‘BlueKeep’ Windows Remote Desktop flaw gets PoC exploits

May 23, 2019

Multiple researchers created proof-of-concept exploits, including remote code execution attacks, targeting the recently patched Windows Remote Desktop flaw called BlueKeep.

Microsoft patched a critical Windows Remote Desktop vulnerability last week and the risks of attacks in the wild have since grown as multiple researchers have created proof-of-concept exploits.

The Windows RDP flaw, dubbed “BlueKeep” by British security researcher Kevin Beaumont, gained notoriety because when Microsoft patched it, Simon Pope, Microsoft Security Response Center director of incident response, wrote in an advisory that malware exploiting the vulnerability could spread in the same worm-like fashion as WannaCry, because an exploit requires no user interaction. Microsoft even took the rare step — as it did with WannaCry — of releasing patches for otherwise unsupported Windows XP and Server 2003 systems.

Since the BlueKeep patch was released on May 14, Beaumont has tracked the progress of security researchers. Although fake proof-of-concept (PoC) exploits were uploaded to GitHub almost instantly, it wasn’t until the 19th that working denial-of-service exploits were created by McAfee and Zerodium, followed by Kaspersky Lab researcher Boris Larin on the 20th.

On May 21, McAfee researchers described a BlueKeep PoC exploit they had created that is capable of remote code execution (RCE), but they did not release the code, out of concern that doing so would “not be responsible and may further the interests of malicious adversaries.”

“With our investigation we can confirm that the exploit is working and that it is possible to remotely execute code on a vulnerable system without authentication. Network Level Authentication should be effective to stop this exploit if enabled; however, if an attacker has credentials, they will bypass this step,” McAfee researchers wrote in a blog post. “We are urging those with unpatched and affected systems to apply the patch for CVE-2019-0708 as soon as possible. It is extremely likely malicious actors have weaponized this bug and exploitation attempts will likely be observed in the wild in the very near future.”
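The McAfee quote above gives the three facts that decide whether a host is exposed: whether RDP is reachable, whether Network Level Authentication is required, and whether the CVE-2019-0708 update is installed. The PowerShell below, added here as an example and not code from the article, McAfee or Microsoft, reports those three facts for the local host and can optionally turn NLA on. It is written against PowerShell 2.0 so it runs on the Windows 7 and Server 2008 R2 hosts the article is about. The default KB numbers are my assumption for Windows 7 SP1 / Server 2008 R2 only; take the numbers for each OS from Microsoft’s advisory for CVE-2019-0708 and pass them in with -PatchKbs.

```powershell
# Added example, not from the article, McAfee or Microsoft.
# Reports RDP exposure, NLA state and patch presence for CVE-2019-0708 on the local host.
# Run from an elevated prompt; -EnableNla writes the registry and is opt-in.
param(
    # Assumed KB numbers for Windows 7 SP1 / Server 2008 R2; verify against the advisory.
    [string[]]$PatchKbs = @('KB4499175', 'KB4499164'),
    [switch]$EnableNla
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections 1 = incoming RDP connections are refused, so the service is not exposed.
$rdpDenied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
# UserAuthentication 1 = NLA: the client must authenticate (CredSSP) before a session is created,
# which is what blocks the pre-authentication path the exploit uses.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
# SecurityLayer 0 = legacy RDP security, 1 = negotiate, 2 = TLS only.
$secLayer = (Get-ItemProperty -Path $rdpKey -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer

# Get-WmiObject rather than Get-CimInstance so the script works on PowerShell 2.0 hosts.
$os = Get-WmiObject -Class Win32_OperatingSystem

# Updates installed on or after the 2019-05-14 release date are candidates; a KB from the
# supplied list is direct evidence. InstalledOn can be empty for some entries, hence the guard.
$recent  = @(Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2019-05-14' })
$patched = @($recent | Where-Object { $PatchKbs -contains $_.HotFixID }).Count -gt 0

New-Object PSObject -Property @{
    Host          = $env:COMPUTERNAME
    OS            = $os.Caption
    RdpEnabled    = ($rdpDenied -ne 1)
    NlaRequired   = ($nla -eq 1)
    SecurityLayer = $secLayer
    PatchFound    = $patched
    RecentKBs     = (($recent | ForEach-Object { $_.HotFixID }) -join ',')
} | Select-Object Host, OS, RdpEnabled, NlaRequired, SecurityLayer, PatchFound, RecentKBs | Format-List

if (($rdpDenied -ne 1) -and -not $patched) {
    Write-Warning 'RDP is reachable and none of the supplied CVE-2019-0708 KBs is installed: patch now.'
    if ($nla -eq 1) {
        # NLA stops unauthenticated exploitation only; an attacker with valid credentials still gets through.
        Write-Warning 'NLA is required: the pre-auth path is blocked, but not for an attacker holding credentials.'
    } else {
        Write-Warning 'NLA is not required: unauthenticated remote code execution is possible.'
    }
}

if ($EnableNla -and ($nla -ne 1)) {
    # Takes effect for new connections; clients without CredSSP support (e.g. unpatched XP) will be refused.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Write-Host 'NLA is now required on RDP-Tcp. Re-run without -EnableNla to confirm.'
}
```

Run it as `.\Check-BlueKeep.ps1` for a report, or `.\Check-BlueKeep.ps1 -EnableNla` to require NLA as a stopgap on a host that cannot be patched immediately; NLA is a mitigation, not a fix, so PatchFound is the value to drive on. Hosts with RdpEnabled true and PatchFound false are the ones a network scanner would find.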

Beaumont said on Twitter that McAfee, Zerodium and Qihoo 360 all have RCE BlueKeep PoC exploits — though they have only been demoed and no PoC code has been released — but he noted that Qihoo 360 security researcher Zheng Wenbin, known as MJ0011, was a step ahead because that RCE exploit could run on Windows 7. Earlier today, Zheng showed off a stable RCE demo running on Windows 7 x64.

As yet, no BlueKeep attacks have been seen in the wild, but researchers at Proofpoint have seen low levels of scanning activity looking for vulnerable systems.

“We have started to observe BlueKeep CVE-2019-0708 scanning activity, likely due to the public release of a scanner and/or Qihoo360’s CERT tool going live. Beginning (roughly) around May 22nd, 2 pm UTC-7. Nothing to be majorly concerned about right now, the volume is incredibly low,” Proofpoint researcher sudosev tweeted. “Since volume is so low, I wouldn’t be surprised if this is scanner testing as opposed to somebody genuinely mass hunting for vulnerable servers, don’t get into a panic over this.”
