What is BlueKeep and how to scan and patch it.
It has recently been discovered that nearly one million Windows PCs are vulnerable to BlueKeep, a vulnerability in the Remote Desktop Protocol (RDP) service impacting older versions of the Windows OS.
Microsoft describes BlueKeep as a remote code execution vulnerability that exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.
This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploits this vulnerability could execute arbitrary code on the target system. The attacker can then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP.
BlueKeep, which is tracked as CVE-2019-0708, has been keeping security teams and specialists on their toes for the past three months.
The vulnerability was first discovered in the May 2019 patch, which was released on Tuesday 28 May. Since then, Microsoft has released patches to combat this flaw in its systems. However, just when we all thought it was safe to breathe again, Microsoft announced that the BlueKeep flaw is wormable. This means that a smart hacker could build on the already dangerous flaw to create malware that self-replicates and spreads on its own.
This would be similar to how hackers used the EternalBlue SMB exploit during the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks of 2017.
As of this time, we do not know who is behind the attacks but we are quite sure that they will be found sooner rather than later.
How Can I Test Which Hosts Are Vulnerable?
Robert Graham developed a simple assessment tool called RDPScan that the Huntress ThreatOps team used to remotely detect which externally facing hosts were vulnerable. This same tool can be used to locally determine if a Windows computer/server is vulnerable.
To do this, perform the following steps:
- Download the RDPScan tool from GitHub.
- Extract the application from the downloaded .ZIP archive to a location of your choice.
- Open a command prompt and navigate to the directory where you extracted rdpscan.exe.
- Type the command rdpscan.exe localhost to test whether this host is vulnerable to BlueKeep.
- If vulnerable, RDPScan will report VULNERABLE—got appid. Please follow the instructions from Microsoft to patch your system.
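When the steps above are repeated across several machines, the saved output can be triaged automatically. The following Python example is an addition to this article, not part of RDPScan or the original text; it parses scan output and groups hosts by next action. The sample lines are constructed, and the "host - STATUS - detail" layout and the SAFE and UNKNOWN statuses are assumptions about the tool's output; only the VULNERABLE line appears on this page.

```python
import re
from collections import defaultdict

# Constructed sample output; the "host - STATUS - detail" layout is an assumption.
SAMPLE_OUTPUT = """\
192.0.2.10 - SAFE - Target appears patched
192.0.2.11 - VULNERABLE -- got appid
192.0.2.12 - UNKNOWN - no connection - timeout
192.0.2.13 - SAFE - CredSSP/NLA required
localhost - VULNERABLE\u2014got appid
this line is not a scan result
"""

# Host, a dash separator, a status keyword, then an optional detail after
# "-", "--" or a typographic dash (copy/paste from web pages alters dashes).
LINE_RE = re.compile(
    r"^\s*(?P<host>\S+)\s+-+\s+(?P<status>SAFE|VULNERABLE|UNKNOWN)\b"
    r"\s*(?:[-\u2013\u2014]+\s*(?P<detail>.*\S))?\s*$"
)

def parse_rdpscan(text):
    """Return (results, unparsed): results are (host, status, detail) tuples."""
    results, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            results.append((m["host"], m["status"], m["detail"] or ""))
        else:
            unparsed.append(line)
    return results, unparsed

def triage(results):
    """Group hosts by action. UNKNOWN is never counted as safe."""
    actions = {"VULNERABLE": "patch_now", "UNKNOWN": "rescan", "SAFE": "ok"}
    buckets = defaultdict(list)
    for host, status, _detail in results:
        buckets[actions[status]].append(host)
    return dict(buckets)

if __name__ == "__main__":
    results, unparsed = parse_rdpscan(SAMPLE_OUTPUT)
    for action, hosts in sorted(triage(results).items()):
        print(f"{action}: {', '.join(hosts)}")
    if unparsed:
        print(f"{len(unparsed)} line(s) not recognised; review them by hand")
```

Hosts in the rescan group did not give a definite answer, so they stay on the to-do list until a later scan reports SAFE or VULNERABLE.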
The Good News
The good news is that if you are on our managed service agreement, we are working hard to make sure the patches have been applied to your environment. So you can rest easy knowing that our A Team is securing you and your environment from BlueKeep.
If you are not on our managed service agreement, do not fear. We are here to help you and make sure you are secure once again. Our A Team are currently scanning the internet for open RDP ports, testing for BlueKeep and notifying the owners to get patched up.
If you are not covered with our managed service agreement, you can follow up with Microsoft to patch your system.
Get in contact with us and let’s make sure you are protected from this and any future attacks that are inevitably going to affect us.