Hello and welcome to the Wednesday, April 8, 2020 edition of the Santernut Storms anders Stormcast.

My name is Johannes Ulrich.

And then I'm recording from Jacksonville, Florida.

I looked a little bit closer at RDP scanning traffic last week and summarized some of what I found in a post today.

And what is this really about is that Shodan reported an increase in exposed RDP servers.

Now, they had to reduce the number a bit, turn actually out, interestingly, and that may be

worth another sort of post that the increase

was more due to IPV6 than IPV4. So after they compared apples to apples and stuck with IPV4,

they still saw an increase was just not as pronounced as before of exposed RDP servers.

And, well, I talked about this a little bit last week when Shodan first reported it. It's probably due to administrators now having to work

from home, needing to quickly expose systems so they can be remote administered. So what I took a look at is to see whether or not the bad guys are sort of following that trend.

And this was a little bit difficult actually, well, in part because RDP port 3389 is one of the top port sort of consistently, so it's somewhat saturated already.

But what I saw was that attackers are actually dedicating more resources to scanning for

RDP. Typically, we have about 2,600 source IPs scanning for port 3389 each day.

Well, in March, that number went up to 3,540, so that's quite a significant increase.

About sort of 20, 30%, percent here that we have an increase.

So what this really means is do not expose RDP servers.

Attackers are actively looking for them.

They will find these RDP servers.

The number one attack that typically you'll see against an exposed RTP server is password brute forcing.

So if you have to expose an RDP server, then make absolutely sure that you use unique,

hard-to-guess passwords, even better two-factor authentication, but you need RTP gateway for that

...