Several RDP attacks

Solved
DanIsTaken
Here to help


One of my networks has received multiple attacks of the kind ID 1-49040, and the wording "compromised windows computer located behind a Firewall" and "It will require already access to a compromised computer inside the target network" makes me think this attacker is already inside my network, which bothers me quite a bit.

Any advice on this?

 

Microsoft Windows Terminal server RDP over non-standard port attempt

1 Accepted Solution
BrechtSchamp
Kind of a big deal

1:1 NAT is similar to port forwarding from a technical standpoint. Like @jdsilva said, it's sufficient for someone to try RDP-ing to a random port on which you have a service running to trigger an event like this.

Generally speaking you should limit access to the 1:1 NATed IP-address(es) using the firewall. But even then, you can't avoid people trying to hack systems, so security events will come up. That's not bad; at least that way you know, and the firewall is doing its job blocking the attempts.


9 Replies
BrandonS
Kind of a big deal

Do you have any ports opened inbound? 

 

Under threat protection are you set to detect or prevent?

 

It is not uncommon to see messages about attacks like this, but you would need to have RDP open to the public Internet for someone to compromise you.

DanIsTaken
Here to help

Threat protection is set to prevention

 

Nash
Kind of a big deal

If I understand correctly, this is an external attacker trying to open an RDP connection over a non-standard port. It relies upon you having allowed Internet traffic to a Windows machine, such as through port forwarding or NATting.

 

If you've got RDP enabled on a public-facing device, you should disable that right now, in my opinion. Find another way to remotely manage that device.

 

Lots of folks think RDP on a non-standard port is "safe" and uh... no. This is why it's not.

jdsilva
Kind of a big deal

This rule can also be triggered if someone is attempting to exploit RDP over a non-standard port, even if the service listening on that port is not RDP. I have port 45454 forwarded on an MX to a service that is not RDP (but is TCP), and it fairly regularly triggers this non-standard RDP port rule. This is almost certainly people just scanning large swathes of IPs and trying RDP exploits on every open port they find.

DanIsTaken
Here to help

I actually have no ports forwarded, only NAT 1:1, but I still get these attacks.
My concern is that my network could have been compromised. There is also a URL I do not recognize doing ICMP to my other devices.

BTW I'm a novice and learning
BlakeRichardson
Kind of a big deal

As a precaution maybe block outbound RDP traffic. Does the report you are getting point to a specific client device?

DanIsTaken
Here to help

Yes, to the storage devices for the security cameras

SoCalRacer
Kind of a big deal

Might want to set the ruleset to the security setting while you are learning and tracking this down. Also, if it's an out-of-country threat, you might try blocking all traffic from that country. A temporary IP block might be good too.

