Don’t Worry Honda…You’re Not Alone.
There More than 4.6M Globally Misconfigured and Exposed Remote Desktop Protocols

The cyber-attack this week against Honda is anything but sophisticated. Honda misconfigured an instance of Remote Desktop Protocol (RDP) which exposed the remote access to the public on several machines. Unfortunately, this threat is widespread and not unique to Honda. At present, there are over 4.6 million publicly accessible RDP-enabled devices operating around the world. There are over 1.3 million in the United States alone.

MISCONFIGURED_REMOTE_PROTOCOLS

Over 330,000 of these exposed RDP services are vulnerable to CVE-2019-0708 (BLUEKEEP) which is a remote code execution vulnerability existent in RDP services. This vulnerability impacts Microsoft Windows 7, Server 2003, Server 2008, Windows Vista, and Windows XP.

This specific vulnerability has two exploits which make it especially troublesome for corporations that have this vulnerability present; it is very easy for cyber adversaries to compromise a network.

Two weeks ago, in our weekly newsletter, we indicated that this specific vulnerability was being discussed across the dark web with increased chatter by hackers. In our May 28th and June 2nd newsletter – Attack Surface Attribution Intelligence – we highlighted that over 30 nation state threat actors leverage the software weaknesses in exposed RDP services to gain access and escalate privileges.

In researching this vulnerability, we have found that it most often is chained with two additional vulnerabilities: CVE-2020-13485 and CVE-2020-0796.

APTs_CHATTER_MISCONFIGURED_PROTOCOLS