Cybercriminals have been exploiting vulnerabilities in the Remote Desktop Protocol (RDP) to gain unauthorized access to Windows systems and remotely control web browsers.
This method not only compromises individual machines but also poses a significant threat to enterprise networks.
RDP, a Microsoft protocol, enables users to remotely connect to and control Windows systems. While it is a vital tool for IT administrators, its vulnerabilities make it an attractive target for hackers.
Insinuator analysts discovered that the attack typically follows these steps:
Initial Intrusion: Hackers exploit exposed RDP servers, often using brute-force attacks on weak credentials or purchasing access on darknet marketplaces. For example, using default RDP port 3389, attackers can identify vulnerable systems with tools like Nmap:
nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target-host>
This script checks if the system is vulnerable to known RDP exploits like MS12-020.
Session Hijacking: Once inside, attackers can hijack active RDP sessions or create new ones. Tools like Mimikatz are used to extract credentials from memory:
privilege::debug
ts::mstsc
Lateral Movement: Using native Windows tools such as PsExec and WMI, attackers move laterally across the network to escalate their privileges and compromise additional systems.
Browser Control: By leveraging RDP session artifacts like bitmap caches, attackers can reconstruct user activity, including browser interactions. Tools such as BMC-Tools allow extraction of cached screen fragments:
python bmc-tools.py -s "C:Users
These fragments can reveal sensitive information such as login credentials or URLs accessed by the victim.
Real-World Implications
In one documented case, attackers used RDP to open a private browser tab on a compromised machine and access sensitive login pages.
Reconstructed Browser Activity (Source – Insinuator)
They also deployed malicious files such as svchost.exe into public directories for further exploitation.
Malicious File Deployment (Source – Insinuator)
The key vulnerabilities include unpatched systems, where exploits like BlueKeep (CVE-2019-0708) allow remote code execution without authentication.
Weak credentials further increase risk, as poor password practices make brute-force attacks highly effective. Additionally, default configurations, such as persistent bitmap caching enabled in many RDP clients, leave sensitive session data exposed.
To protect against such attacks, it is crucial to enforce strong passwords and multi-factor authentication for RDP access while restricting access through firewalls or VPNs.
Regular system updates help patch vulnerabilities like CVE-2024-21307, and disabling persistent bitmap caching in RDP settings reduces exposure to data leaks.
Moreover, monitoring network activity for unusual RDP connections using tools like Darktrace or SIEM solutions enhances security and threat detection.
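As an added example of the SIEM-style monitoring this paragraph recommends (it is not code from the Insinuator write-up or from any tool named above), the Python below reads constructed Windows Security event records and flags a source address that fails many RDP logons inside a short window and then succeeds, which is the brute-force pattern described earlier on this page. Event IDs 4625/4624 and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the sample records, the field layout, and the threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry: (timestamp, event_id, logon_type, user, source_ip).
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2024-05-01T02:00:14", 4625, 10, "admin", "203.0.113.7"),
    ("2024-05-01T02:00:27", 4625, 10, "backup", "203.0.113.7"),
    ("2024-05-01T02:00:41", 4625, 10, "helpdesk", "203.0.113.7"),
    ("2024-05-01T02:00:55", 4625, 10, "backup", "203.0.113.7"),
    ("2024-05-01T02:01:10", 4625, 10, "backup", "203.0.113.7"),
    ("2024-05-01T02:01:30", 4624, 10, "backup", "203.0.113.7"),  # success right after the spray
    ("2024-05-01T08:15:00", 4625, 10, "jdoe", "198.51.100.4"),   # one typo, then a normal logon
    ("2024-05-01T08:15:20", 4624, 10, "jdoe", "198.51.100.4"),
    ("2024-05-01T09:00:00", 4625, 3, "svc", "192.0.2.9"),        # network logon: not RDP, ignored
    ("2024-05-01T09:30:00", 4625, 10, "svc", "192.0.2.9"),       # two RDP failures hours apart
    ("2024-05-01T13:30:00", 4625, 10, "svc", "192.0.2.9"),       # never enough inside one window
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag IPs with >= threshold failed RDP logons inside `window`; note any RDP logon after the last failure."""
    by_ip = defaultdict(lambda: {"fail": [], "ok": []})
    for ts, eid, ltype, user, ip in events:
        if ltype != 10:  # only RemoteInteractive (RDP) logons are of interest here
            continue
        t = datetime.fromisoformat(ts)
        if eid == 4625:
            by_ip[ip]["fail"].append((t, user))
        elif eid == 4624:
            by_ip[ip]["ok"].append((t, user))
    alerts = {}
    for ip, rec in by_ip.items():
        fails = sorted(rec["fail"])
        start, peak = 0, 0
        for end in range(len(fails)):  # sliding window: most failures seen within `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_fail = fails[-1][0]
        alerts[ip] = {
            "failures_in_window": peak,
            "accounts_tried": sorted({u for _, u in fails}),
            # accounts that logged on from this IP after the spray: likely compromised, rotate them
            "logon_after_spray": sorted({u for t, u in rec["ok"] if t > last_fail}),
        }
    return alerts
```

Feeding the same tuples from a real 4625/4624 export into detect_rdp_bruteforce gives an alert per offending source address; a non-empty logon_after_spray list is the case to escalate first.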
Organizations must proactively secure their remote access protocols to prevent unauthorized access and data breaches.