Hackers Scanning RDP Services Especially Port 1098 For Exploitation


There is a significant surge in scanning activities targeting Remote Desktop Protocol (RDP) services, with a particular focus on port 1098/TCP.

Over the past two weeks, honeypot sensors have detected an alarming increase in these scans, with up to 740,000 distinct source IP addresses daily, including a staggering 405,000 originating from Brazil, Shadowserver Foundation observed.

This aggressive scanning campaign highlights the ongoing threat landscape surrounding RDP services, which have long been a favored target for cybercriminals due to their widespread use and potential vulnerabilities.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

The unusual focus on port 1098, typically associated with other services, suggests that attackers may be exploiting misconfigurations or seeking to bypass traditional security measures.

The timing of this scanning activity is particularly noteworthy, as it follows closely on the heels of Microsoft’s recent Patch Tuesday release.

The December 2024 update addressed multiple critical RDP vulnerabilities, including CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49132, CVE-2024-49116, and CVE-2024-49128.

Here’s a table summarizing the CVEs related to Remote Desktop Services vulnerabilities from Microsoft’s December 2024 Patch Tuesday:

CVE Number Severity CVSS Score Description
CVE-2024-49106 Critical 8.1 (High) Remote Code Execution in Windows Remote Desktop Services
CVE-2024-49108 Critical 8.1 (High) Remote Code Execution in Windows Remote Desktop Services
CVE-2024-49115 Critical 8.1 (High) Remote Code Execution in Windows Remote Desktop Services
CVE-2024-49116 Critical Not Specified Remote Code Execution in Windows Remote Desktop Services
CVE-2024-49119 Critical Not Specified Remote Code Execution in Windows Remote Desktop Services
CVE-2024-49120 Critical 8.1 (High) Remote Code Execution in Windows Remote Desktop Services
CVE-2024-49123 High 8.1 Remote Code Execution in Windows Remote Desktop Services
CVE-2024-49128 Critical Not Specified Remote Code Execution in Windows Remote Desktop Services
CVE-2024-49132 High 8.1 Remote Code Execution in Windows Remote Desktop Services

All these vulnerabilities affect Windows Remote Desktop Services and pose significant security risks if left unpatched. Organizations should prioritize applying the latest security updates to mitigate these threats.

If left unpatched, these vulnerabilities could allow attackers to execute remote code on affected systems.

Security experts warn that misconfigured RDP services can give attackers a dangerous foothold into target networks. Beyond gaining unauthorized access to vulnerable hosts, attackers can also gather valuable information about target systems.

The SSL certificates used by RDP often contain the system’s hostname, providing attackers with additional reconnaissance data.

In light of these threats, organizations are strongly advised to take immediate action to secure their RDP services. Key recommendations include:

  1. Limiting unnecessary exposure of RDP services to the internet.
  2. Enabling Multi-Factor Authentication (MFA) for all RDP connections.
  3. Ensuring all systems are promptly patched with the latest security updates.
  4. Implementing strong password policies and account lockout measures.
  5. Network Level Authentication (NLA) is used to add an extra layer of pre-authentication security.

Furthermore, IT security teams are urged to investigate any reports of RDP scanning or exploitation attempts promptly. The source IP addresses involved in these activities may indicate compromised systems being used as part of a larger attack infrastructure.

As remote work continues to be a significant part of many organizations’ operations, securing RDP and other remote access technologies remains critical.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free



Source link