RDP 3389 temporarily blocked due to imminent threat to unpatched Windows OS
Posted by Barry Bahrami on 20 November 2014 08:31 PM
We have been following an emerging threat to unpatched Windows OS. Microsoft Secure Channel (Schannel) is a security package that provides SSL and TLS on Microsoft Windows platforms. Due to a flaw in Schannel, a remote attacker could execute arbitrary code on both client and server applications.
We notified subscribers of the threat on November 14 and advised all subscribers to install Windows updates as soon as possible to protect themselves from it. If your Windows OS is up to date (with Windows Update) then it is protected from this threat.
Microsoft patches are typically reverse-engineered and exploits developed in a matter of days or weeks. In this case, two proofs of concept that exploit Windows, one via RDP and another through IIS, have already been created. One was created by a security researcher and we are not sure of the background of the other creator. It is likely that skilled and malicious actors are not far behind.
This attack vector is a prime target for attacks all over the Internet and we believe they are imminent. As of right now, we do not yet have all the signatures required to completely block this threat from subscriber VMs. Microsoft has been very tight-lipped about the specifics and this is slowing development of defensive signatures. Unpatched Windows VMs remain vulnerable to attack, although there are mitigating factors:
Most subscribers use randomized RDP ports and so the threat is heavily mitigated by that fact alone. We also block IP scanners at our network edge, making the process of identifying targets significantly more difficult – but not impossible.
Subscribers who do not use randomized RDP ports and are running unpatched Windows are most at risk until we are able to deploy filters to prevent the attack from reaching subscriber VMs.
As a result, we are now blocking RDP TCP/UDP port 3389 from reaching ALL subscriber VMs until we can safely filter the malicious traffic. This block will temporarily prevent remote desktop access but it will not interfere with running applications.
If you are unable to reach your VM and you do not use randomized RDP ports then please contact CNS Support for assistance. CNS Support will verify your VM is protected from attack and then the block will be lifted for your VM.
We strongly encourage all subscribers who are not using RDP Randomizer or CNS two-factor authentication to install them as soon as possible. Please let our technicians know if you have any questions – we will be happy to assist you.
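To see where your own VM stands on the two points above (whether its RDP listener is still on the default port 3389, and whether it has the Schannel fix), you can run the following self-check inside the VM. This is an added example, not a CNS tool: it assumes Windows with PowerShell 3 or later, an elevated session, and that you fill in the KB number of the Schannel update from Microsoft's bulletin (the placeholder below is not a real identifier).

```powershell
# Added example (not part of the CNS notice). Assumptions: PowerShell 3+, run as
# Administrator, and $SchannelFixKB set to the real KB id from Microsoft's bulletin.
$SchannelFixKB = 'KB<schannel-fix-id>'   # PLACEHOLDER: the notice does not give the KB number

function Get-RdpListenerPort {
    # The RDP listener port is stored under the Terminal Server WinStations key;
    # 3389 is the default and is what the CNS edge block now stops.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    return [int](Get-ItemProperty -Path $key -Name PortNumber).PortNumber
}

function Test-RdpPortRandomized {
    # True when the listener has been moved off the default port (e.g. by RDP Randomizer).
    return (Get-RdpListenerPort) -ne 3389
}

function Test-UpdateInstalled {
    param([string]$KB)
    # Get-HotFix enumerates installed updates; a missing id yields nothing rather than an object.
    return [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

function Get-LatestUpdateDate {
    # Freshness check that does not depend on knowing the exact KB id: the date of the
    # most recently installed update. Anything older than the November 2014 patch release
    # means Windows Update has not been run since the fix shipped.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    return $latest.InstalledOn
}

# Report the three facts a support technician would ask for before lifting the block.
$port = Get-RdpListenerPort
$portState = if (Test-RdpPortRandomized) { 'randomized' } else { 'DEFAULT 3389 (affected by the block)' }
Write-Output ("RDP listener port      : {0} - {1}" -f $port, $portState)
Write-Output ("Schannel fix {0} present: {1}" -f $SchannelFixKB, (Test-UpdateInstalled $SchannelFixKB))
Write-Output ("Most recent update date : {0}" -f (Get-LatestUpdateDate))
```

If the listener reports the default port and the fix is not present, patch first and only then ask Support to lift the block; changing the port alone does not remove the Schannel flaw.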
There are several ways to reach CNS Support:
Please log in to your Client Area and click "Help Desk" near the top, then click "Submit a Ticket" to send a new support request to our technicians.
Click “live help” at the top of our control panel or web site. This link will disappear when all slots are in use, so please click refresh if you don’t see it.
Send us an SMS
In the UK: +44 1872 672038
All other regions, worldwide: +1 858 633-8999
Call our helpdesk. Please call the number closest to you:
San Diego, CA: +1 (619) 225-7882
Los Angeles, CA: +1 (213) 769-1787
New York, NY: +1 (646) 930-7435
London, UK: +44 (2035) 191453