Hello, welcome to the Monday, November 1st, 2021 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Orich, and today I'm recording from Jacksonville, Florida.

This weekend, we got a post from Guy discussing some of the scans that he's seeing for RDP against his honeypot.

Note that not just the default port is being scanned, 3389, but other ports are being scanned as well.

According to Shodan, there are about 4.9 million IPs that have 3389 exposed and another 4 million

roughly that have RDP listening on other ports, but mainly that's just changing it by one,

so 3388. Among the users being attempted here, Ncrack kind of sticks out.

That's, of course, a tool that comes with NMAP.

I think looking at the list of users that one of the main things here is that they're actually looking if RDP is exposed.

If I know Gies Honeypot correctly, it actually doesn't have an RDP server listening there.

So that's why we may not actually see then the Prude Force attempts that are likely going to follow.

Remember, RDP, it's so often exposed, but it's also very often an entry point for ransomware.

It's really one of the protocols that you need to get a handle on and need to block

random access to exposed RDP servers or, well, not expose them at all if you can.

So only access from legitimate administrator IP address should be granted,

and if you're working from home, you may still be able to limit it, like, to your ISP

or such, if you have a dynamic IP address.

And we also got an update for Sysmon and Auto Runs, mostly fixing bugs and certain crash

conditions.

Don't really see any significant new features there.

Also, remember with Windows 11 now being out for a couple of weeks, many of these tools,

I think power utilities, for example, have been updated for Windows 11 now.

...