BlueKeep Exploits May Be Coming: Our Observations and Recommendations


Attacker activity


Rapid7 Labs has observed a significant uptick in malicious RDP activity since the release of CVE-2019-0708 (A.K.A. “BlueKeep”).


Figure 1 shows the total daily connections from known, non-benign sources. Current levels of malicious RDP activity are the highest since Rapid7 Labs deployed Project Heisenberg back in 2015 and are well above the levels seen at this same time last year.


There were spikes just before the release of the CVE from both known adversarial internet IPv4 ranges and from new sources whose scanning profile is consistent with nation-state vulnerability assessment activity (those are not marked as “benign”).



Figure 2 shows the daily unique sources. The spikes are related to the previously mentioned activity and are now a “new normal” for daily unique source activity.



There are three profiles to this RDP activity:


Inventory scans, where attackers are taking stock of where RDP is on the internet and what flavor of RDP is there. Presently, Rapid7 Labs Project Sonar sees just under a million non-NLA (no Network Level Authentication) RDP endpoints and over 3 million NLA endpoints on the default RDP port (3389) as of the latest July 2019 RDP studies. The spikes tend to be associated with inventory scans, but not all spikes are inventory-related.
Traditional RDP exploits; while far less pronounced, now that new attackers have established an inventory we see them trying to use older exploits for older flaws.
Credential stuffing; we’re used to seeing credential stuffing attacks but not nearly at these levels. The ac ..
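Defender-side triage of the first and third profiles above, as an added example that is not from the Rapid7 post: it buckets source IPs from a constructed, simplified per-event RDP log into inventory scanning, credential stuffing or baseline. The log format, the sample records and the thresholds are assumptions, not anything the post specifies.

```python
# Added example (not from the Rapid7 post). Input is a constructed per-event log:
#   "<ts> src=<ip> event=<connect|logon_fail|logon_ok> [user=<name>]"
# where "connect" is a TCP/TLS negotiation on 3389 that never offered credentials.
from collections import defaultdict

SAMPLE_LOG = """\
2019-07-10T03:12:01Z src=198.51.100.7 event=connect
2019-07-10T03:12:02Z src=198.51.100.7 event=connect
2019-07-10T03:12:03Z src=198.51.100.7 event=connect
2019-07-10T04:00:10Z src=203.0.113.9 event=logon_fail user=administrator
2019-07-10T04:00:11Z src=203.0.113.9 event=logon_fail user=admin
2019-07-10T04:00:12Z src=203.0.113.9 event=logon_fail user=backup
2019-07-10T04:00:13Z src=203.0.113.9 event=logon_fail user=test
2019-07-10T08:30:00Z src=192.0.2.25 event=logon_fail user=jsmith
2019-07-10T08:30:20Z src=192.0.2.25 event=logon_ok user=jsmith
"""

def parse_line(line):
    ts, *fields = line.split()          # first token is the timestamp, rest are k=v
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def profile_sources(log_text, scan_min=3, stuff_min_fail=3, stuff_min_users=3):
    """Return {src_ip: 'inventory_scan' | 'credential_stuffing' | 'baseline'}."""
    stats = defaultdict(lambda: {"connect": 0, "fail": 0, "ok": 0, "users": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["src"]]
        if rec["event"] == "connect":
            s["connect"] += 1            # handshake only, no credentials offered
        elif rec["event"] == "logon_fail":
            s["fail"] += 1
            s["users"].add(rec.get("user", ""))
        elif rec["event"] == "logon_ok":
            s["ok"] += 1
    profiles = {}
    for src, s in stats.items():
        if s["fail"] >= stuff_min_fail and len(s["users"]) >= stuff_min_users:
            profiles[src] = "credential_stuffing"  # many failures across many usernames
        elif s["connect"] >= scan_min and s["fail"] == 0 and s["ok"] == 0:
            profiles[src] = "inventory_scan"       # repeated probes, never authenticates
        else:
            profiles[src] = "baseline"             # e.g. a user who mistyped once
    return profiles
```

Calling `profile_sources(SAMPLE_LOG)` on the constructed log labels 198.51.100.7 as an inventory scan, 203.0.113.9 as credential stuffing and 192.0.2.25 as baseline; tune the thresholds to your own connection volumes before alerting on them.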
