The BlueKeep exploit is a tool threat actors can use to take advantage of a bug in Microsoft’s Remote Desktop Protocol (RDP) implementation. For the less initiated, RDP is a Microsoft operating system (OS) feature that allows users to establish remote connections from one computer to another via a user-friendly interface.
Using BlueKeep enables attackers to take control of a target server, allowing them to do anything to it.
Read More about “BlueKeep Exploit”
The BlueKeep exploit was discovered in May 2019, and threat actors have been abusing the vulnerability it attacks to gain control of target systems since.
What OSs Does the BlueKeep Exploit Affect?
The BlueKeep exploit can be used on practically every Microsoft OS released from 2000 to 2010. While Microsoft released a patch for the vulnerability as early as 14 May 2019, many systems remained unpatched and prone to compromise.
Over time, DejaBlue, vulnerabilities akin to the ones BlueKeep exploits, were reportedly seen in newer Windows versions (from Windows 7 to 10); a patch for these was also released on 13 August 2019.
Who Discovered CVE-2019-0708?
CVE-2019-0708, the vulnerability that BlueKeep exploits, was discovered by the U.K. National Cyber Security Centre. Security researcher Kevin Beaumont gave it the name “BlueKeep” on Twitter.
How Does the BlueKeep Exploit Work?
The following diagram shows a sample attack taking advantage of the BlueKeep bug:
The attackers begin by obtaining the BlueKeep exploit. They then choose an unpatched server to plant it on. In the diagram above, the threat actors have two goals—plant the data-stealing malware Kodiac and LazyKatz to gather credentials and create their own accounts on the network to spy on the network users. Part of the spying means moving from one system to another (lateral movement), and attackers would have to use the credentials they stole to do that.
Why Should You Care about Preventing BlueKeep Exploitation?
According to Microsoft, the BlueKeep vulnerability is dangerous because it is “wormable.” That means it could allow threat actors to spread malware from one computer to another.
National security agencies also urged users to patch because cybercriminals can exploit BlueKeep remotely. If attackers manage to do so, they can spread ransomware and other malicious code throughout a target network, allowing all affected computers to get infected.
Have Attackers Used the BlueKeep Exploit?
The first BlueKeep attack was reported in November 2019. But it wasn’t as bad as people expected since threat actors only used the exploit to install a cryptocurrency miner onto vulnerable systems. The malware just leeched off power from the infected computers for coin mining.
When Microsoft released the BlueKeep patch, only a proof-of-concept (PoC) attack was done. That showed the worst-case scenario akin to the WannaCry and NotPetya attacks in 2017.
How Can You Protect against the BlueKeep Exploit?
All organizations that allow RDP use on Windows systems are vulnerable to the BlueKeep exploit. But attacks targeting CVE-2019-0708 are preventable if you follow these best practices:
- Install the BlueKeep patch available here on all Windows 2000 to Windows 10 systems. Enable regular patching as well.
- Disallow or at least secure RDP usage. One way to do that is by blocking access to port 3389 when it is not in use.
- Enable network-level authentication (NLA) to prevent attackers from exploiting the BlueKeep bug on Windows 7 and Windows Server 2008 systems.
- Enforce the least-privilege principle. Encryption, lockout policies, and other permission- or role-based access controls can provide additional layers of protection.
One of the ways to prevent BlueKeep exploitation is turning off RDP on all network-connected systems. That requires limiting administrative access to IT administration and/or security personnel.
Follow the steps below for various Windows OS versions to turn off RDP.
|Windows 10||Windows 7 and 8||Windows XP|
|Click the Windows Start button.Type “Allow Remote Access to your computer.” You should see the remote settings dialog box in System Properties.Untick “Allow Remote Assistance connections to this computer.”Select “Don’t allow remote connections to this computer” under Remote Desktop then click OK.||Click the Start button then Control Panel.Open System and Security.Select System in the right pane.Select Remote Settings from the left pane to open the System Properties dialog box for the Remote tab.Click “Don’t Allow Connections to This Computer” then “OK.”Untick “Allow Remote Assistance connections to this computer.”||Right-click the My Computer icon on your desktop.Choose Properties.Click the Remote tab.Untick “Allow users to connect remotely to this computer” under the Remote Desktop section.Untick “Allow remote Assistance invitations to be sent from this computer.”|
Whether or not BlueKeep vulnerability exploitation could have truly disastrous consequences, patching is still a must. Attackers will always find ways to gain access to and take control of target systems, don’t let them use BlueKeep against you.