This graph shows the difference between the attacks on a publicly published RDP server, and one that is not published on port 3389. On the left, we have the report from 1 year ago before deciding to close the port, on the right we have the graph on the same address today. Not shown here: the number of attacks have decreased significantly.
Ref: SingCERT advisory "Kaspersky Report on Compromised RDP Servers - "The xDedic Marketplace"
In essence a number of public facing IP addresses, notably some in Singapore, are on a list for sale in the black market, presumably because their administrator passwords have been compromised through brute force.