The Threat

Since October 23, 2019, wide-scale exploitation of BlueKeep (CVE-2019-0708) has been observed in the wild, delivering cryptocurrency miners to vulnerable systems; the activity was first discovered by security researcher Kevin Beaumont [1]. Microsoft released security patches for BlueKeep in May 2019. It is highly recommended to install the patches on all vulnerable systems if this has not been done already.

What we’re doing about it

  • Managed Vulnerability Service (MVS) plugins identify this vulnerability
  • esNETWORK rules have been developed based on publicly available Proof of Concept code
  • Known IoCs have been checked against esENDPOINT clients and monitoring is ongoing
  • The Threat Intelligence team continues to monitor this topic for additional information

What you should do about it

  • Apply the official Microsoft security updates to affected systems [2]
    • It is highly recommended to update both externally facing systems and internal systems to mitigate the risks of accidental exposure
  • If RDP is not actively required, consider disabling the service or limiting access [3]
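The following PowerShell audit is an added example, not part of the eSentire advisory; it checks the two mitigations above on a single host (whether RDP is enabled and whether an expected update is installed). It assumes it is run as Administrator, that `$PatchKbIds` is filled in from the Microsoft advisory [2] (the value shown is a placeholder), and it adds one check the advisory does not mention: whether Network Level Authentication is required.

```powershell
# Added example: audit one Windows host for RDP exposure and BlueKeep patch status.
# Assumptions: run as Administrator; $PatchKbIds must be replaced with the KB
# identifiers from the Microsoft advisory (the default is a placeholder, not a real KB).
param(
    [string[]]$PatchKbIds = @('KB<from-MS-advisory>')
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled? fDenyTSConnections = 1 means inbound connections are refused.
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($denyTs -eq 0)

# 2. Is the Remote Desktop Services service (TermService) running?
$svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
$svcRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

# 3. Is Network Level Authentication required? (Not in the advisory text; NLA forces
#    authentication before the pre-auth RDP code path is reachable.)
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# 4. Is at least one of the expected security updates installed?
$installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
$patched = @($PatchKbIds | Where-Object { $installed -contains $_ }).Count -gt 0

# Turn the findings into the action the advisory recommends.
if (-not $patched) {
    $recommendation = 'Install the Microsoft update; disable or restrict RDP if it is not required'
} elseif ($rdpEnabled -and -not $nlaRequired) {
    $recommendation = 'Patched; consider requiring NLA and restricting RDP access'
} else {
    $recommendation = 'No action from this check'
}

[PSCustomObject]@{
    ComputerName    = $env:COMPUTERNAME
    OSVersion       = [System.Environment]::OSVersion.Version.ToString()
    RdpEnabled      = $rdpEnabled
    TermServiceUp   = $svcRunning
    NlaRequired     = $nlaRequired
    BlueKeepPatched = $patched
    Recommendation  = $recommendation
}
```

Run it with `-PatchKbIds` set to the KB numbers for the host's OS; the emitted object can be collected across hosts with `Invoke-Command` and exported for follow-up.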

Additional information

CVE-2019-0708 is a critical vulnerability affecting Microsoft Remote Desktop Protocol (RDP). If exploited, a remote and unauthenticated attacker can execute arbitrary code on vulnerable systems or cause a denial of service. This vulnerability is especially concerning because no user interaction is required and it is wormable, meaning that a determined threat actor could create a self-propagating exploit. However, at this time, no worms employing CVE-2019-0708 have been identified in the wild.

For additional technical details, see the blog post "BlueKeep (CVE 2019-0708) exploitation spotted in the wild" by Marcus Hutchins [4].

Affected Windows versions still supported by Microsoft:

  • Windows 7
  • Windows Server 2008 R2 (various versions)
  • Windows Server 2008 (various versions)

Affected Windows versions no longer supported by Microsoft:

  • Windows XP (various versions)
  • Windows Server 2003 (various versions)

References

[1] https://doublepulsar.com/bluekeep-exploitation-activity-seen-in-the-wild-bd6ee6e599a6

[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

[3] https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/

[4] https://www.kryptoslogic.com/blog/2019/11/bluekeep-cve-2019-0708-exploitation-spotted-in-the-wild/
