Increased Scanning of RDP Services: Focus on Port 1098
Recent data has revealed a sharp rise in attacks targeting Remote Desktop Protocol (RDP) services, with a specific focus on port 1098/TCP. Over the past two weeks, honeypot sensors have recorded more than 740,000 daily scans from distinct IP addresses. According to Shadowserver Foundation, 405,000 of these scans originated from Brazil.
RDP services have long been a target for hackers due to their widespread use in corporate environments. However, the current attacks on port 1098 are unusual, suggesting that attackers may be exploiting misconfigurations or attempting to bypass standard security measures. This emphasizes the need for heightened vigilance in network monitoring and configuration management.
This activity coincides with the December 2024 Patch Tuesday release by Microsoft. The updates address multiple critical vulnerabilities in RDP services, including those allowing remote code execution (RCE).
Key CVEs Addressed in December 2024
Below is a summary of the RDP-related vulnerabilities fixed by Microsoft:
| CVE Number | Severity | CVSS Score | Description |
|---|---|---|---|
| CVE-2024-49106 | Critical | 8.1 | Remote Code Execution in Windows Remote Desktop Services |
| CVE-2024-49108 | Critical | 8.1 | Remote Code Execution in Windows Remote Desktop Services |
| CVE-2024-49115 | Critical | 8.1 | Remote Code Execution in Windows Remote Desktop Services |
| CVE-2024-49116 | Critical | Not Specified | Remote Code Execution in Windows Remote Desktop Services |
| CVE-2024-49119 | Critical | Not Specified | Remote Code Execution in Windows Remote Desktop Services |
| CVE-2024-49120 | Critical | 8.1 | Remote Code Execution in Windows Remote Desktop Services |
| CVE-2024-49123 | High | 8.1 | Remote Code Execution in Windows Remote Desktop Services |
| CVE-2024-49128 | Critical | Not Specified | Remote Code Execution in Windows Remote Desktop Services |
| CVE-2024-49132 | High | 8.1 | Remote Code Execution in Windows Remote Desktop Services |
Risks of Unpatched Systems
If these vulnerabilities are not addressed, attackers could remotely execute code on affected systems. Exploited RDP services serve as an entry point for hackers, enabling lateral movement, data theft, and ransomware attacks.
Importance of Addressing Misconfigurations
Improperly configured RDP services increase the risk of exploitation. Additionally, attackers can use SSL certificates associated with RDP to gather further information about the system, such as its hostname.
Recommendations for Securing RDP Services
Given the current threat landscape, organizations need to take immediate action. Experts recommend the following measures:
- Restrict Access to RDP Services:
- Ensure RDP access is granted only to essential users and systems.
- Use VPN or other secure solutions to hide RDP services from public networks.
- Enable Multi-Factor Authentication (MFA):
- Require MFA for all RDP connections to add an extra layer of security.
- Apply Security Updates Immediately:
- Install the latest patches, especially those addressing RDP vulnerabilities.
- Enforce Strong Password Policies:
- Implement strict password requirements and account lockout policies.
- Enable Network Level Authentication (NLA):
- Require pre-authentication for RDP connections to enhance security.
- Monitor Scanning Activity:
- Investigate unusual spikes in scanning or exploitation attempts. IP addresses involved in such activities may be part of a larger attack infrastructure.
The rise in remote work has increased reliance on RDP and similar technologies, making them a prime target for cybercriminals. Organizations must strengthen security measures and remain vigilant against evolving threats. Addressing vulnerabilities and securing RDP services is essential not only to mitigate current risks but also to ensure the long-term resilience of corporate networks.
