I have noticed a surge in probes against the RDP service in the past 2 weeks. In August, a critical remote code execution (RCE) patch was released to fix an exploit related to CVE-2021-34535, which includes a POC to exploit this vulnerability. This vulnerability also affects Microsoft Hyper-V Manager “Enhanced Session Mode” and Microsoft Defender’s Application Guard (WDAG).
According to Shodan, there are over 4.89M IPs with TCP:3389 listening and over 3.9M IPs with RDP listening on other ports, mainly on 3388. Besides TCP:3389, my honeypot logged mstshash probes against other ports such as 21, 23, 80, 8000, 8080.
20211018-022140: 192.168.25.9:3389-126.96.36.199:5616 data
[2021-10-30 08:42:54]  [ftp_21_tcp 16145] [188.8.131.52:65158] recv: …/*……Cookie: mstshash=Administr
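The following is an added example, not part of the original diary: a Python check a honeypot or sensor could run on the first bytes received on any port to recognize an RDP X.224 Connection Request and extract the mstshash cookie. The function names and the RDP_PORTS set are assumptions, and SAMPLE is a constructed payload laid out like the FTP honeypot line above, where "/" (0x2f) is the TPKT length and "*" (0x2a) is the X.224 length indicator.

```python
import re
import struct
from typing import Optional

RDP_PORTS = {3389}  # assumption: ports where RDP is legitimately expected
COOKIE_RE = re.compile(rb"Cookie: mstshash=([^\r\n]{1,64})")

# Constructed sample: TPKT header, X.224 Connection Request, cookie, RDP_NEG_REQ.
SAMPLE = (b"\x03\x00\x00\x2f\x2a\xe0\x00\x00\x00\x00\x00"
          b"Cookie: mstshash=Administr\r\n"
          b"\x01\x00\x08\x00\x03\x00\x00\x00")


def parse_mstshash(payload: bytes) -> Optional[str]:
    """Return the mstshash value if payload begins like an RDP
    X.224 Connection Request, otherwise None."""
    if len(payload) < 11:
        return None
    # TPKT (RFC 1006): version 3, reserved 0, 16-bit big-endian total length.
    version, reserved, tpkt_len = struct.unpack(">BBH", payload[:4])
    if version != 3 or reserved != 0 or tpkt_len < 11:
        return None
    length_indicator, code = payload[4], payload[5]
    if code & 0xF0 != 0xE0:  # 0xE0 = Connection Request TPDU
        return None
    # The length indicator counts everything after itself, so it must
    # agree with the TPKT length (4-byte TPKT header + 1 LI byte).
    if length_indicator + 5 != tpkt_len:
        return None
    # Honeypot reads may be truncated, so search only what was received.
    match = COOKIE_RE.search(payload, 11, min(len(payload), tpkt_len))
    return match.group(1).decode("ascii", "replace") if match else None


def classify(port: int, payload: bytes) -> Optional[dict]:
    """Flag RDP connection requests, marking those seen on non-RDP ports."""
    user = parse_mstshash(payload)
    if user is None:
        return None
    return {"port": port, "user": user, "off_port": port not in RDP_PORTS}


if __name__ == "__main__":
    print(classify(21, SAMPLE))
```

Validating the TPKT and X.224 framing before searching for the cookie keeps the check from firing on unrelated traffic that merely contains the string "mstshash".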
Top 10 Usernames
Top 10 Sources
If using RDP, Microsoft provided the following information on “Security guidance for remote desktop adoption”.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.