One Step Closer to BlueKeep Exploit

Delaware, USA ā€“ July 25, 2019 ā€“ After a nearly two-month lull, there has been significant progress in creating a working exploit for BlueKeep flaw (CVE-2019-0708) due to the publication of a detailed technical analysis of the critical vulnerability and incomplete PoC exploit to attack WinXP systems. We recall that this ā€˜wormableā€™ vulnerability allows cybercriminals to attack Remote Desktop Services on Windows XP through to Server 2008 to run kernel-level code without authentication and get full control over the system. Microsoft released an update for this critical vulnerability in May and warned that its exploitation could lead to a WannaCry-like outbreak. The researchers managed to create several working PoC exploits (1,2), but for security reasons, they did not make them publicly available. Now, after the publication of information about the most difficult part of the code, we are weeks, if not days, from the appearance of a working exploit, according to security researcher Marcus Hutchins. The owner of the repository warns that this information is already known to the Chinese hacker community, and attackers are actively working to create working code.

Perhaps, in connection with the possible appearance of BlueKeep exploit, the authors of Watchbog cryptocurrency mining malware added a modified scanner for CVE-2019-0708 vulnerability developed by Sean Dillon (https://github.com/zerosum0x0/CVE-2019-0708). Watchbog attacks Linux servers exploiting vulnerabilities in Jira, Exim, Nexus Repository Manager 3, ThinkPHP, and Solr Linux. After infecting the system, the scanner checks the list of IP addresses received from the C&C server and sends back the scan results. It is not yet known whether the authors of the malware plan to expand the capabilities of Watchbog or sell a list of vulnerable systems on underground forums.

If you have not installed the necessary updates, now is the time to do it. You can also read the detailed blog post to learn more about creating proactive content that detects attempts to exploit BlueKeep flaw: https://socprime.com/en/blog/proactive-detection-content-cve-2019-0708-vs-attck-sigma-elastic-and-arcsight/

Links to free detection content
Sigma by Markus Neis https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_rdp.yml
Sigma by Roman Ranskyi https://tdm.socprime.com/tdm/info/2159/
ArcSight .ARB rule pack https://tdm.socprime.com/tdm/info/2160/
Elastic stack rule pack https://tdm.socprime.com/tdm/info/2160/