As a follow-up to our 2018 studies of open Remote Desktop Protocol (RDP) endpoints, Awingu research found over 360.000 RDP endpoints of companies and government organizations in Germany, the UK, Italy, the Netherlands, Belgium and Sweden that give unprotected access into their networks straight from the ‘regular’ internet. We also found a specific peak (up to 40.000 exposed RDP environments) in Microsoft Azure’s Amsterdam public cloud region. Even inexperienced hackers can easily find their way into these unprotected environments, for example by using databases of stolen logins or one of the many known RDP exploits. We therefore urge these companies to add an extra layer of security to their environment as soon as possible.

The study, and why it’s important

In September 2018, November 2018 and February 2019, research conducted by Awingu into the security of Belgian, Italian and Swedish companies respectively led to staggering results: over 50.000 open RDP (Remote Desktop Protocol) endpoints were discovered, leaving the companies they belonged to with a very real security threat. In January 2020, we looked at how the situation has changed, and how three other European countries (the United Kingdom, the Netherlands and Germany) perform on the same test.

We performed an in-depth investigation, based on publicly available data, into which RDP endpoints in these countries are reachable from the public internet, and looked specifically at IP addresses with an unprotected, active RDP service behind them. These can be servers as well as PCs.

RDP is one of the most used tools for remote access to desktops and servers in the world. Via the RDP client, an application installed on the user’s device (e.g. a laptop), you allow users to access a full desktop or application remotely. Typically, this enables employees to use their software both inside and outside the company. RDP is a low-threshold solution, and adding security on top of it is sometimes taken for granted: extra measures (e.g. firewall rules or access control lists) mean added complexity for the IT administrator (and the user).

After analyzing data made available by a public search engine, Awingu arrived at the following striking result: over 360.000 RDP endpoints are currently publicly reachable in the six researched countries. This means they are accessible to anyone on the internet, without first going through any secure connection set up by the organization. In other words, they are not or insufficiently protected and have an unmistakable potential to be hacked.

Easy targets for hackers

It’s a piece of cake for relatively low-skilled hackers to map the list of RDP endpoints and their IP addresses to real companies and to compare that list with the many publicly available databases of stolen passwords on the dark web: chances are they’ll get in without much effort. If that doesn’t work, a publicly reachable RDP endpoint can still be brute-forced to guess the login details, or attacked through one of the many known RDP vulnerabilities (if the system is not running the latest updates). Companies with an open RDP environment are therefore advised to do something about it as quickly as possible. Once a hacker has access, they can execute commands that install ransomware on the system and infect other devices in the same network.

In recent years, several devastating attacks have wreaked havoc across the world. BlueKeep (CVE-2019-0708), a pre-authentication flaw in RDP itself that was patched in May 2019 but is still unpatched on many systems, was being exploited in the wild at the very end of 2019, and the NotPetya outbreak of 2017 cost companies worldwide over $10b and left Maersk unable to go about any of its activities for a while. NotPetya did not enter through RDP (it spread over SMB and with stolen credentials), but it shows what a single foothold inside a network can do. In other words: exposing your RDP endpoint for the whole world to see is a major security issue.
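The attack path described above (credential stuffing, brute force, or a pre-authentication bug such as BlueKeep) is wide open only when the server still accepts the legacy ‘standard RDP security’ layer, which puts the Windows logon screen in front of anyone who connects. A server that enforces Network Level Authentication (NLA) demands valid credentials through CredSSP before that screen is ever shown, so password guessing has to go through CredSSP and a BlueKeep-style bug requires credentials first. The server tells you which of the two it is in the very first packet exchange. The following is an added example in Python, not tooling from the Awingu study: it builds the X.224 Connection Request from MS-RDPBCGR offering only standard RDP security and classifies the server’s Connection Confirm. The sample replies are constructed, not captured from any real host; `probe()` is the only function that touches the network.

```python
"""Probe which security layer an RDP server will accept (MS-RDPBCGR 2.2.1.1 / 2.2.1.2).

Added illustration for this article, not code from the Awingu study. The client
offers ONLY standard RDP security (no TLS, no CredSSP/NLA). The server's answer
tells you whether its logon screen is reachable by anyone on the internet:

  RDP_NEG_RSP, selectedProtocol = PROTOCOL_RDP  -> accepted, NLA not enforced
  RDP_NEG_FAILURE, HYBRID_REQUIRED_BY_SERVER    -> NLA enforced
  no rdpNegData at all                          -> legacy server, RDP security only
"""
import socket
import struct

PROTOCOL_RDP = 0x00000000        # standard RDP security
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP (NLA) over TLS
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with Early User Authorization Result

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ (19 bytes in total)."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR TPDU: code 0xE0, DST-REF, SRC-REF, class option, then rdpNegReq
    body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = bytes([len(body)]) + body                    # length indicator comes first
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Classify the server's TPKT + X.224 Connection Confirm."""
    if len(data) < 11 or data[0] != 0x03 or data[5] != 0xD0:
        raise ValueError("no TPKT-framed X.224 Connection Confirm received")
    if data[4] < 14 or len(data) < 19:
        # Connection Confirm without rdpNegData: server predates security negotiation
        return {"nla_enforced": False, "tls": False,
                "verdict": "no RDP_NEG_RSP: legacy server, standard RDP security only"}
    ntype, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("malformed rdpNegData")
    if ntype == TYPE_RDP_NEG_RSP:
        nla = bool(value & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX))
        verdict = ("accepted standard RDP security: logon screen exposed without TLS or NLA"
                   if value == PROTOCOL_RDP else f"selected protocol 0x{value:08x}")
        return {"nla_enforced": nla, "tls": value != PROTOCOL_RDP, "verdict": verdict}
    if ntype == TYPE_RDP_NEG_FAILURE:
        name = FAILURE_CODES.get(value, f"unknown failure 0x{value:08x}")
        return {"nla_enforced": value in (0x05, 0x06),
                "tls": value in (0x01, 0x05, 0x06),
                "verdict": f"refused standard RDP security: {name}"}
    raise ValueError(f"unexpected rdpNegData type 0x{ntype:02x}")


def probe(host, port=3389, timeout=5.0):
    """Run the exchange against a live host; the only function here that uses the network."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return parse_connection_confirm(sock.recv(64))


# Constructed server replies for offline use; not captured from any real host.
REPLY_STANDARD_RDP = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00  02 00 08 00 00 00 00 00")
REPLY_NLA_REQUIRED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00  03 00 08 00 05 00 00 00")
REPLY_LEGACY = bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00")

if __name__ == "__main__":
    for label, reply in [("standard", REPLY_STANDARD_RDP), ("nla", REPLY_NLA_REQUIRED),
                         ("legacy", REPLY_LEGACY)]:
        print(label, parse_connection_confirm(reply)["verdict"])
```

Run `probe("your.host")` against your own endpoints only; a result with `nla_enforced` set to False is exactly the situation this article warns about. The answer only describes the transport layer: a server that enforces NLA but still sits on the public internet remains a target for credential stuffing, just through CredSSP, so the real fix is still to take port 3389 off the internet.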

The results: bad news

Before performing our test, we were optimistic: surely these worldwide incidents and Microsoft’s continuous effort to limit vulnerabilities would have made people more cautious with their infrastructure and lowered the number of open RDP endpoints. That was not the case.

Country               Previous study   2020 study
🇧🇪 Belgium               8.803            8.698
🇮🇹 Italy                33.629           32.664
🇸🇪 Sweden                9.655           12.614
🇬🇧 United Kingdom        not studied      76.626
🇩🇪 Germany               not studied     141.500
🇳🇱 The Netherlands       not studied      89.398

Note: these numbers include public cloud infrastructure such as Google Cloud Platform & Microsoft Azure. That means that countries such as the Netherlands, that host a lot of public clouds, have more ‘exposure’. Customers running in these clouds come from other countries as well, which skews the data a little bit – although we cannot measure by how much.

While Belgium and Italy show an ever so slight decrease (1,2% and 2,8% respectively), Sweden shows an increase of roughly 30% in 11 months. Furthermore, the previously unstudied regions show high numbers, with The Netherlands leading the pack when comparing open RDP endpoints to population: with approximately 1,5 times the number of citizens of Belgium, they have ten times the number of unsecured RDP servers.

As we do not know how many RDP endpoints (including properly secured ones) exist in a country, we cannot say which country is relatively worst off. A meaningful proxy is GDP, which at least gives us a common denominator to compare countries. Doing this exercise brings us to the following result:

Rank  Country               Open endpoints   GDP (billion USD)*   Endpoints per billion USD of GDP
1.    🇳🇱 The Netherlands    89.398           902,36               99,07
      NL (non-Azure)        51.632           902,36               57,21
2.    🇩🇪 Germany            141.500          3.863,34             36,63
3.    🇬🇧 United Kingdom     76.626           2.743,59             27,93
4.    🇸🇪 Sweden             12.614           528,93               23,85
5.    🇧🇪 Belgium            8.698            517,61               16,80
6.    🇮🇹 Italy              32.664           1.988,64             16,43

*Source: https://www.imf.org/external/pubs/ft/weo/2019/02/weodata/index.aspx

Germany also scores poorly, with a ratio more than twice that of Belgium and Italy. The Netherlands, however, stick out like a sore thumb. Even when leaving Azure servers out of the mix (they potentially host the data of non-Dutch companies, as Azure Amsterdam hosts the Western European part of the Azure geography), we still found 51.632 open endpoints, which eliminates the argument that the numbers skyrocket merely because of the public cloud presence. That high number is of course also linked to the high adoption of ‘server-based computing’ (and thus RDP) in the Netherlands, and therefore more data centers, more Windows servers and a culture that favors remote working. Even without the Azure Amsterdam numbers, we can state with confidence that more companies are impacted per capita in The Netherlands than in any of the other regions.

What do we learn from this?

1. Open RDP endpoints are everywhere

Every single one of the six countries we researched has an abundance of open RDP endpoints. We shouldn’t expect the count to be zero (though that should be the goal), but it shows that no country or region escapes the problem.

Because the endpoints are public and mapped to an IP address, we were also able to pinpoint roughly where these companies (or at least their data centers) are located on a map, as outlined below.

[Maps of open RDP endpoint locations: Belgium, France, United Kingdom, Italy, The Netherlands, Sweden]

Overall, these maps show, unsurprisingly, that the concentration of open RDP endpoints follows population density. That also means the problem is not region-specific or bound to, for example, a single ISP.

2. The situation is severe, and not improving

As remote working through RDP is gaining in popularity and more companies are enabling it, a bare minimum of security should be kept in mind. The spike we see in Sweden shows the opposite. And while the numbers in Belgium and Italy stay relatively stable, that is no reason to celebrate, on the contrary: it shows that there is little to no general awareness of the dangers these practices entail. If there were, we should record a sharp decrease in open RDP endpoints, not a constant.

Although we have no historical data for the previously unresearched regions (UK, Netherlands, Germany), we can safely state that the threat is just as real there. Together, they make up the lion’s share of the discovered public-facing servers.

3. Organizations that lift & shift to public cloud forget security basics

One would expect the public cloud (such as Microsoft Azure) to reduce the number of open RDP endpoints; alas, the opposite is true. As is apparent in the Netherlands, where 42% of the open endpoints were found in Azure, moving to a public cloud definitely does not make your worries go away. This leads us to conclude that companies often perform a ‘lift & shift’ towards the public cloud without applying the correct security procedures on either their on-prem or their public cloud infrastructure.

“The minute people go to cloud, they forget all the security best practices they use on-prem. Microsoft Azure is known to host a lot of ‘lift & shift’ workloads, and many IT admins choose the default setting when it comes to RDP: putting everything open. In an on-prem situation, you need to make an effort to make data accessible from the outside; in a public cloud setting, you need to make an effort to keep data inaccessible from the outside. That means that a ‘move to the public cloud’ often entails environments that are a lot more open than they should be.”
Steven Dewinter
COO, Awingu

Mitigating security risks with Awingu

Awingu addresses this problem with its Unified Workspace: users connect to their applications and desktops through a browser instead of an RDP client, and the RDP service itself is no longer exposed to the internet. Attackers thus no longer have an unprotected RDP port to aim at. To maximize protection of that browser-based access, Awingu adds the following security measures:

  • Multi-factor authentication: Awingu comes with a built-in MFA solution and can easily integrate your current authentication method if needed. With MFA, a guessed or stolen password alone is no longer enough to get in, which takes the sting out of brute-force and credential-stuffing attacks.
  • TLS (SSL) without hassle: use your own certificates, or switch on TLS via the built-in Let’s Encrypt integration with a single mouse click.
  • Extensive audit possibilities: keep your existing RDP logging tools running alongside the included Awingu audit capabilities.
  • Anomaly detection: get informed about irregularities in your environment, such as someone who logs in too often with a wrong password, or someone who tries to log in from abroad.
  • An additional layer: Awingu adds an extra gate that is only reachable over HTTP(S), so the RDP service itself is no longer exposed directly to the internet. In essence, it is another door that needs to be ‘unlocked’ first.
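The failed-logon anomaly in the list above (one source hammering the logon prompt with wrong passwords) is a detection any RDP operator can run on their own Windows Security logs, whether or not a gateway product sits in front. The following is an added example, not Awingu’s anomaly-detection code and not part of the study. It works on a constructed, simplified one-line rendering of Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP); the sample events, account names and IP addresses are invented, and the thresholds are assumptions to tune for your environment. It goes slightly beyond the bullet point by also flagging password spraying (few attempts, many accounts) and a success that follows a burst of failures.

```python
"""Flag RDP password guessing in Windows Security logon events.

Added example for this article; not Awingu's anomaly-detection code. It consumes a
constructed, simplified one-line-per-event format (assumed, not a Windows format):

    <ISO-8601 timestamp>|<EventID>|<LogonType>|<TargetUserName>|<IpAddress>

EventID 4625 is a failed logon, 4624 a successful one; LogonType 10 (RemoteInteractive)
is what an RDP session produces. The real EVTX/XML events carry the same fields.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5       # failures from one source IP inside WINDOW -> brute force (assumed)
SPRAY_THRESHOLD = 3      # distinct accounts failed from one source IP -> spraying (assumed)
WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPE = 10

# Constructed sample events: RFC 5737 documentation addresses, invented account names.
SAMPLE_EVENTS = [
    "2020-01-15T02:00:01|4625|10|administrator|203.0.113.7",
    "2020-01-15T02:00:03|4625|10|administrator|203.0.113.7",
    "2020-01-15T02:00:05|4625|10|administrator|203.0.113.7",
    "2020-01-15T02:00:08|4625|10|administrator|203.0.113.7",
    "2020-01-15T02:00:10|4625|10|administrator|203.0.113.7",  # 5th failure: brute force
    "2020-01-15T02:00:14|4624|10|administrator|203.0.113.7",  # then a success: compromise
    "2020-01-15T02:30:00|4625|10|jsmith|198.51.100.9",
    "2020-01-15T02:30:30|4625|10|mjones|198.51.100.9",
    "2020-01-15T02:31:00|4625|10|svc_backup|198.51.100.9",    # 3 accounts: spraying
    "2020-01-15T08:00:00|4625|3|jsmith|10.0.0.5",             # network logon, not RDP: ignored
    "2020-01-15T09:00:00|4625|10|jsmith|192.0.2.44",          # one typo, then a normal logon
    "2020-01-15T09:00:20|4624|10|jsmith|192.0.2.44",
]


def parse_event(line):
    """Split one constructed event line into its fields."""
    ts, event_id, logon_type, user, ip = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "user": user, "ip": ip}


def detect(lines):
    """Return (timestamp, severity, source_ip, description) alerts, in event order.

    Events are assumed to arrive sorted by time, as a log forwarder would deliver them.
    """
    alerts = []
    recent = defaultdict(deque)   # source IP -> (timestamp, account) failures inside WINDOW
    flagged = set()               # source IPs already reported, so one burst gives one alert
    for ev in map(parse_event, lines):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        window = recent[ev["ip"]]
        while window and ev["ts"] - window[0][0] > WINDOW:
            window.popleft()      # slide the window forward, dropping stale failures
        if ev["event_id"] == 4625:
            window.append((ev["ts"], ev["user"]))
            accounts = {user for _, user in window}
            if ev["ip"] in flagged:
                continue
            if len(window) >= FAIL_THRESHOLD:
                flagged.add(ev["ip"])
                alerts.append((ev["ts"], "medium", ev["ip"],
                               f"{len(window)} failed RDP logons within {WINDOW.seconds // 60} minutes"))
            elif len(accounts) >= SPRAY_THRESHOLD:
                flagged.add(ev["ip"])
                alerts.append((ev["ts"], "medium", ev["ip"],
                               f"password spraying across {sorted(accounts)}"))
        elif ev["event_id"] == 4624 and len(window) >= FAIL_THRESHOLD:
            # The guessing eventually worked: escalate, this is a probable compromise
            alerts.append((ev["ts"], "high", ev["ip"],
                           f"successful logon as {ev['user']} after {len(window)} failures"))
    return alerts


if __name__ == "__main__":
    for ts, severity, ip, what in detect(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} [{severity}] {ip}: {what}")
```

On the constructed sample this yields three alerts: a medium one for the five failures from 203.0.113.7, a high one when the same address then logs in successfully, and a medium spraying alert for 198.51.100.9; the single mistyped password from 192.0.2.44 produces nothing. Note that a 4625 event only tells you the source address when the attempt reached the logon screen, which is precisely what happens on an endpoint that accepts standard RDP security without NLA.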

Find out more about Awingu!

About the author
Karel Van Ooteghem
Marketing Manager