According to several reports, a large number of RDP servers remain unpatched despite warnings from security experts and government agencies. Sophos has recorded a BlueKeep proof-of-concept video to show just how dangerous the bug is. Here are the details of the BlueKeep exploit.
BlueKeep, tracked as CVE-2019-0708, is a vulnerability in the Remote Desktop Services component behind the Remote Desktop Protocol (RDP) on Windows. Microsoft disclosed and patched it in May 2019.
The bug is pre-authentication and wormable: an attacker who can reach the RDP listener can exploit it without credentials, then run commands to modify or steal data, install malware, or take full control of machines running older, unpatched versions of Windows.
The BlueKeep exploit is dangerous. Microsoft has urged users to apply the patches, and Sophos has issued the same warning. The U.S. National Security Agency (NSA) and the Department of Homeland Security have also published alerts telling organizations to patch against BlueKeep.
BlueKeep affects computers running Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2; Windows 8 and Windows 10 are not affected. The risk is severe enough that Microsoft even released patches for Windows XP and Windows Server 2003, which were already out of support.
Microsoft has warned that this wormable Remote Desktop Services flaw could lead to another WannaCry-style outbreak, and has released patches for the vulnerable older systems.
At the time of writing, no in-the-wild exploitation of BlueKeep had been observed, but Sophos researchers reverse-engineered Microsoft's patch and built a proof-of-concept (PoC) to show how an attacker would deploy a BlueKeep attack against RDP.
Sophos Creates PoC for BlueKeep Exploit
To demonstrate the BlueKeep bug, the researchers spent weeks reverse-engineering the patch Microsoft released in May. According to a blog post by Andrew Brandt of Sophos, an attacker using the code Sophos developed could launch a command shell on the target before ever reaching the Windows login screen.
In Sophos's video, the researchers use another trusted Windows component, the command shell cmd.exe, in place of an executable called utilman.exe (the part of Windows that turns accessibility features on and off).
An attacker can then press Windows + U, or click the accessibility icon on the login screen, to invoke utilman.exe. According to Sophos, utilman.exe runs with SYSTEM privileges, so the shell that takes its place does too.
The attack works in a "completely fileless fashion": the attacker simply connects over the vulnerable Remote Desktop Protocol and gains full control, without dropping any malware on disk and without needing an active session.
The post also notes that a threat actor could fully automate the entire attack chain with little effort, for example by typing commands into the shell or passing commands to it, which is extremely bad because it allows attacks against any system exposing RDP to the outside world.
Such an attack falls into the "spray and pray" category: attackers do not pick individual targets, and some percentage of the machines they hit will be compromised.
Sophos has decided not to release its BlueKeep proof-of-concept, since doing so would be too risky. The company has, however, published a support article with recommended countermeasures.
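The "spray and pray" point above rests on one fact: the vulnerable code is reachable before any authentication, so every host that answers on 3389/TCP without requiring Network Level Authentication is a candidate. The script below is an added example (not Sophos's code and not part of the original article) for finding such hosts on your own network. It sends a single X.224 Connection Request carrying an RDP Negotiation Request that offers only standard RDP security, as defined in Microsoft's MS-RDPBCGR specification, and classifies the server's reply. It uses only .NET sockets, so it also runs on the PowerShell 2.0 that ships with Windows 7. The host names in the usage call are assumptions.

```powershell
function Test-RdpNla {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [int]$Port = 3389,
        [int]$TimeoutMs = 3000
    )

    # TPKT header + X.224 Connection Request + RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1).
    # requestedProtocols = 0 (PROTOCOL_RDP only). A server that enforces NLA must
    # refuse this with RDP_NEG_FAILURE / HYBRID_REQUIRED_BY_SERVER.
    [byte[]]$request = 0x03,0x00,0x00,0x13,                    # TPKT: version 3, total length 19
                       0x0E,0xE0,0x00,0x00,0x00,0x00,0x00,      # X.224 CR: LI=14, CR code, refs, class 0
                       0x01,0x00,0x08,0x00,                     # RDP_NEG_REQ: type 1, flags 0, length 8
                       0x00,0x00,0x00,0x00                      # requestedProtocols = PROTOCOL_RDP

    $result = New-Object PSObject -Property @{
        ComputerName = $ComputerName; Port = $Port; Reachable = $false
        NlaRequired  = $null;         Detail = ''
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $result.Detail = 'connect timeout'; return $result
        }
        $client.EndConnect($async)
        $result.Reachable = $true

        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $stream.Write($request, 0, $request.Length)

        # Read until the TPKT length field (big-endian, bytes 2-3) says the PDU is complete.
        $buf = New-Object byte[] 64
        $n = 0; $expected = 4
        while ($n -lt $expected) {
            $got = $stream.Read($buf, $n, $buf.Length - $n)
            if ($got -le 0) { break }
            $n += $got
            if ($n -ge 4) { $expected = [int]$buf[2] * 256 + [int]$buf[3] }
            if ($expected -gt $buf.Length) { break }
        }

        # X.224 Connection Confirm: TPKT(4) + LI(1) + 0xD0(1) + refs(4) + class(1) = 11 bytes,
        # followed by an optional 8-byte RDP_NEG_RSP / RDP_NEG_FAILURE.
        if ($n -lt 11 -or $buf[0] -ne 3 -or $buf[5] -ne 0xD0) {
            $result.Detail = "unexpected reply ($n bytes)"; return $result
        }
        if ($n -lt 19) {
            # Pre-Vista servers (XP, 2003) do not implement negotiation at all and
            # only speak standard RDP security, so NLA cannot be in force.
            $result.NlaRequired = $false
            $result.Detail = 'legacy Connection Confirm without negotiation data (no NLA possible)'
            return $result
        }

        $code = [BitConverter]::ToUInt32($buf, 15)   # selectedProtocol or failureCode
        switch ($buf[11]) {
            2 { # RDP_NEG_RSP: the server accepted plain RDP security, pre-auth surface is reachable
                $result.NlaRequired = $false
                $result.Detail = "RDP_NEG_RSP selectedProtocol=$code (standard RDP security accepted)"
            }
            3 { # RDP_NEG_FAILURE: 5 = HYBRID_REQUIRED_BY_SERVER, 6 = SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER,
                # 1 = SSL_REQUIRED_BY_SERVER (TLS wanted, but still no credentials needed)
                if ($code -eq 5 -or $code -eq 6) {
                    $result.NlaRequired = $true
                    $result.Detail = "RDP_NEG_FAILURE code $code (NLA required)"
                } else {
                    $result.NlaRequired = $false
                    $result.Detail = "RDP_NEG_FAILURE code $code (not an NLA requirement)"
                }
            }
            default { $result.Detail = "unknown negotiation type $($buf[11])" }
        }
    } catch {
        $result.Detail = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return $result
}

# Usage (host names are assumed): list the hosts an unauthenticated attacker could reach.
'rdp-host1.corp.example', 'rdp-host2.corp.example' |
    ForEach-Object { Test-RdpNla -ComputerName $_ } |
    Where-Object { $_.Reachable -and $_.NlaRequired -eq $false } |
    Format-Table ComputerName, Port, NlaRequired, Detail -AutoSize
```

A host that shows up as reachable with NlaRequired = False is exposed in exactly the way the Sophos demonstration relies on. The probe only completes the connection negotiation and never touches the faulty channel handling, so it does not tell you whether the patch is installed; that still has to be checked on the host itself.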
The best protection is to patch every affected computer against this exploit. To reduce the risk over time, the following additional measures are also recommended:
- Disable RDP where it is not needed; the vulnerability cannot be reached if the service is not listening.
- Put internal RDP servers behind a VPN so that they are reachable only by authenticated VPN users.
- Block inbound traffic to 3389/TCP at the perimeter firewall.
- Apply additional controls such as multifactor authentication to all computers that host RDP services.
- Enable Network Level Authentication (NLA) on affected machines. This is a partial mitigation: the attacker must authenticate before the vulnerable code is reachable, so an attacker holding valid credentials can still exploit the bug, and NLA is not available as a server-side setting on Windows XP or Windows Server 2003.
- Assess the internal network to find which machines are vulnerable. If a machine cannot be patched, isolate it in a restricted VLAN.
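The list above is easy to state and easy to get slightly wrong on a live box (NLA lives under a WinStations registry key, not the obvious one, and a host-firewall block rule silently defeats any allow rule you add for the VPN). The following script is an added example, not code from the Sophos article or from Microsoft, that assesses and then hardens one Windows host along those lines. It targets the PowerShell 2.0 that ships with Windows 7 / Server 2008 R2, so it uses the registry and netsh rather than newer cmdlets, and must run as Administrator. The KB list, the VPN address pool and the English name of the built-in firewall rule are assumptions to verify in your environment.

```powershell
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# KB numbers of the May 2019 updates for CVE-2019-0708, as I recall them from Microsoft's
# advisory (assumption: verify against the advisory). Later cumulative rollups carry the
# fix under other KB numbers, so "not seen" means "check manually", not "unpatched".
$BlueKeepKbs = @(
    'KB4499175', 'KB4499164',   # Windows 7 SP1 / Server 2008 R2 SP1 (security-only / monthly rollup)
    'KB4499180', 'KB4499149',   # Windows Server 2008 SP2 / Vista SP2
    'KB4500331'                 # Windows XP SP3 / Server 2003 (out-of-support release)
)

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is switched off.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required before a session is created.
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $seen = @(Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $BlueKeepKbs -contains $_.HotFixID })

    $rdpEnabled  = ($deny -ne 1)
    $nlaRequired = ($nla -eq 1)
    New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        RdpEnabled       = $rdpEnabled
        NlaRequired      = $nlaRequired
        BlueKeepKbSeen   = ($seen.Count -gt 0)
        KbsSeen          = (($seen | ForEach-Object { $_.HotFixID }) -join ',')
        # Unauthenticated attackers only get at the bug if RDP is on AND NLA is off.
        PreAuthReachable = ($rdpEnabled -and -not $nlaRequired)
    }
}

function Set-RdpHardening {
    param(
        [switch]$DisableRdp,        # turn Remote Desktop off entirely
        [string]$VpnRemoteIp = ''   # e.g. '10.8.0.0/24': the VPN address pool (assumed value)
    )
    # Require NLA. Same effect as "Allow connections only from computers running Remote
    # Desktop with Network Level Authentication" in System Properties. Vista/2008 and later only.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord

    if ($VpnRemoteIp) {
        # Keep RDP reachable from the VPN pool only, by narrowing the scope of the built-in
        # allow rule (name assumed to be the English default). Adding a separate block rule
        # would not work: Windows Firewall lets block rules override allow rules.
        netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=$VpnRemoteIp | Out-Null
    } else {
        # Nobody should reach 3389/TCP on this host from the network at all.
        netsh advfirewall firewall add rule name="Block RDP inbound (CVE-2019-0708)" dir=in action=block protocol=TCP localport=3389 | Out-Null
    }

    if ($DisableRdp) {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    }
}

# Usage: look first, then harden. Re-run Get-RdpExposure afterwards to confirm.
Get-RdpExposure | Format-List
Set-RdpHardening -VpnRemoteIp '10.8.0.0/24'   # assumed VPN pool; omit to block 3389 outright
Get-RdpExposure | Format-List
```

Two caveats from the list apply here. On Windows XP and Server 2003 the UserAuthentication value does nothing, so for those hosts the only options in this script are the firewall rule, -DisableRdp, or the VLAN isolation the list mentions. And a True for NlaRequired does not make the host safe against someone who already holds a valid account; patching does.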