Delaware, USA – May 27, 2019 – Cybersecurity company GreyNoise Intelligence has detected scans for systems vulnerable to CVE-2019-0708, the flaw also known as BlueKeep. Researchers spotted sweeping tests from several dozen hosts around the Internet. All of them are Tor exit nodes, and it appears that a single threat actor is conducting reconnaissance in preparation for an attack. Andrew Morris, founder of GreyNoise Intelligence, said the threat actor is using a Metasploit module to perform these scans. At the moment the scans are still continuing, but attempts to exploit the vulnerability in the wild have not yet been observed. However, it is only a matter of time before the attackers move from reconnaissance to action.
So far there is no publicly available working exploit for this vulnerability, although security researchers continue to upload experimental versions to GitHub repositories. Several companies have already confirmed that a working exploit exists, but, in order not to help adversaries, they are not publishing any details about it. Of course, this will not stop state-sponsored hacking groups from developing and using their own. It is not known how much time remains to install updates on all vulnerable systems. To verify that the required updates are correctly installed on all systems in your organization, you can use the free scanner by Sean Dillon: https://github.com/zerosum0x0/CVE-2019-0708
You can also read the detailed blog post to learn more about creating proactive detection content for attempts to exploit the BlueKeep flaw: https://socprime.com/en/blog/proactive-detection-content-cve-2019-0708-vs-attck-sigma-elastic-and-arcsight/
Links to free detection content
Sigma by Markus Neis https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_rdp.yml
Sigma by Roman Ranskyi https://tdm.socprime.com/tdm/info/2159/
ArcSight .ARB rule pack https://tdm.socprime.com/tdm/info/2160/
Elastic stack rule pack https://tdm.socprime.com/tdm/info/2160/
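The reconnaissance described above has a simple network signature: one source touching TCP/3389 on many distinct internal hosts within a short window. The following is an added example written for this page (it is not code from the original article, from GreyNoise, or from the SOC Prime / Sigma detection packs linked above) that flags such RDP sweeps in perimeter connection logs and annotates whether the source is a known Tor exit. The log line format, the field names, the Tor exit list, the `WINDOW`/`THRESHOLD` tuning values and the sample traffic are all constructed for illustration and are not any vendor's real format or real scan data.

```python
"""RDP sweep detector: flag sources that hit TCP/3389 on many distinct hosts
within a short window, the pattern of the BlueKeep reconnaissance scans.

Added example; log format, field names, thresholds and sample data are
assumptions made for this illustration, not real traffic or a real product format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389
WINDOW = timedelta(minutes=5)   # assumed tuning value: look-back window per source
THRESHOLD = 5                   # assumed tuning value: distinct RDP targets in WINDOW

# Constructed Tor exit list (RFC 5737 documentation addresses, not real relays).
# In production, load a current exit list and refresh it regularly.
TOR_EXITS = {"198.51.100.7", "203.0.113.9"}

# Assumed line layout: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\w+)$"
)

# Constructed sample firewall log (not real traffic):
#  - 198.51.100.7 sweeps six hosts on 3389 within seconds, then one more 90 min later
#  - 192.0.2.4 retries the same host on 3389 (not a sweep)
#  - 203.0.113.9 sweeps many hosts, but on 443 (not RDP)
SAMPLE_LOGS = """\
2019-05-26T10:00:01 198.51.100.7 -> 10.0.0.5:3389 allow
2019-05-26T10:00:02 198.51.100.7 -> 10.0.0.6:3389 allow
2019-05-26T10:00:03 198.51.100.7 -> 10.0.0.7:3389 deny
2019-05-26T10:00:04 198.51.100.7 -> 10.0.0.8:3389 allow
2019-05-26T10:00:05 198.51.100.7 -> 10.0.0.9:3389 allow
2019-05-26T10:00:06 198.51.100.7 -> 10.0.0.10:3389 allow
2019-05-26T10:00:07 192.0.2.4 -> 10.0.0.5:3389 allow
2019-05-26T10:00:08 192.0.2.4 -> 10.0.0.5:3389 allow
2019-05-26T10:00:09 192.0.2.4 -> 10.0.0.5:3389 allow
2019-05-26T10:00:10 203.0.113.9 -> 10.0.0.5:443 allow
2019-05-26T10:00:11 203.0.113.9 -> 10.0.0.6:443 allow
2019-05-26T10:00:12 203.0.113.9 -> 10.0.0.7:443 allow
2019-05-26T10:00:13 203.0.113.9 -> 10.0.0.8:443 allow
2019-05-26T10:00:14 203.0.113.9 -> 10.0.0.9:443 allow
2019-05-26T10:00:15 203.0.113.9 -> 10.0.0.10:443 allow
2019-05-26T11:30:00 198.51.100.7 -> 10.0.0.20:3389 allow
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "action": m["action"],
    }


def find_rdp_sweeps(lines, window=WINDOW, threshold=THRESHOLD, tor_exits=TOR_EXITS):
    """Return one alert per source that reached >= threshold distinct RDP targets
    inside any window-sized span. Denied connections count too: a blocked probe is
    still evidence of a scan."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["port"] == RDP_PORT:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    alerts = []
    for src, hits in events.items():
        hits.sort()
        best = (0, None, None)  # (distinct targets, window start, window end)
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it fits within `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) > best[0]:
                best = (len(targets), hits[start][0], hits[end][0])
        if best[0] >= threshold:
            alerts.append({
                "src": src,
                "distinct_targets": best[0],
                "first_seen": best[1].isoformat(),
                "last_seen": best[2].isoformat(),
                "tor_exit": src in tor_exits,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_sweeps(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Run as-is, the script reports a single alert for 198.51.100.7 (six distinct targets in the 10:00 window, Tor exit: True); the single-host retries and the port 443 sweep produce nothing. The window and threshold are deliberately conservative starting points: on a network where a jump host legitimately opens RDP to many servers, add an allow-list of known scanners and administrative hosts before the alert fires.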