteiner at October 09, 2020 6:36pm UTC reported:

Over the past couple of years (2018-2020) attacks against RDP have become more and more common. Recent improvements in attacker-related tooling can be contributed to generally available and mature projects targeting RDP and a number of remotely exploitable vulnerabilities being disclosed.

Memory Corruption Flaws

One of the best examples of this is CVE-2019-0708 (AKA BlueKeep) which was an unauthenticated, remotely exploitable use-after-free in RDP. This particular vulnerability was able to be developed to yield semi-reliable code execution and is widely utilized by attackers. Following this, CVE-2019-1182 (AKA DejaBlue) was discovered as well. This particular bug was a heap corruption within the server’s dynamic channel handling. While this vulnerability has not to this date had exploitat code released, it also contributed to the popularity of RDP vulnerability research in 2019.

Why RDP As An Attack Surface?

Regardless of code execution-type vulnerabilities, RDP is an attractive attack surface for the following reasons:

• It’s commonly accessible internally and relatively accessible externally

• It’s common that non-administrative users can authenticate to it, offering an initial foothold to attackers

• The service can yield version information about the host operating system

• Established sessions can be hijacked using publicly documented tools techniques and procedure (TTPs)

• In addition to offering a graphical interface to the desktop session, it can also be used to mount drives and transfer files

When compared to an interface such as SMB for the purpose of lateral movement, RDP offers a much larger degree of freedom for the attacker. Using SMB, attackers are able to use a small number of techniques to achieve code execution such as PSexec. Alternatively, RDP through it’s graphical interface and file transfer capabilities offers attackers near limitless possibilities. This number of possibilities directly improves the attackers evasion capabilities as they can easily adapt and shift techniques that are blocked through whatever sort of endpoint protection maybe present. Furthermore, SMB as an attack surface is very well know and widely documented. For those reasons, and the fact that there are choke points from an attacker workflow perspective, there are mature defenses and controls in place (such as event monitoring) that are either not applicable to or are less effective when compared to RDP.

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5