Rapid7 report millions of endpoints exposed via SMB, Telnet Ports

A study conducted by the security firm Rapid7 revealed that millions of devices remain exposed to cyber attacks via  SMB, Telnet, RDP, and other types of improper configurations.

Rapid7 published the second report National Exposure Index that provides Internet service providers (ISPs) worldwide information about the global exposure of devices.

The researchers scanned the Internet for improperly configured services, such as the recently exploited Server Message Block (SMB) and Telnet that were respectively targeted in the WannaCry attack and attacks based on IoT botnets (i.e. Mirai, Persirai).

The experts counted 5.5 million machines with SMB port exposed, the data is alarming considering that prior May 2017, when WannaCry spread, the number of exposed devices was 4.7 million.

According to Rapid7, 800,000 of endpoints exposing Microsoft file-sharing services (SMB, TCP port 445) are Windows systems.

“Over 1 million endpoints were confirmed exposing Microsoft file-sharing services (SMB, TCP port 445), with 800,000 of them being confirmed Windows systems, spanning virtually the entire product and release version lineage of the company.” states the report. ““This made for a target-rich environment for WannaCry, a “ransomworm” that spreads in part through an SMB exploit made public in May of 2017. This vulnerability was also actively sought out in May 2017, with SMB port scan results increasing by 17% (4.7 million to 5.5 million nodes). Blocking port 445 would mitigate potential threats like this”

The analysis of devices with exposed telnet (port 23) revealed roughly 10 million devices exposed to attacks. In this case, the number of exposed devices is decreased from the 14.8 million exposed devices discovered last year, anyway the situation is still alarming.

“Port scanning for telnet (port 23) in 2017 returned just under 10 million responsive nodes, compared to 2016’s scan results of over 14.8 million. This 33% drop in apparent telnet services can almost certainly be pinned to two developments: 1) ISP

1) ISP actions, such as closing port 23 in response to the Mirai botnet, and 2) Mirai, BrickerBot, and other botnets knocking nodes offline.“” continues the report.

The drop is likely caused by the action of ISPs that started closing port 23 following the botnet attacks.

The researchers highlighted that other services exposed to the Internet cpild be exploited by hackers, including FTP (port 21), RDP (port 3389), PPTP (port 1723), rpcbind (port 111), MySQL (port 3306).

Rapid7’s estimated that over 90 million endpoints running these inappropriate services are exposed on the Internet.

Zimbabwe, Hong Kong SAR, Samoa, Republic of the Congo, Tajikistan, Romania, Ireland, Lithuania, Australia, and Estonia are the most exposed countries.

“The most exposed regions are Zimbabwe, Hong Kong SAR , Samoa, Republic of the Congo, Tajikistan, Romania, Ireland, Lithuania, Australia, and Estonia. No discussion of national exposure would be complete without reference to the three major cyber superpowers: the United States, China, and the Russian Federation. While both the Russian Federation and China are among the top 50 most exposed nations, the U.S. has relatively low exposure in relation to its enormous IPv4 address space” states the report.

Experts at Rapid7 scan 30 service ports and also analyzed the exposure to two “canary” TCP ports, port 5 and port 61439. The experts discovered 3.2 million devices exposing services on these two ports, and more than 2.3 million IPs located in 133 countries exposed both ports at the same time.

The study also revealed many services that aren’t encrypted, such as HTTP.

Give a look at the report, it is full of interesting data on the global exposure

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  SMB, Internet)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

EvilVideo, a Telegram Android zero-day allowed sending malicious APKs disguised as videos

EvilVideo is a zero-day in the Telegram App for Android that allowed attackers to send…

4 hours ago

SocGholish malware used to spread AsyncRAT malware

The JavaScript downloader SocGholish (aka FakeUpdates) is being used to deliver the AsyncRAT and the…

14 hours ago

UK police arrested a 17-year-old linked to the Scattered Spider gang

Law enforcement arrested a 17-year-old boy from Walsall, U.K., for suspected involvement in the Scattered…

19 hours ago

Security Affairs Malware Newsletter – Round 3

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

2 days ago

Security Affairs newsletter Round 481 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

2 days ago

U.S. CISA adds Adobe Commerce and Magento, SolarWinds Serv-U, and VMware vCenter Server bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Adobe Commerce and Magento, SolarWinds Serv-U, and…

2 days ago

This website uses cookies.