In May 2019, Microsoft released security updates for CVE-2019–0708, an unauthenticated, SYSTEM-level, network-based remote code execution (RCE) vulnerability. This vulnerability has been widely dubbed “BlueKeep”.
Recently BlueKeep has been in the news again due to signs of possible renewed threat actor interest and activity exploiting the vulnerability.
This blog provides background on the vulnerability and an update on the threat landscape based on analysis by the Proofpoint Threat Insight Team.
BlueKeep is a Use After Free (UAF) vulnerability in Microsoft Windows Remote Desktop Services, a network service widely used across the internet for remote access and management that listens on TCP and UDP port 3389 (TCP and UDP are protocols used for network communications).
Successfully exploiting the vulnerability could enable an attacker to run code on a vulnerable system in the same security context as the operating system – in practical terms, this means that the code potentially has complete control over the system. The nature of the vulnerability is such that an attacker would only have to deliver specially crafted Remote Desktop Protocol (RDP) network packets to the vulnerable system. Once the vulnerable system received and processed the malicious packets, the system would either crash with a so-called “Blue Screen of Death (BSoD)” or run the attacker’s code as the operating system.
All of these factors give BlueKeep a 10.0 score on the Common Vulnerabilities Scoring System (CVSS) making it a plausible candidate for self-propagating attacks on par with some of the highest impact vulnerabilities we’ve seen, like WannaCry and CONFICKER. In a word, there was concern that BlueKeep could be “wormable,” as journalist Brian Krebs labeled it.
It is important to note that BlueKeep only affects Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows 7, and Windows Server 2008. The latest versions of Microsoft Windows are not vulnerable to BlueKeep. And, in fact, most versions that are vulnerable are no longer supported by Microsoft.
Because of the severity of the vulnerability, however, Microsoft took the highly unusual step of releasing security updates for the out-of-support versions of Microsoft Windows, which remain extensively deployed in legacy environments worldwide. As detailed in Knowledge Base Article 4500705, Microsoft made security updates available for Windows XP, Windows Server 2003, and Windows Vista.
Because of the severity and exploitability of these vulnerabilities, Microsoft and others sounded an urgent call to action for everyone to apply security updates, especially those on out-of-date operating systems like Windows XP.
Since the release, the industry and research community have been on high alert for any signs of possible widespread exploitation of these vulnerabilities.
After months of little detectable movement around the BlueKeep vulnerability, researchers confirmed increased activity around BlueKeep exploitation with successful attacks leading to the installation of a coinminer. Later, Microsoft confirmed these findings in their own posting. Microsoft’s research also showed that activity was primarily affecting systems in France, Russia, Italy, Spain, Ukraine, Germany, the United Kingdom.
One very important detail that these researchers called out is that they did not observe any “worm”-like behavior in these attacks: the attacks appeared to be directed rather than automated.
This led immediately to increased concerns and a renewed call for people who had not already applied appropriate security updates to do so.
The Proofpoint Threat Insight team has been monitoring the BlueKeep situation closely, especially since the increased activity in early November. Our research team has four findings.
- BlueKeep exploitation attempts have not spiked again since early November. In fact, our data shows that BlueKeep activity after the November spike is consistent with prior activity.
- There is no indication of any attempts at automation of BlueKeep attacks.
- There is no indication of any significant, specific malware campaigns using BlueKeep beyond the coinmining malware that’s already been observed.
- BlueKeep exploitation attempts are heavily focused in Europe, consistent with the data others have presented. Our researchers have found a possible “staging server” for BlueKeep attacks in Italy with malware that includes executables and documents.
Taken together, this data tells us that while the BlueKeep vulnerability is a serious vulnerability and still poses a threat, that threat is not being fully leveraged at this time.
The activity levels, geographic isolation, relative unsophistication, and lack of automation associated with recent BlueKeep attacks suggest that BlueKeep will remain a relatively low-level threat in the short and medium-term. As more and more organizations update their vulnerable systems and reduce the viable attack surface, the chances of a large-scale attack against BlueKeep diminish over time.
While BlueKeep appears to be fading as a broad threat, it remains a feature of the landscape that organizations should continue to monitor. Because this threat disproportionally affects out-of-support software, a particular area of risk this threat poses is to networks and otherwise patched systems from unsecured, unpatched, or unknown legacy systems. This vulnerability could still be used in a way where a small number of infected systems on a network crippled the network through heavy traffic like we saw with Conficker. In this case, it’s best to think less about the risk TO vulnerable systems and more about the risk FROM vulnerable systems.
To better protect themselves, organizations should evaluate and implement the following three steps:
- Organizations should restrict access to RDP ports (TCP and UDP 3389) on their systems and networks from unknown sources as a best practice.
- Organizations that have out-of-support systems like Windows XP and Windows Server 2003 should retire those systems where possible. Where such legacy systems must be maintained, organizations should apply the security updates available and isolate those systems as much as possible.
- Organizations in Europe should maintain a heightened state of watch for possible BlueKeep activity.
The Proofpoint Threat Insight Team is continuing to monitor this situation and will provide any additional updates as needed.
Proofpoint customers are protected against known BlueKeep attacks with the following ET Pro IDS signatures:
2836767 ETPRO TROJAN Redkeeper/Bluekeep CVE-2019-0708 Probing
2027369 ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)