
BlueKeep: Researchers show how dangerous this Windows exploit could really be


steven36

Recommended Posts

Researchers develop a proof-of-concept attack after reverse engineering the Microsoft BlueKeep patch.

https://s7d6.turboimg.net/sp/2f899144792e5cd6b049219b962a1536/1562071488934579869471840742.jpg

Microsoft Windows users who are yet to patch a severe vulnerability, for which security updates were released almost two months ago, are putting themselves at risk from hackers.

The CVE-2019-0708 vulnerability – known as BlueKeep – was first reported in May, and allows attackers to connect to Remote Desktop Protocol (RDP) services and issue commands which could steal or modify data, install malware and conduct other malicious activities.

The vulnerability is considered dangerous enough that Microsoft has repeatedly told users to apply the patches, and even the USA's National Security Agency (NSA) issued a public warning to patch against BlueKeep.

The vulnerability has similar worm-like spreading functions to EternalBlue, the leaked NSA hacking tool which powered the global WannaCry ransomware outbreak in 2017.

It affects computers running Windows XP, Windows 7, Windows Server 2003, and Windows Server 2008, and the risk is considered so great that Microsoft issued a patch for Windows operating systems which are now considered unsupported.

There's currently no sign of BlueKeep having been exploited in the wild, but security researchers at Sophos have reversed the Microsoft patch and developed a proof-of-concept showing how attackers could deploy an attack against RDP systems without any input from the victim required.

If an attacker managed to do the same, they could use BlueKeep to issue destructive commands on what's thought to be millions of Windows systems which are still vulnerable to the exploit.

Using a Windows 7 virtual machine, the researchers used the accessibility features of Windows to deploy BlueKeep, altering the Windows accessibility menu to bypass security and gain access to the desktop.

Security experts worry the exploit could be used for anything from installing trojan malware for stealthy attacks, to deploying ransomware on compromised systems, or even just wiping entire networks. The vulnerability would be especially useful to attackers who only care about infecting as many machines as possible, with no preference as to who the victims are.

"An attack like this falls into the category of 'spray and pray' – the attackers are not choosy about who they target, and some percentage of machines will be vulnerable," said Andrew Brandt, principal researcher at Sophos.

Researchers won't release their proof of concept because they say doing so would be too much of a risk – but they have published a technical support bulletin with recommended actions.

The most critical advice is that users patch their systems to ensure that they're protected from attacks using BlueKeep, but researchers also recommended disconnecting RDP where it isn't necessary, requiring users to use a VPN to connect to an internal RDP server, and applying additional controls like multifactor authentication to machines hosting RDP services.


Source
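The bulletin's advice boils down to three things an administrator can verify on each host: the fix is installed, Remote Desktop is switched off where it is not needed, and nothing is listening on the RDP port. The script below is an added example, not code from the article, from Sophos or from Microsoft; it is a read-only PowerShell check of those three conditions (plus whether Network Level Authentication is required, which forces credentials before a session is created). The `$PatchKB` value is a placeholder, because the article names no KB number; take the correct id for the host's Windows version from Microsoft's CVE-2019-0708 advisory. It uses only cmdlets and registry keys available on Windows 7, so it runs on the systems the article says are affected.

```powershell
# Added example, not part of the original post or the Sophos bulletin.
# Read-only check of the BlueKeep mitigations the article recommends, run
# locally on the Windows host. Nothing here changes any setting.
#
# PLACEHOLDER: replace with the KB id Microsoft lists for CVE-2019-0708 on
# this OS version (the article does not give one).
param([string]$PatchKB = 'KB0000000')

$results = @()

# 1. Is the fix installed? Get-HotFix reads the installed-updates list; a
#    missing id returns nothing, which we report as $false.
$fix = Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = "Patch $PatchKB installed"; Ok = [bool]$fix }

# 2. Is Remote Desktop turned off? fDenyTSConnections = 1 means RDP is disabled,
#    which is what the bulletin recommends where RDP is not needed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$results += [pscustomobject]@{ Check = 'Remote Desktop disabled'; Ok = ($ts.fDenyTSConnections -eq 1) }

# 3. Where RDP must stay on: is Network Level Authentication required?
#    UserAuthentication = 1 makes the client authenticate before a session is
#    created, so an unauthenticated attacker reaches far less of the service.
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$results += [pscustomobject]@{ Check = 'NLA required'; Ok = ($rdpTcp.UserAuthentication -eq 1) }

# 4. Is anything actually listening on TCP 3389 (IPv4 or IPv6)? netstat is
#    used rather than Get-NetTCPConnection so the check also works on Windows 7.
$listening = netstat -ano | Select-String -Pattern '^\s*TCP\s+\S+:3389\s+\S+\s+LISTENING'
$results += [pscustomobject]@{ Check = 'Nothing listening on TCP 3389'; Ok = (-not $listening) }

# Ok = True on every row means the host matches the article's advice; a host
# that needs RDP should at least show the patch installed and NLA required.
$results | Format-Table -AutoSize
```

Run it from an elevated prompt so `Get-HotFix` and the registry reads succeed, for example `.\Check-Rdp.ps1 -PatchKB KB0000000` with the real id substituted. The firewall rule that the later reply mentions is a useful extra layer, but it is not checked here because the cmdlets that query it cleanly are not present on Windows 7.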

8 minutes ago, small potatoes said:

I did patch, but was told that for my Win7 system I also need to do the registry edit thing. I was also told if I do the registry edit that my performance will be decreased, so I didn't do it. Also, another reason I didn't do the reg thing is because I was told that I have as much chance of getting pwned by this BlueKeep as by getting hit by lightning, 3 times in a row. Do I understand correctly @steven36?

No, this is a different exploit. You're talking about side channel attacks, which have never been exploited in the wild. This here is an RDP server attack that only affects Windows 7 and older and is being exploited. It is a virus and nothing to play around with, but patching and disabling RDP when not needed is all that is required. ;)



Just now, small potatoes said:

OK, my bad @steven36, I got mixed up. I do all the monthly security updates (according to Ask Woody I am in group B). I only do the monthly security updates, I do them manually and have Automatic Updates disabled. I also never use Remote Desktop, and it is disabled and also blocked by the firewall just in case, so am I protected from this BlueKeep crap?

Yes, you're fine against it.



straycat19
4 hours ago, steven36 said:

Researchers won't release their proof of concept because they say doing so would be too much of a risk


Except they gave it to government entities for testing their current security procedures.



22 minutes ago, straycat19 said:


Except they gave it to government entities for testing their current security procedures.

That's different, they always give POC to those who need it, they just don't make it public. Most POC never get disclosed to the public till 90 days or it gets patched first, unless a hacker drops a 0-day. But this one is classified away from the public. Giving it to government entities is dangerous too, when they get a mole in there and decide to leak it to the press; that really worked out very well for them in recent years, that's how EternalBlue leaked after all, it was a government-made virus. :tooth:
