Earlier this year, Microsoft made another exception to release a security update to Windows XP. This security update addresses the Windows RDP/RDS vulnerability. This vulnerability exists in Microsoft Remote Desktop Services and is highly vulnerable to infection. Security professionals are concerned that the vulnerability will repeat the WannaCry attack two years ago. At the same time, the vulnerability affects Windows XP/Windows 7 Windows Server 2008 R2 and can be spread horizontally using the worm.
The National Security Agency and the Network Security Infrastructure Bureau have issued warnings to remind users to update patches, which shows the potential harm of this security vulnerability.
Researcher Kevin Beaumont is currently monitoring hackers. The purpose of the attacker is not to find a specific infection target, but to use the worm to quickly copy itself from the infected computer to another computer. Computers that are not patched and have Remote Desktop Services (3389) turned on are highly vulnerable. After infection, the worm installs mining software on the computer. At least at this stage, the attacker just wants to install mining software to make money and has not tried to install advanced backdoors on infected computers.
— Kevin Beaumont (@GossiTheDog) November 2, 2019
Because the details of this high-risk vulnerability are not fully disclosed, the attackers are only looking for examples of code released by researchers on the Internet. The sample code released by the researchers is not complete, and the attacker seems to lack sufficient programming skills to cause the attack program to not work properly. This is also the reason why the attacker only installs the mining software on the target computer. If the code works properly, the attacker must have other attacks. The monitoring data shows that there are about 700,000 computers with open ports 3389 exposed on the public network and no holes are fixed. These computers will be extremely risky.