Delaware, USA – June 5, 2019 – Every day brings us closer to a WannaCry-like outbreak, as more and more information becomes available about the CVE-2019-0708 vulnerability, aka BlueKeep. Reverse engineer Sean Dillon (Zǝɹosum0x0) has developed a module for the Metasploit pentesting framework that exploits the BlueKeep flaw to achieve remote code execution. The module allows the researcher to compromise Windows XP, 7 and Server 2008, since the Remote Desktop Service in these operating systems is practically the same. The exploit does not yet work on Windows Server 2003, but the Metasploit team continues to experiment. The researcher has not shared the module with the cybersecurity community, as there are still too many vulnerable systems in the world, despite the fact that more than three weeks have passed since the update was released. In a recorded video, Zǝɹosum0x0 demonstrates the successful compromise of a machine running Windows 2008, then dumps admin credentials using the Mimikatz tool and gains full control over the machine.
Although researchers' interest in developing an exploit had subsided somewhat, this success may encourage many of them to resume work. The Metasploit framework is popular not only among pentesters but also among cybercriminal groups, so news of a working module will spur work on the “other side”. At least one group is probably already preparing for attacks after scanning the Internet for vulnerable systems. To protect against possible attacks, ensure that the necessary updates are installed on vulnerable systems. If it is not possible to install the update and reboot the system, you can use the micropatch.
Read the detailed blog post to learn more about creating proactive content that detects attempts to exploit the BlueKeep flaw: https://socprime.com/en/blog/proactive-detection-content-cve-2019-0708-vs-attck-sigma-elastic-and-arcsight/
Links to free detection content
Sigma by Markus Neis https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_rdp.yml
Sigma by Roman Ranskyi https://tdm.socprime.com/tdm/info/2159/
ArcSight .ARB rule pack https://tdm.socprime.com/tdm/info/2160/
Elastic stack rule pack https://tdm.socprime.com/tdm/info/2160/
QRadar rule pack https://tdm.socprime.com/tdm/info/2160/
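As an added example (not code from the original post, from SOC Prime, or from any of the rule packs linked above), here is the shape of a Sigma-style detection for suspicious RDP connections, written in Python and run over constructed Sysmon Event ID 3 records. The allow-list of RDP client images, the fan-out threshold and the sample events are assumptions. It goes a step beyond a single-event match by also counting distinct TCP/3389 targets per source host, which is what the scanning for vulnerable systems mentioned above looks like from inside the network.

```python
"""
Added example (not from the original post, nor from any of the rule packs
linked above): a Sigma-style detection for suspicious outbound RDP
(TCP/3389) connections, evaluated over constructed Sysmon Event ID 3
records. Field names follow Sysmon's network-connection event; the
allow-list, the fan-out threshold and the sample events are assumptions.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Assumption: images that legitimately open RDP sessions in this environment.
RDP_CLIENT_ALLOWLIST = (
    r"*\mstsc.exe",
    r"*\RTSApp.exe",
)

# Assumption: distinct RDP targets from one source before it is treated as a sweep.
FANOUT_THRESHOLD = 3


def _event(initiated, port, image, src, dst, event_id=3):
    """Build one Sysmon-like record (constructed test data, not real telemetry)."""
    return {"EventID": event_id, "Initiated": initiated, "DestinationPort": port,
            "Image": image, "SourceIp": src, "DestinationIp": dst}


# Constructed sample events.
SAMPLE_EVENTS = [
    # An admin opening one session with the built-in client: benign.
    _event("true", 3389, r"C:\Windows\System32\mstsc.exe", "10.0.0.5", "10.0.0.20"),
    # An unknown binary reaching 3389 on several hosts in turn.
    _event("true", 3389, r"C:\Users\Public\rdpscan.exe", "10.0.0.7", "10.0.0.21"),
    _event("true", 3389, r"C:\Users\Public\rdpscan.exe", "10.0.0.7", "10.0.0.22"),
    _event("true", 3389, r"C:\Users\Public\rdpscan.exe", "10.0.0.7", "10.0.0.23"),
    # Inbound side of the benign session as logged on the server: not initiated there.
    _event("false", 3389, r"C:\Windows\System32\svchost.exe", "10.0.0.5", "10.0.0.20"),
    # Ordinary HTTPS from a browser: wrong port.
    _event("true", 443, r"C:\Program Files\Mozilla Firefox\firefox.exe", "10.0.0.7", "203.0.113.10"),
    # A process-creation event (ID 1) with no network fields of interest.
    _event("", 0, r"C:\Windows\System32\cmd.exe", "", "", event_id=1),
]


def selected(ev):
    """Sigma 'selection': an outbound connection to TCP/3389 (Sysmon Event ID 3)."""
    return (ev.get("EventID") == 3
            and str(ev.get("Initiated", "")).lower() == "true"
            and int(ev.get("DestinationPort", 0)) == 3389)


def allowlisted(image):
    """Sigma 'filter': the initiating image is a known RDP client (case-insensitive)."""
    return any(fnmatchcase(image.lower(), pat.lower()) for pat in RDP_CLIENT_ALLOWLIST)


def suspicious_rdp_events(events):
    """Condition 'selection and not filter': per-event hits."""
    return [ev for ev in events
            if selected(ev) and not allowlisted(ev.get("Image", ""))]


def rdp_fanout_sources(events, threshold=FANOUT_THRESHOLD):
    """Aggregation 'count(DestinationIp) by SourceIp >= threshold' over selected events.
    Catches a host sweeping many RDP endpoints, whatever client image it uses."""
    targets = defaultdict(set)
    for ev in events:
        if selected(ev):
            targets[ev["SourceIp"]].add(ev["DestinationIp"])
    return {src: sorted(ips) for src, ips in targets.items() if len(ips) >= threshold}


if __name__ == "__main__":
    for ev in suspicious_rdp_events(SAMPLE_EVENTS):
        print(f"ALERT suspicious RDP client {ev['Image']}: "
              f"{ev['SourceIp']} -> {ev['DestinationIp']}")
    for src, ips in rdp_fanout_sources(SAMPLE_EVENTS).items():
        print(f"ALERT RDP sweep from {src}: {len(ips)} targets {ips}")
```

The two functions correspond to the two layers a real rule pack usually carries: the per-event rule fires on the unfamiliar client image alone, while the aggregation still fires if an attacker drives the sweep through an allow-listed binary, because it only counts distinct 3389 targets per source. Tune the allow-list and threshold to your own RDP usage before deploying anything like this.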