Microsoft patched a critical Remote Desktop Services Remote Code Execution Vulnerability this past May, 2019. Identified as CVE-2019-0708, and also known as BlueKeep, this remote code execution vulnerability can be exploited when an unauthenticated attacker connects to a target system using RDP and then sends specially crafted requests. This vulnerability exists pre-authentication and requires no user interaction. An attacker who successfully exploits this vulnerability could then execute arbitrary code on the target system.
Microsoft considered this vulnerability so serious that they even released patches for non-supported operating systems. BlueKeep has the potential to become a wormable event, meaning that some malware exploiting this vulnerability could also propagate from one vulnerable computer to another without user intervention, similar to the way WannaCry did in 2017. In fact, a public exploit module for the BlueKeep vulnerability was added to the open-source Metasploit penetration testing framework in September.
It is now being reported that BlueKeep attacks have started. Security researcher, Kevin Beaumont, has noted that honeypots he had setup for the purpose of spotting exploitation have now been exploited. BlueKeep artifacts have been found in the memory of these honeypots along with a shellcode for dropping a Monero Miner. Fortunately, these attacks are not deemed wormable, at least yet, but they instead exploit the BlueKeep vulnerability to simply install cryptominer malware on infected systems. Read Kevin’s research write-up, Blue Keep exploitation activity seen in the wild.
The FortiGuard Labs team recommends that customers immediately apply the latest patches from Microsoft for CVE-2019-0708 on any affected machines, and where possible, also disable RDP completely. Clearly, hackers have begun to focus on this vulnerability, and because it has the potential to become a highly destructive global event, all due care needs to be taken to prevent exploitation. Patching is the #1 protection measure for BlueKeep, and needs to be prioritized.
FortiGuard Labs has an IPS signature available to detect possible attacks against this Remote Code Execution vulnerability in Microsoft Remote Desktops: MS.Windows.RDP.CVE-2019-0708.Remote.Code.Execution
FortiGuard Labs will also continue to closely monitor this event for any developments, and we will provide updates to this blog should they become necessary.
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.