Delaware, USA – May 21, 2019 – Last week, Microsoft released a patch for a critical vulnerability (CVE-2019-0708, aka BlueKeep) in Remote Desktop Services that allows an adversary to connect to a target system over RDP and gain full access without authentication. The vulnerability affects older versions of the operating system: Windows XP, Vista, Windows 7, Windows Server 2003 and 2008. Microsoft called the vulnerability ‘wormable’ and warned that the world may already be on the brink of the next WannaCry or NotPetya outbreak. Indeed, according to Shodan, more than 2 million potentially vulnerable systems are reachable over the Internet worldwide; even if most of them turn out not to be exploitable, the consequences of an attack could be destructive.
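Whether an exposed host actually gives an unauthenticated client a session is the question behind the Shodan number above. Microsoft's advisory lists Network Level Authentication (NLA) as a mitigation because, with NLA enforced, a client must authenticate over CredSSP before it ever reaches the Remote Desktop Services code. As an added example (not code from the original post or from SOC Prime), the following Python script checks that one property: it sends the X.224 Connection Request defined in MS-RDPBCGR offering only legacy standard RDP security; a server that enforces NLA refuses with an RDP_NEG_FAILURE of HYBRID_REQUIRED_BY_SERVER, while a server that accepts the offer, or, like XP/2003-era servers, answers without any negotiation structure at all, will talk to anyone who can reach port 3389. The host names, the port default and the sample responses are constructed for the example.

```python
"""Probe an RDP listener's security negotiation (MS-RDPBCGR 2.2.1.1 / 2.2.1.2).

Added example, not code from the original post. Offering only standard RDP
security makes a server that enforces NLA reveal itself by refusing with
HYBRID_REQUIRED_BY_SERVER. Hosts, ports and sample responses are constructed.
"""
import socket
import struct
import sys

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

PROTOCOL_RDP = 0x00000000     # standard RDP security: no authentication before RDP
PROTOCOL_SSL = 0x00000001     # TLS transport, still no authentication before RDP
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; little-endian
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR body: code 0xE0, DST-REF, SRC-REF, class 0; LI counts the body only
    body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = struct.pack("B", len(body)) + body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm into a small verdict dict."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % code)
    if li == 6:
        # Bare CC without a negotiation structure: the server predates RDP
        # security negotiation (XP/2003 era) and only speaks standard RDP security.
        return {"negotiation": False, "selected_protocol": PROTOCOL_RDP, "failure": None}
    if len(data) < 19:
        raise ValueError("truncated negotiation structure")
    ntype, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("bad negotiation structure length %d" % length)
    if ntype == TYPE_RDP_NEG_RSP:
        return {"negotiation": True, "selected_protocol": value, "failure": None}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"negotiation": True, "selected_protocol": None,
                "failure": FAILURE_CODES.get(value, "UNKNOWN_0x%08x" % value)}
    raise ValueError("unexpected negotiation type 0x%02x" % ntype)


def classify(result: dict) -> str:
    """Reduce the parsed confirm to the question that matters for BlueKeep exposure."""
    if result["failure"] == "HYBRID_REQUIRED_BY_SERVER":
        return "NLA enforced: unauthenticated clients never reach the RDP stack"
    if result["failure"] is not None:
        return "negotiation refused: " + result["failure"]
    if result["selected_protocol"] in (PROTOCOL_RDP, PROTOCOL_SSL):
        return "no NLA: anyone who can reach the port gets a pre-auth RDP session"
    return "server selected protocol 0x%x" % result["selected_protocol"]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-PDU")
        buf += chunk
    return buf


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Offer only PROTOCOL_RDP to a live host and decode the server's answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        hdr = _recv_exact(s, 4)
        total = struct.unpack(">H", hdr[2:4])[0]
        return parse_connection_confirm(hdr + _recv_exact(s, total - 4))


# Constructed sample confirms (not captured from real hosts) for offline checks.
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_STANDARD_RDP = bytes.fromhex("030000130ed000001234000200080000000000")
SAMPLE_LEGACY_NO_NEG = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    for host in sys.argv[1:]:  # e.g. python rdp_nla_probe.py 192.0.2.10 (constructed address)
        try:
            print(host, classify(probe(host)))
        except (OSError, ValueError) as exc:
            print(host, "error:", exc)
```

Two caveats apply when reading the verdicts. The probe says nothing about patch state: a host that reports NLA enforced is still vulnerable to an attacker who holds valid credentials, so it must be patched regardless. And a "no NLA" result on an XP or Server 2003 host is expected, since those systems cannot require NLA at all; for them the only options are the patch or removing RDP from the network edge.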
Since the patch was released, researchers have been trying to build working proof-of-concept exploits for the vulnerability. The next day, the zero-day acquisition platform Zerodium confirmed that the vulnerability is exploitable. On Saturday, security researcher Valthek announced a working PoC, and its effectiveness was confirmed by McAfee senior principal engineer Christiaan Beek. Valthek has not published the code, and other researchers continue to work on PoCs of their own. You can track the publication of BlueKeep exploits on GitHub through this account: https://twitter.com/BlueKeepTracker
However, according to experts, there is currently only one working version. Exploitation of the vulnerability in the wild has not been detected so far, but it is unlikely that we have months to prepare for attacks. You can read about creating proactive detection content for the BlueKeep vulnerability on our blog: https://socprime.com/en/blog/proactive-detection-content-cve-2019-0708-vs-attck-sigma-elastic-and-arcsight/
Links to free detection content
Sigma by Markus Neis https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_rdp.yml
Sigma by Roman Ranskyi https://tdm.socprime.com/tdm/info/2159/
ArcSight .ARB rule pack https://tdm.socprime.com/tdm/info/2160/
Elastic stack rule pack https://tdm.socprime.com/tdm/info/2160/