Wednesday, February 19, 2025

New RDP Exploit Allows Attackers to Take Over Windows and Browser Sessions

Cybersecurity experts have uncovered a new exploit leveraging the widely used Remote Desktop Protocol (RDP).

This vulnerability enables attackers to gain unauthorized control over Windows systems and hijack browser activity, posing a significant threat to individual and enterprise data security.

Details of the Exploit

The exploit arises from the improper handling and storage of RDP bitmap cache files, which are designed to enhance performance during remote desktop sessions.

These files store fragments of on-screen activity, such as graphical elements and screen data, on the client’s local machine.

While intended for performance optimization, malicious actors have now weaponized this feature to gain unprecedented insight into active Windows sessions and web browsing activity.

By analyzing the bitmap cache files stored on the initiating machine, attackers can reconstruct portions of the remote session’s screen.

Persistent bitmap caching is enabled by default in mstsc.exe

This includes opened applications, executed commands, private browser sessions, and sensitive user activities like accessing login pages or downloading files.

With additional tools, such as BMC-Tools (developed by France’s cybersecurity agency ANSSI) and RdpCacheStitcher, attackers can piece together the graphical fragments into actionable intelligence.

Researchers who explored this exploit compared it to virtually “looking over the shoulder” of the target user. In one real-world example, attackers successfully reconstructed RDP session frames to view:

  • Terminal commands executed by the user, such as certutil.exe used to download malicious scripts.
  • Private browser sessions, including login pages and sensitive credentials.
  • File system activities, such as copying files like “svchost.exe” to local directories.

This level of insight not only compromises user privacy but also provides attackers with detailed information to escalate their privileges and deepen their foothold within compromised networks.

How the Exploit Works

The exploit hinges on the functionality of RDP bitmap cache files, which persist across multiple sessions.

These files are stored locally on the client machine and contain cached graphical elements transferred during screen rendering. For instance, cache files like Cache0000.bin on Windows systems store 64×64-pixel bitmap fragments in a fixed format.

By extracting and collating these fragments, attackers can infer user activities, such as opened applications, commands executed in terminal windows, and websites accessed via browsers. The exploitation tools work as follows:

  1. Bitmap Extraction: Tools like BMC-Tools extract persistent graphical fragments from cache files.
  2. Session Reconstruction: Software such as RdpCacheStitcher reassembles the fragments into partial or complete reconstructions of the user’s screen during the remote session.

Partially-reconstructed RDP session frame in RdpCacheStitcher
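The two steps above are easier to reason about once the cache file is seen as a flat sequence of tile records. The following Python is an added example (not code from the article, from ANSSI’s BMC-Tools, or from RdpCacheStitcher) that walks such a file and sizes how much screen content it could give away, which is what an incident responder wants when judging the exposure of a compromised admin workstation before and after remediation. It assumes the tile layout that BMC-Tools documents for Cache*.bin: a 12-byte little-endian header (8-byte cache key, 16-bit width, 16-bit height) followed by width × height × 4 bytes of 32bpp pixel data stored bottom-up; that layout is an assumption here and should be checked against the tool’s source before the parser is pointed at real files. The sample cache it parses is constructed inline.

```python
"""Exposure sizing for RDP client bitmap cache files (added example).

ASSUMED on-disk layout (as documented for Cache*.bin by BMC-Tools; verify
before use): 12-byte header <Q key, H width, H height>, then width*height*4
bytes of 32bpp pixels, rows stored bottom-up.
"""
import struct
from dataclasses import dataclass

TILE_HEADER = struct.Struct("<QHH")   # key, width, height: 12 bytes, no padding
BYTES_PER_PIXEL = 4                   # 32bpp tiles
MAX_TILE_DIM = 64                     # client tiles are at most 64x64 pixels


@dataclass
class Tile:
    key: int
    width: int
    height: int
    pixels: bytes   # BGRA rows, top row first (already un-flipped)

    def is_blank(self) -> bool:
        """True when every pixel is the same colour, i.e. nothing recoverable."""
        first = self.pixels[:BYTES_PER_PIXEL]
        return all(self.pixels[i:i + BYTES_PER_PIXEL] == first
                   for i in range(0, len(self.pixels), BYTES_PER_PIXEL))


def encode_tile(key: int, rows_top_first: list[bytes]) -> bytes:
    """Serialise one tile in the assumed layout (rows written bottom-up)."""
    height = len(rows_top_first)
    width = len(rows_top_first[0]) // BYTES_PER_PIXEL
    return TILE_HEADER.pack(key, width, height) + b"".join(reversed(rows_top_first))


def parse_cache(data: bytes) -> list[Tile]:
    """Walk a cache blob and return its tiles; stop at a truncated trailing record."""
    tiles, offset = [], 0
    while offset + TILE_HEADER.size <= len(data):
        key, width, height = TILE_HEADER.unpack_from(data, offset)
        if not (0 < width <= MAX_TILE_DIM and 0 < height <= MAX_TILE_DIM):
            raise ValueError(f"implausible tile {width}x{height} at offset {offset}")
        body_start = offset + TILE_HEADER.size
        body_len = width * height * BYTES_PER_PIXEL
        if body_start + body_len > len(data):
            break                                   # file cut mid-write: ignore the tail
        row_len = width * BYTES_PER_PIXEL
        raw = data[body_start:body_start + body_len]
        rows = [raw[i:i + row_len] for i in range(0, body_len, row_len)]
        tiles.append(Tile(key, width, height, b"".join(reversed(rows))))
        offset = body_start + body_len
    return tiles


def exposure_summary(tiles: list[Tile]) -> dict:
    """How much screen content the parsed tiles could reveal."""
    informative = [t for t in tiles if not t.is_blank()]
    pixels = sum(t.width * t.height for t in informative)
    return {
        "tiles": len(tiles),
        "informative_tiles": len(informative),
        "informative_pixels": pixels,
        # rough yardstick: fraction of a 1920x1080 desktop that is recoverable
        "screens_1080p": round(pixels / (1920 * 1080), 4),
    }


def build_sample_cache() -> bytes:
    """Constructed sample: a blank 64x64 tile, a 64x64 tile with a distinct top
    row, a 32x16 gradient tile, then a truncated record as a cut-off file has."""
    blank = [b"\x00\x00\x00\xff" * 64] * 64
    marked = [b"\x10\x10\x10\xff" * 64] + [b"\xff\xff\xff\xff" * 64] * 63
    gradient = [bytes([c, c, c, 0xFF]) * 32 for c in range(16)]
    data = encode_tile(0x1122334455667788, blank)
    data += encode_tile(0x0011223344556677, marked)
    data += encode_tile(0x0000111122223333, gradient)
    data += TILE_HEADER.pack(0x4444555566667777, 64, 64) + b"\x00" * 100  # truncated
    return data


if __name__ == "__main__":
    parsed = parse_cache(build_sample_cache())
    print(exposure_summary(parsed))
```

Run against a real client cache directory, the summary is a quick before/after metric for the mitigation discussed later in the article: after persistent caching is disabled and the directory cleared, the informative-pixel count for new sessions should stay at zero.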

Potential Targets and Impact

The exploit is particularly dangerous for organizations. Administrators using RDP to manage multiple machines create an extensive web of sensitive connections, all of which may be vulnerable if an attacker gains access to the initiating machine.

Further outgoing RDP connections

In one incident, attackers used this exploit to target service providers remotely managing client systems, spreading malware and exfiltrating sensitive credentials.

While ordinary users are also at risk, the highest impact is seen in enterprise environments where RDP is essential for IT operations.

Malicious actors can use the reconstructed data to conduct phishing attacks, spread ransomware, or simply monitor sensitive activities without leaving a trace.

To mitigate the risks posed by this exploit, cybersecurity experts recommend the following measures:

  1. Disable Persistent Bitmap Caching: RDP clients (such as mstsc.exe) allow users to disable bitmap caching, minimizing the exposure of session data.
  2. Strengthen Network Security: Employ Virtual Private Networks (VPNs) and robust firewalls to secure RDP connections from external threats.
  3. Monitor RDP Sessions: Log and monitor RDP sessions for suspicious activity, including unexpected outgoing connections or file movements.
  4. Restrict Privileges: Implement the principle of least privilege to limit unnecessary RDP usage.
  5. Apply Updates: Regularly apply Windows updates and security patches to prevent exploitation of known vulnerabilities.
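Measures 1 and 3 are the ones a client-side administrator can act on directly. The following Python is an added example (not code from the article or from any vendor tool) that audits and hardens .rdp connection files, inventories the client cache directory, and flags outgoing RDP connections to hosts outside an allow-list. It relies on three things known outside the article: the `bitmapcachepersistenable` setting that mstsc.exe reads from .rdp files (absent means the default, which is on), the default cache location under `%LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache` (Cache*.bin as named in the article, plus the older bcache*.bmc container), and event ID 1024 in the Microsoft-Windows-TerminalServices-RDPClient/Operational log, which the client writes for each outgoing connection attempt. The .rdp text, the event lines and the cache directory it works on are all constructed samples.

```python
"""Client-side RDP hardening and detection helpers (added example)."""
import os
import re
import tempfile
from pathlib import Path

# .rdp setting read by mstsc.exe; when absent the client default (ON) applies.
PERSIST_KEY = "bitmapcachepersistenable"
# Default client cache location; Cache*.bin is the container the article
# names, bcache*.bmc the older one written by earlier client versions.
DEFAULT_CACHE_DIR = (Path(os.environ.get("LOCALAPPDATA", ""))
                     / "Microsoft" / "Terminal Server Client" / "Cache")
CACHE_PATTERNS = ("Cache*.bin", "bcache*.bmc")


def audit_rdp_file(text: str) -> dict:
    """Report whether a connection file leaves persistent bitmap caching enabled."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":i:")
        if sep and key.lower() == PERSIST_KEY:
            return {"explicit": True, "persist_enabled": value.strip() != "0"}
    return {"explicit": False, "persist_enabled": True}   # mstsc default


def harden_rdp_file(text: str) -> str:
    """Return the file with bitmapcachepersistenable:i:0, replacing any old value."""
    kept = [line for line in text.splitlines()
            if not line.strip().lower().startswith(PERSIST_KEY + ":i:")]
    kept.append(f"{PERSIST_KEY}:i:0")
    return "\n".join(kept) + "\n"


def inventory_cache_dir(cache_dir: Path) -> list[dict]:
    """List existing cache files so their size can be assessed and they can be wiped."""
    found = []
    for pattern in CACHE_PATTERNS:
        for p in sorted(cache_dir.glob(pattern)):
            found.append({"name": p.name, "bytes": p.stat().st_size})
    return found


# Shape of event 1024 ("RDP ClientActiveX is trying to connect to the server (host)")
# as exported one-per-line with a leading timestamp; the lines below are constructed.
EVENT_1024 = re.compile(r"^(?P<ts>\S+)\s+1024\s+.*connect to the server \((?P<host>[^)]+)\)")


def flag_unexpected_outgoing_rdp(lines, allowed_hosts) -> list[tuple[str, str]]:
    """Return (timestamp, host) for connection attempts outside the allow-list."""
    hits = []
    for line in lines:
        m = EVENT_1024.match(line)
        if m and m.group("host").lower() not in allowed_hosts:
            hits.append((m.group("ts"), m.group("host")))
    return hits


SAMPLE_RDP = """screen mode id:i:2
full address:s:jump01.corp.example
bitmapcachepersistenable:i:1
authentication level:i:2
"""

SAMPLE_EVENTS = [  # constructed
    "2025-02-18T09:12:01 1024 RDP ClientActiveX is trying to connect to the server (jump01.corp.example)",
    "2025-02-18T09:12:03 1102 The client has initiated a multi-transport connection to the server 10.0.5.20.",
    "2025-02-18T23:47:10 1024 RDP ClientActiveX is trying to connect to the server (203.0.113.45)",
]
ALLOWED_RDP_TARGETS = {"jump01.corp.example"}


def build_demo_cache_dir() -> Path:
    """Constructed stand-in for the client cache directory (two dummy files)."""
    d = Path(tempfile.mkdtemp(prefix="rdpcache-demo-"))
    (d / "Cache0000.bin").write_bytes(b"\x00" * 1024)
    (d / "bcache24.bmc").write_bytes(b"\x00" * 256)
    return d


if __name__ == "__main__":
    print(audit_rdp_file(SAMPLE_RDP))
    print(audit_rdp_file(harden_rdp_file(SAMPLE_RDP)))
    print(inventory_cache_dir(build_demo_cache_dir()))
    print(flag_unexpected_outgoing_rdp(SAMPLE_EVENTS, ALLOWED_RDP_TARGETS))
```

In practice the audit runs over every .rdp file users keep (including Default.rdp), the hardened file is written back, the inventoried cache files are deleted after any forensic copy has been taken, and the allow-list for outgoing RDP is the set of jump hosts the administrator is expected to reach; a hit outside it on an admin workstation is exactly the "unexpected outgoing connection" measure 3 asks to be watched for.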

According to the Insinuator blog, the discovery of this exploit underscores the double-edged nature of convenience-centric technologies like RDP.

While essential for remote access and network management, their misuse can create significant security vulnerabilities.

This incident also highlights the importance of forensic tools in identifying and mitigating emerging threats.

As organizations increasingly pivot towards remote and hybrid working models, securing RDP connections must remain a top priority. Experts warn that failure to address these vulnerabilities promptly could exacerbate the damage from future cyberattacks.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
