Delaware, USA – May 29, 2019 – Robert Graham from Errata Security published research that clarified the number of vulnerable systems to CVE-2019-0708 (aka BlueKeep). Despite the fact that two weeks have passed since the update was released, and all media resources literally scream about the danger of this vulnerability, about 950,000 unpatched systems with open port 3389 were found on the public Internet. The researcher conducted a series of scans to determine the degree of threat most accurately, while able to determine the number of patched systems as well, which turned out to be about one and a half million. Due to the limited possibilities of such a scan, it is impossible to say how many vulnerable systems without access to the Internet are located in organizations. Robert Graham emphasizes that one vulnerable machine is enough to be infected with a worm which can use for further spreading within the organization’s network other methods of self-propagation, as it was during the NotPetya outbreak.
Last week, Siemens released 6 security alerts regarding medical equipment produced by the company that is vulnerable to BlueKeep flaw (1, 2, 3, 4, 5). Where possible, the company recommends installing Microsoft updates or disabling RDP and closing TCP port 3389, Siemens also promises to release updates for the vulnerable products in the near future.
It is not known how much time is left to install updates before the next attack. Unknown threat actor hiding behind the Tor network has been scanning the Internet for several days in search of vulnerable systems, and new repositories of researchers working to create a working exploit continue to appear on GitHub.
The detailed blog post to learn more about creating proactive content that detects attempts to exploit BlueKeep flaw: https://socprime.com/en/blog/proactive-detection-content-cve-2019-0708-vs-attck-sigma-elastic-and-arcsight/
Links to free detection content
Sigma by Markus Neis https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_rdp.yml
Sigma by Roman Ranskyi https://tdm.socprime.com/tdm/info/2159/
ArcSight .ARB rule pack https://tdm.socprime.com/tdm/info/2160/
Elastic stack rule pack https://tdm.socprime.com/tdm/info/2160/