Sunday, February 9, 2025
HomeMalwareRCE Bug in Microsoft RDP Protocol Let Hackers Perform WannaCry Level Attack...

RCE Bug in Microsoft RDP Protocol Let Hackers Perform WannaCry Level Attack on 3 Million Vulnerable Endpoints

Published on

SIEM as a Service

Follow Us on Google News

A critical remote execution vulnerability in Microsoft remote desktop services enables RDP Protocol let attackers compromise the vulnerable system with WannaCry-level malware.

Microsoft recently fixed this RCE vulnerability in Remote Desktop Services – formerly known as Terminal Services, and it’s affected some of the old versions of Windows.

A WannaCry attack was one of the most notorious cyber-attacks of this decade, and it shut down millions of computers around the world by exploiting the vulnerability in the RDP protocol.

In this case, Remote Desktop Protocol (RDP) itself is not vulnerable, but attackers need to perform pre-authentication, and it doesn’t require user interaction.

This vulnerability didn’t have any exploit at this time, but in the future, an attacker will create malware that exploits this vulnerability in a similar way of WannaCry attack.

Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008 and also out-of-support versions Windows 2003 and Windows XP.

3 Million Endpoints are Vulnerable to This RCE Bug

Initially, an unauthenticated attacker will send the specially crafted malicious request to the vulnerable systems after they establish a connection through RDP.

According to Microsoft, This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An Independent researcher Kevin Beaumont said, based on the Shodan search engine, around 3 million RDP endpoints are directly exposed to the internet.

https://twitter.com/GossiTheDog/status/1128348383704485895

“There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled.

The affected systems are mitigated against â€˜wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered.” Microsoft said.

According to Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC), “Customers running Windows 8 and Windows 10 are not affected by this vulnerability”.

You can follow us on LinkedinTwitter, and Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep yourself self-updated.

Also Read:

AZORult Malware Abusing RDP Protocol To Steal the Data by Establish a Remote Desktop Connection

Hackers Launching Trickbot Malware That Steals VNC, PuTTY, and RDP Credentials

RDP Attack – Multiple Critical Vulnerabilities that Allow Attackers To Reverse the Communication

Cybercrime as a Service – Hackers Selling Ransomware, RDP Logins, and Credit Card Details on the Underground Markets

Hackers Conducting RDP Attacks Using New Technique to Bypass Protections

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques...

Ghidra 11.3 Released – A Major Update to NSA’s Open-Source Tool

The National Security Agency (NSA) has officially released Ghidra 11.3, the latest iteration of...