Meraki

Community

Several RDP attacks

Solved
DanIsTaken
Here to help
‎Aug 19 2019 1:49 PM
‎Aug 19 2019 1:49 PM

Several RDP attacks

One of my networks has received multiple attacks of the kind ID 1-49040 and the wording "compromised windows computer located behind a Firewall" and "It will require already access to a compromised computer inside the target network" makes me think  this attacker is already inside my network wich bothers me quite a bit.

 

Any advice on this?

 

Microsoft Windows Terminal server RDP over non-standard port attempt

1 Accepted Solution
In response to DanIsTaken
BrechtSchamp
Kind of a big deal
‎Aug 20 2019 6:45 AM
‎Aug 20 2019 6:45 AM

1:1 NAT is similar to port forwarding from a technical standpoint. Like @jdsilva  said, it's sufficient for someone to try RDP-ing to a random port on which you have a service running to trigger an event like this.

 

Generally speaking you should limit access to the 1:1 NATed IP-address(es) using the firewall. But even then, you can't avoid people trying to hack systems so security events will come up. That's not bad, at least that way you know and the firewall is doing its job blocking the attempts.

View solution in original post

9 Replies 9
BrandonS
Kind of a big deal
‎Aug 19 2019 1:56 PM
‎Aug 19 2019 1:56 PM

Do you have any ports opened inbound? 

 

Under threat protection are you set to detect or prevent?

 

It is not uncommon to see messages about attacks like this, but you would need to have RDP open to the public Internet for someone to compromise you.

- Ex community all-star (⌐⊙_⊙)
In response to BrandonS
DanIsTaken
Here to help
‎Aug 19 2019 2:09 PM
‎Aug 19 2019 2:09 PM

Threat protection is set to prevention

 

Nash
Kind of a big deal
‎Aug 19 2019 2:01 PM
‎Aug 19 2019 2:01 PM

If I understand correctly, this is an external attacker trying to open an RDP connection over a non-standard port. It relies upon you having allowed Internet traffic to a Windows machine, such as through port forwarding or NATting.

 

If you've got RDP enabled on a public-facing device, you should disable that right now, in my opinion. Find another way to remotely manage that device.

 

Lot of folks think RDP on a non-standard port is "safe" and uh... no. This is why it's not.

Windows 10 Client VPN scripts: Makes life better!
In response to Nash
jdsilva
Kind of a big deal
‎Aug 19 2019 3:17 PM
‎Aug 19 2019 3:17 PM

This rule can also be triggered if someone is attempting to exploit RDP, over a non-standard port, even if the service listening on that port is not RDP. I have a port 45454 forwarded on an MX to a service that is not RDP (but is TCP) and it fairly regularly is triggering this non-standard RDP port rule. This is almost certainly people just scanning large swathes of IP's and trying RDP exploits on every open port they find. 

http://blog.brokennetwork.ca | @jdsilva
In response to jdsilva
DanIsTaken
Here to help
‎Aug 19 2019 4:23 PM
‎Aug 19 2019 4:23 PM

I actually have no ports forwarded only NAT1:1 but I still get these attacks.
My concern is that my network could have been compromised. There is also an URL I do not recognize doing ICMP to my other devices.

BTW I'm a novice and learning
0 Kudos
In response to DanIsTaken
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Aug 19 2019 4:53 PM
‎Aug 19 2019 4:53 PM

As a precaution maybe block outbound RDP traffic. Does the report you are getting point to a specific client device?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to BlakeRichardson
DanIsTaken
Here to help
‎Aug 20 2019 4:21 PM
‎Aug 20 2019 4:21 PM

Yes, to the storage devices for the security cameras

0 Kudos
In response to DanIsTaken
SoCalRacer
Kind of a big deal
‎Aug 19 2019 8:56 PM
‎Aug 19 2019 8:56 PM

Might want to set the ruleset to security setting while you are learning and tracking this down. Also if out of country threat you might try blocking all traffic by that country. Temporarily IP block might be good too.

0 Kudos
In response to DanIsTaken
BrechtSchamp
Kind of a big deal
‎Aug 20 2019 6:45 AM
‎Aug 20 2019 6:45 AM

1:1 NAT is similar to port forwarding from a technical standpoint. Like @jdsilva  said, it's sufficient for someone to try RDP-ing to a random port on which you have a service running to trigger an event like this.

 

Generally speaking you should limit access to the 1:1 NATed IP-address(es) using the firewall. But even then, you can't avoid people trying to hack systems so security events will come up. That's not bad, at least that way you know and the firewall is doing its job blocking the attempts.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.