The KOVID 19 pandemic prompted many companies to offer their employees the opportunity to work remotely, in many cases on a global scale. The Remote Desktop Protocol (RDP), which enables communication with a remote system, is an important element in enabling remote working and remote access for employees to internal company assets. In order to maintain business continuity, it is likely that many organizations will quickly bring systems online with minimal security controls so that attackers can easily log in.

RDP is a Microsoft protocol that runs on port 3389 and can be used by users who need remote access to internal systems. In most cases, RDP runs on Windows servers and host services, such as B. Web servers or file servers. In some cases it is also connected to industrial control systems.

RDP ports are often influenced by the Internet, which makes them particularly interesting for attackers. In fact, access to an RDP box can give an attacker access to the entire network, which can usually be used as an entry point for spreading malware or other criminal activities.

Because it can be such a powerful gateway, McAfee Advanced Threat Research (ATR) has noticed the emergence of many underground markets offering DPR certificates at a relatively low price. For example, McAfee ATR discovered access to a major international airport that could be bought for just $10. Since March 2020, the number of open RDP ports has increased significantly.

McAfee Advanced Threat Research and the security industry have long been aware of the risks associated with exposure to PDRs, and will continue to raise awareness as part of our monitoring of global threats.

In this blog we discuss the risks associated with the discovery of the RDP protocol and the misconfiguration associated with it.

ORS statistics

The number of RDP ports connected to the Internet is growing rapidly, from about three million in January 2020 to more than four and a half million in March. A simple search on the sedan shows the number of RDP ports connected to the internet per country.

It is interesting to note that the number of exposures to PDR systems is significantly higher for China and the United States.

Most compromised systems using RDP run on Windows servers, but we have also noticed other operating systems such as Windows 7.

For intruders, remote access to a system may, for example, allow them to commit multiple crimes:

  • Spam distribution : It is very convenient to use a legitimate system to send spam. Some systems are sold specially for this purpose.
  • Malware distribution : A hacked system provides a ready-to-use computer for easy distribution of malware or even for rotation on the intranet. Many authors of blackmail programs use this vector as a target for organizations around the world. Another criminal option would be the implementation of a cryptominar.
  • Use the compromised box as your own: Cybercriminals also use compromised remote systems to cover their tracks, for example, by compiling their tools on the machine.
  • Abuse: A remote system can also be used for other fraudulent activities, such as theft of personal data or collection of personal information.

This recent increase in the number of systems using RDP on the Internet has also had an impact on the underground world. McAfee ATR has seen an increase in both the number of attacks on RDP ports and the volume of RDP money orders sold on the underground market.

Cybercrimes Actively Exploiting RDP to Targeting Remote OrganizationsCybercrimes Actively Exploiting RDP to Targeting Remote Organizations

As already indicated in Shodan, the number of irradiated systems is higher in China (37% of the total) and the United States (37% of the total). It is therefore interesting to note that the number of PDP allocations stolen and offered for sale in the United States (4% of the total) is relatively much lower than in other countries. We believe that this may be due to the fact that the players behind the market sometimes hold RDP certificates without publishing the full list.

How can intruders hack into remote systems?

Weak passwords are always part of the usual sign-up points. Attackers can easily access it through brutal force attacks. In the figure below we see the 20 most commonly used passwords in the RDP. We compiled this list from information about weak passwords that were kindly passed on by a law enforcement agency to the destroyed RDP stores.

The following diagram shows the number of cracked systems that use the 10 most common passwords The most shocking is the large number of vulnerable PDR systems that don’t even have a password.

Cybercrimes Actively Exploiting RDP to Targeting Remote Organizations

The POP protocol also has weaknesses and needs to be corrected. Last year we presented in detail how BlueKeep’s vulnerability affects the reserved channel 31, which is part of the protocol functions that allow remote code execution.

RDP Stands for “Really DO Patch!” – Understanding the Wormable RDP Vulnerability CVE-2019-0708

Early January, other shortcomings in the Remote Desktop Gateway were also solved:

These two vulnerabilities are similar to the BlueKeep vulnerability and make it possible to execute code remotely by sending a specially designed request. We have not yet observed this vulnerability, which is exploited in nature.

The following checklist can be a good starting point for the security of the RDP protocol:

  • Do not allow RDP connections on the open internet.
  • Use complex passwords and multi-factor authentication.
  • Blocking of users and locking or time-out of IP addresses that have too many failed connection attempts
  • Use of the RDP portal
  • Restricting access to the domain administrator account
  • Reduce the number of local directors
  • Use a firewall to restrict access
  • Activation of the restricted administration mode
  • Enable Network Level Authentication (NLA)
  • Make sure the local administrator accounts are unique and restrict users who can login via RDP.
  • Consider an online investment
  • Consider using an account naming convention that does not disclose information about the organization.

For more information on securing access to the RDP, please visit our previous blog (


As mentioned above, RDP remains one of the most widely used penetration vectors in the organization. For cybercriminals, it is a simple solution to quickly carry out malicious activities such as malware, spam and other types of crime.

There is currently a lot of trade in the underground market around the POP, and the current situation has reinforced this behaviour. To remain secure, you must follow best security practices, starting with basic principles such as using strong passwords and fixing vulnerabilities.

McAfee ATR actively monitors threats and keeps you informed through this blog and its social media channels.

x3Cimg height=1 width=1 style=display:no src= />x3C/noscript>’) ;