Researchers warn millions of RDP and VNC servers are wide open to exploitation

Researchers at Forescout spotted millions of RDP and VNC servers exposed online


Remote desktop protocol (RDP) threats are now a major blind spot for enterprises globally, with threat actors pouncing on exposed servers.

That's according to Forescout Vedere Labs, which spotted 1.8 million RDP and 1.6 million virtual network computing (VNC) servers exposed on the internet – and many of those are running old versions of Windows.

Forescout said that third-party access is essential for businesses across many industries, be it for hybrid work or remote monitoring and maintenance.

"This is especially true in critical infrastructure sectors with mission-critical remote sites, including utilities, transportation, and oil and gas," the company said in a blog post.

Remote access has traditionally been managed by VPNs, RDP and VNC. These approaches were “designed to extend networks”, researchers noted, but not to control interactions, which increases the attack surface.

Indeed, such systems often lack the authentication and authorization controls organizations need to stay secure – and once inside, attackers gain "broad, persistent" access.

Millions of servers exposed

The researchers used device-search site Shodan to look for RDP and VNC servers, finding millions exposed on the internet, most of which are in China and the US.

However, Forescout noted that some of the spotted systems are probably honeypots, and admitted that not all of the remainder will provide access to an enterprise network.

"After excluding them, we identified 91,000 exposed RDP servers and 29,000 exposed VNC servers that could be categorized by industry," the researchers noted.

More than four in ten exposed RDP servers run Windows 10, while a further 18% are on end-of-life Windows versions, the researchers noted.

The study found that 19,000 of the exposed RDP servers were vulnerable to BlueKeep, a single flaw that was discovered seven years ago.

Similarly, many of the exposed VNC servers had authentication disabled, meaning anyone could interact with the applications presented by the device.
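An added defender-side check tied to that finding (example code, not Forescout's tooling): it parses the RFB security handshake a VNC server sends, so an audit of captured or inventoried handshakes from one's own servers can flag any that offer the "None" security type. The host names and handshake bytes are constructed for the demonstration, and the two server-sent segments (version banner, then security-type list) are assumed to be concatenated into one byte string per host.

```python
import struct
from dataclasses import dataclass

# Security-type numbers from the RFB specification (RFC 6143 plus registered extensions).
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 20: "GTK-VNC SASL", 21: "MD5 hash",
}

@dataclass
class VncExposure:
    version: str
    security_types: list
    failure_reason: str = ""

    @property
    def auth_disabled(self) -> bool:
        # Type 1 ("None") means the server hands over the framebuffer with no credentials.
        return 1 in self.security_types

def parse_vnc_handshake(server_bytes: bytes) -> VncExposure:
    """Parse the server side of the RFB version + security handshake."""
    if len(server_bytes) < 12 or not server_bytes.startswith(b"RFB "):
        raise ValueError("not an RFB banner")
    version = server_bytes[4:11].decode("ascii")          # e.g. "003.008"
    major, minor = (int(x) for x in version.split("."))
    body = server_bytes[12:]
    if (major, minor) >= (3, 7):
        # RFB 3.7+: U8 count followed by that many U8 security types; count 0 = refusal.
        count = body[0]
        if count == 0:
            (length,) = struct.unpack(">I", body[1:5])
            return VncExposure(version, [], body[5:5 + length].decode("latin-1", "replace"))
        return VncExposure(version, list(body[1:1 + count]))
    # RFB 3.3: the server picks a single U32 security type; 0 = refusal with a reason string.
    (sec,) = struct.unpack(">I", body[:4])
    if sec == 0:
        (length,) = struct.unpack(">I", body[4:8])
        return VncExposure(version, [], body[8:8 + length].decode("latin-1", "replace"))
    return VncExposure(version, [sec])

def audit_handshakes(captures: dict) -> dict:
    """Return a one-line verdict per host for a set of captured server handshakes."""
    verdicts = {}
    for host, raw in captures.items():
        result = parse_vnc_handshake(raw)
        if result.failure_reason:
            verdicts[host] = f"refused: {result.failure_reason}"
        elif result.auth_disabled:
            verdicts[host] = "AUTH DISABLED"
        else:
            names = ", ".join(SECURITY_TYPES.get(t, f"type {t}") for t in result.security_types)
            verdicts[host] = f"auth required ({names})"
    return verdicts

# Constructed sample captures (hypothetical hosts), laid out as an RFB server would send them.
SAMPLE_CAPTURES = {
    "lab-vnc-1": b"RFB 003.008\n" + b"\x02\x01\x02",                          # offers None + VNC auth
    "lab-vnc-2": b"RFB 003.008\n" + b"\x01\x13",                              # VeNCrypt only
    "lab-vnc-3": b"RFB 003.003\n" + struct.pack(">I", 1),                     # old 3.3 server, no auth
    "lab-vnc-4": b"RFB 003.008\n" + b"\x00" + struct.pack(">I", 8) + b"Too many",
}

if __name__ == "__main__":
    for host, verdict in audit_handshakes(SAMPLE_CAPTURES).items():
        print(f"{host}: {verdict}")
```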

The post noted that these exposed remote-access assets are left "open to compromise by threat actors to perform a range of activities, such as defacing systems, disrupting processes, wiping data, or moving laterally into the wider network."

What's the risk?

Among exposed RDP servers, 32% were in retail, followed by services at 23%. For VNC, 28% of exposed servers were in education, followed by 22% in services.

However, Forescout noted: "Exposure volume alone does not define risk. Different sectors face different operational realities."

Indeed, researchers noted that transportation environments are complex because of multi-vendor access requirements, while manufacturing is an attractive ransomware target and has seen previous RDP-based attacks.

Water and other utilities may have limited budgets and are frequently targeted by hacktivists.

Forescout said that mitigating these risks requires a different approach to remote access: treating it as a controlled operational workflow, delivered through secure remote access systems that add security, control and accountability.

"Access should be governed with the same rigor as procedures on the plant floor," the company added.


Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.

Nicole is the author of a book about the history of technology, The Long History of the Future.