Cybersecurity

6096 readers

272 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 2 years ago

MODERATORS

kid

[email protected]

New RDP Exploit Allows Attackers to Take Over Windows and Browser Sessions (gbhackers.com)

submitted 12 hours ago by kid to c/cybersecurity

5 comments fedilink hide all child comments

top 5 comments

sorted by: hot top controversial new old

[–] [email protected] 2 points 2 hours ago

The article is a flat lie. It allows attackers to view fragments of an rdp session screen and nothing else like "take over" anything. It's also not remotely new.

[–] [email protected] 8 points 10 hours ago (1 children)

I'm kinda confused. This looks like really old information re-packaged as some sort of "exploit". Examining the RDP cache is an old trick. Here's a video on doing it from six years ago:
https://www.youtube.com/watch?v=NnEOk5-Dstw

The tools for doing this, have been out for a long time. Here's the EnCase tool:
https://marketplace.opentext.com/cybersecurity/content/rdp-cached-bitmap-extractor

Here's an open source parser:
https://github.com/ANSSI-FR/bmc-tools

So, what's new here and how is this allowing "Attackers to Take Over Windows and Browser Sessions" other than, if they are on a system, they can dig through the RDP cache? Which, if they are already on the system which launched the RDP sessions, the horse is long out of the barn. Between credential dumping, keylogging and pass the hash, the attacker probably has as much access as the local user has anyway.

[–] [email protected] 4 points 7 hours ago

Yeah this article is complete garbage. Who upvotes this stuff?

[–] ironhydroxide 1 points 11 hours ago (1 children)

And here my company ONLY allows RDP for Remote connections, claiming it's always safer.

[–] [email protected] 3 points 11 hours ago* (last edited 11 hours ago)

are they behind firewalls or vpn?

If you are using regular Windows rdp, you might suggest your business follow the guidelines to minimize the attack vector. At my work we use RoyalTS and it is the bee's knees. Lots of extra security added in and lots of easy of use.

Disable Persistent Bitmap Caching: RDP clients (such as mstsc.exe) allow users to disable bitmap caching, minimizing the exposure of session data.

Strengthen Network Security: Employ Virtual Private Networks (VPNs) and robust firewalls to secure RDP connections from external threats.

Monitor RDP Sessions: Log and monitor RDP sessions for suspicious activity, including unexpected outgoing connections or file movements.

Restrict Privileges: Implement the principle of least privilege to limit unnecessary RDP usage.

Apply Updates: Regularly update Windows systems and security patches to prevent exploitation of known vulnerabilities.