Last Updated: 2018-12-16 23:59:40 UTC
by Guy Bruneau (Version: 1)
Over the past several months I have been observing random Remote Desktop Protocol (RDP) activity targeting my honeypot. Back in September, US-Cert  issued an alert regarding RDP being actively used and exploited by malicious actors released by the FBI .
The default Windows service port for RDP is TCP 3389 and the activity against this service can easily be identified in the packets with "Cookie: mstshash=".
It the past 6 weeks I have observed this activity on its default port including multiples other ports from various sources, testing access using mainly two username (i.e. hello, Administr).
Obviously this service should not be exposed directly to Internet and if used should be secured appropriately with a strong password and should be monitored for unusual activity. More information is available here to further protect against RDP-based attacks.
If you have more information or corrections regarding our diary, please share.