An Internet-wide scan carried out by security researchers from Rapid7 has discovered over 11 million devices with 3389/TCP ports left open online, of which over 4.1 million are specifically speaking the RDP protocol.

The number is up from previous scans when researchers found 9 million devices with open 3389 ports in early 2016, then 9.4 million in late 2016, and 7.2 million in early 2017, as part of Rapid7's bi-annual National Exposure Index scans.

This time around researchers fine-tuned their scanners to detect 3389 ports used for actual RDP connections. The improved scan revealed a smaller number of actual RDP ports. However, the number is still quite large.

RDP — a favorite among hackers

RDP, which stands for Remote Desktop Protocol, is a protocol developed by Microsoft to allow users access to a virtual screen, keyboard, and mouse that they can use over a network to control remote computers.

Because of these innate features, RDP has been one of the enterprise world's favorite remote management tools, but also a prime target for hackers for decades.

A Webroot report from March 2017 pins RDP as the favorite method for delivering ransomware, topping spam campaigns.

Since 2002, Microsoft also issued 20 security updates specifically related to RDP, patching 24 separate CVEs (vulnerabilities).

RDP's popularity in criminal ranks became clear in June 2016 when Kaspersky researchers discovered xDedic, an online service that was selling access to nearly 70,000 hacked RDP servers.

83% of scanned RDP devices use a secure authentication method

But there is some good news as well. Because of the improved scanning procedures, researchers were able to get more insight on the types of RDP devices they were scanning.

Of the 4.1 million devices they uncovered clearly communicating via the RDP protocol, Rapid7 researchers say that over 83% were ready to initiate connections and authenticate via a secure connection (CredSSP).

Amazingly, over 83% of the RDP endpoints we identified indicated that they were willing to proceed with CredSSP as the security protocol, implying that the endpoint is willing to use one of the more secure protocols to authenticate and protect the RDP session. A small handful in the few thousand range selected SSL/TLS. Just over 15% indicated that they didn’t support SSL/TLS (despite our also proposing CredSSP…) or that they only supported the legacy “Standard RDP Security”, which is susceptible to man-in-the-middle attacks. Over 80% of exposed endpoints supporting common means for securing RDP sessions is rather impressive.

The human factor is still the main problem behind RDP

However, the usage of an encrypted channel to handle connections does not mean that RDP connections are protected. Most RDP endpoints are compromised because admins enable access without authentication, use easy-to-guess credentials, or don't use a firewall to control access to the RDP machine.

Just by the fact that Rapid7 discovered these 4.1 million devices with open RDP ports means they were not sitting behind a firewall. In the case of a new RDP exploit or zero-day, these devices would automatically become cannon fodder for the next major malware outbreak.

RDP may be a secure protocol, but it's how users deploy and use the protocol that counts. For the time being, the simplest methods to prevent unnecessary exposure of RDP services is to use strong passwords and place the RDP-enabled machine behind a firewall with properly configured ACLs (access control lists).

Below are two charts from Rapid7's scan results showing RDP's geographical and organizational spread.

Exposed RDPs by country

Exposed RDPs by org

Image credits: Chameleon Design, Bleeping Computer