United States: Cyberattacks Directed At 33,0000 Microsoft Remote Desktop Protocol Servers (RDP)!

Netscout researchers have identified about 33,000 vulnerable Microsoft RDP servers that could be abused by threat actors to boost their DDoS attacks. RDP is a proprietary Microsoft communications protocol that system administrators and employees use to remotely connect to corporate systems and services.

Microsoft RDP can be configured by Windows systems administrators to run on TCP port 3389 or UDP port 3389, according to the report.

The researchers found that when the Microsoft RDP service is configured to UDP port 3389, attacks could amplify network packets from vulnerable ports and redirect that traffic to targeted IP addresses, increasing the size of a DDoS attack at little cost, according to the report.

In some cases, the Netscout researchers found an amplification ratio of 85.9:1, which means that for every 10 gigabytes per second of requests directed at an RDP server, the threat actors could redirect 860 gigabytes per second of network traffic at the targeted IP address as part of the DDoS attack, the report notes.

"Observed attack sizes range from ~20 Gbps - ~750 Gbps," according to the Netscout report. "As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, RDP reflection/amplification has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population."