On March 13, 2012, Microsoft disclosed the details of a ‘critical vulnerability’ called Remote Desktop Protocol Vulnerability – CVE-2012-0002 in its bulletin. And even four years after this vulnerability was patched, it is still being exploited in the wild by attackers to carry out ‘Remote Code Execution’ on their victims computers.
Affected Operating Systems:
Reportedly, various exploit framework and public advisories are known to host reliable exploit code for the vulnerability (CVE-2012-0002). This helps even the most novice of hackers to exploit this vulnerability – all they have to do is fingerprint the victim’s machine that is having the RDP port 3389 open.
While handling the ‘maxChannelIds’ field of the ‘ConnectMCSPDU’ request, a ‘use-after-free vulnerability’ is triggered leading to a remote code execution in the RDP server. The complete technical disclosure of this vulnerability can be found here.
IPS Hits Trend
As observed in Quick Heal Labs, below is the trend of the exploitation of this vulnerability over the last four months.
– 11 Nov and 12 Dec 2016 shows a spike in the activity.
Recent Threat Actors
As observed, the machines affected by CVE-2012-0002 were connected to the Internet and had the RDP port 3389 open for outside access. Keeping ports of important services open to external access is an extremely unsafe practice and we strongly recommend against it.
Following are some of the attackers’ IPs that were observed to exploit the vulnerability (CVE-2012-0002).
Most of the above IPs have been blacklisted on various online malicious IP scanners such as www.abuseipdb.com
Quick Heal Detections
Quick Heal has released below the IPS detection for CVE-2012-0002.
Furthermore, many ransomware attacks were carried out using RDP brute force attempts. And to deal with these attacks, the below IPS detections were released recently.
Despite being patched four years ago, the vulnerability (CVE-2012-0002) is still being used by attackers to target unpatched Remote Desktop Service on Windows Operating systems. This only warrants the need for users to keep their OS updated with all the recommended security updates and use a multilayered security software such as Quick Heal.
Subject Matter Expert
– Pradeep Kulkarni (Threat Research & Response Team)
– Swapnil Mahajan (Product Development Team)