Remote Desktop Gateway (RDG), previously known as Terminal Services Gateway, is a Windows Server component that provides routing for Remote Desktop (RDP). Rather then users connecting directly to an RDP Server, users instead connect and authenticate to the gateway. Upon successful authentication, the gateway will forward RDP traffic to an address specified by the user, essentially acting as a proxy. The idea is that only the gateway needs to be exposed to the Internet, leaving all RDP Servers safely behind the firewall.

Overview It has been almost six months since an eye opening vulnerability in Microsoft Windows RDP CVE 2019-0708, dubbed BlueKeep, was patched. Today, Security Researcher Kevin Beaumont posted a Twitter thread reporting BSODs (Blue Screen of Death) across his network of BlueKeep Honeypots. huh, the EternalPot RDP honeypots have all started BSOD’ing recently. They only expose port 3389. pic.twitter.com/VdiKoqAwkr — Kevin Beaumont (@GossiTheDog) November 2, 2019 Kevin kindly shared the crash dump with us and following this lead, we discovered the sample was being used in a mass exploitation attempt.