• ESET researchers recommend blocking direct internet connections to the Remote Desktop Protocol to avoid future harm from BlueKeep and other exploits
• BlueKeep is a security vulnerability in Microsoft’s Remote Desktop Protocol implementation that can allow unauthenticated remote code execution
ESET has just released a free BlueKeep tool to check whether a computer running Windows is safe against exploitation of the vulnerability. Both credential brute-force attacks and the BlueKeep exploit rely on Remote Desktop Protocol (RDP) connections reachable directly from the internet; once inside, attackers can misuse the victim’s servers for a wide range of malicious activity.
“While the BlueKeep vulnerability has not, to date, wreaked widespread havoc, it is still very early in its exploitation life cycle,” explains ESET Distinguished Researcher Aryeh Goretsky. “The fact remains that many systems are still not patched, and a thoroughly wormable version of the exploit might still be found,” he adds.
RDP allows one computer to connect to another over a network in order to use that computer remotely. For the past two years, ESET has seen an increasing number of incidents in which attackers have connected remotely to a Windows server from the internet using RDP. Attackers logged on as the computer’s administrator can then perform a variety of malicious actions, including downloading and installing programs onto the server, disabling security software or exfiltrating data from the server. While the exact nature of what attackers may do varies greatly, two of the most common practices are installing coin-mining programs in order to generate cryptocurrency and installing ransomware in order to extort money from the organization.
“Attacks performed with RDP have been slowly, but steadily, increasing, and have been the subject of a number of governmental advisories in the US, UK, Canada and Australia, just to name a few,” says Goretsky. “The arrival of BlueKeep opened floodgates for further attacks. This vulnerability could become wormable, which means an attack could spread itself automatically across networks without any intervention by users,” warns Goretsky.
Microsoft has assigned the BlueKeep vulnerability its highest severity level of Critical in its published guidance for customers, and in the US government’s National Vulnerability Database, the entry for CVE-2019-0708 is scored as 9.8 out of 10.
“Users should stop connecting directly to their servers over the internet using RDP. Understandably, this may be problematic for some businesses. However, with support for both Windows Server 2008 and Windows 7 ending in January 2020, having computers running these programs represents a risk to your business that you should already be planning to mitigate,” recommends Goretsky.
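The following PowerShell audit is an added example written for this page; it is not ESET’s BlueKeep tool and not Microsoft’s guidance. It checks the conditions the article warns about on a single Windows host (RDP enabled, Network Level Authentication required, listening port, and whether a CVE-2019-0708 update is present) and then applies the recommended mitigation by restricting inbound RDP firewall rules to private address ranges. The KB-to-build mapping and the choice of RFC 1918 ranges as the only legitimate management networks are the editor’s assumptions; verify both against Microsoft’s advisory and your own network before relying on them.

```powershell
# Added example (editor's code, not ESET's tool): audit one Windows host for
# RDP exposure and CVE-2019-0708 patch state, then scope inbound RDP to private
# networks. Run in an elevated Windows PowerShell; written for PowerShell 2.0
# so it also works on the Windows 7 / Server 2008 hosts that are affected.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = "$rdpKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled? fDenyTSConnections = 0 means the service accepts connections.
$rdpEnabled = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# 2. Is Network Level Authentication required? NLA makes the attacker authenticate
#    before reaching the vulnerable pre-auth code path; it is a partial mitigation only.
$nlaRequired = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication).UserAuthentication -eq 1

# 3. Listening port (default 3389). A non-default port does not reduce exposure.
$rdpPort = (Get-ItemProperty -Path $tcpKey -Name PortNumber).PortNumber

# 4. Patch state by OS build. ASSUMED mapping of Microsoft's May 2019 updates
#    (security-only and monthly rollup); verify against the CVE-2019-0708 advisory.
#    A later monthly rollup also contains the fix but will not list these KB IDs,
#    so treat $patched -eq $false as "verify manually", not as proof of exposure.
$kbsByBuild = @{
    '7601' = @('KB4499175', 'KB4499164')   # Windows 7 SP1 / Server 2008 R2 SP1
    '6002' = @('KB4499180', 'KB4499149')   # Windows Server 2008 SP2 / Vista SP2
    '3790' = @('KB4500331')                # Windows Server 2003 (out of support)
    '2600' = @('KB4500331')                # Windows XP (out of support)
}
$os    = Get-WmiObject -Class Win32_OperatingSystem
$build = ($os.Version -split '\.')[2]
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })

if ($kbsByBuild.ContainsKey($build)) {
    $hits    = @($kbsByBuild[$build] | Where-Object { $installed -contains $_ })
    $patched = $hits.Count -gt 0
} else {
    # Windows 8 / Server 2012 (build 9200) and later are not affected by CVE-2019-0708.
    $patched = [int]$build -ge 9200
}

New-Object PSObject -Property @{
    Host                = $env:COMPUTERNAME
    OSVersion           = $os.Version
    RDPEnabled          = $rdpEnabled
    NLARequired         = $nlaRequired
    RDPPort             = $rdpPort
    PatchedOrUnaffected = $patched
} | Format-List

# 5. Mitigation the article recommends: stop accepting RDP from the internet.
#    netsh is used rather than the NetSecurity cmdlets because the latter do not
#    exist on Windows 7 / Server 2008 R2. The private ranges are an assumption;
#    replace them with your actual management networks or VPN address pool.
if ($rdpEnabled) {
    $private = '10.0.0.0/8,172.16.0.0/12,192.168.0.0/16'
    netsh advfirewall firewall set rule group="Remote Desktop" new remoteip=$private
    Write-Host "Inbound 'Remote Desktop' firewall rules now limited to: $private"
}
```

Run it on each server that exposes TCP/$rdpPort; a host that reports RDPEnabled = True with PatchedOrUnaffected = False and a publicly routable address on that port is exactly the case the article describes. Scoping the firewall rule is a stop-gap: the durable fix is to patch and to put RDP behind a VPN or gateway so that no direct internet connection to the service is possible.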
Download BlueKeep (CVE-2019-0708) tool from here