BRATISLAVA, SAN DIEGO — ESET has just released a free BlueKeep (CVE-2019-0708) tool to check whether a computer running Windows is safe against exploitation of the vulnerability. Both brute-force attacks and the BlueKeep exploit rely on direct Remote Desktop Protocol (RDP) connections, which allow attackers to carry out a wide range of malicious activity by misusing the victim’s servers.
“While the BlueKeep vulnerability has not, to date, wreaked widespread havoc, it is still very early in its exploitation life cycle,” explains ESET Distinguished Researcher Aryeh Goretsky. “The fact remains that many systems are still not patched, and a thoroughly wormable version of the exploit might still be found,” he adds.
RDP allows one computer to connect to another over a network in order to use it remotely. For the past two years, ESET has seen an increasing number of incidents in which attackers have connected remotely to a Windows server from the internet using RDP. Attackers logged on as the computer’s administrator can then perform a variety of malicious actions, including downloading and installing programs onto the server, disabling security software or exfiltrating data from the server. While the exact nature of what attackers may do varies greatly, two of the most common practices are installing coin-mining programs in order to generate cryptocurrency and installing ransomware in order to extort money from the organization.
“Attacks performed with RDP have been slowly, but steadily, increasing, and have been the subject of a number of governmental advisories in the US, UK, Canada and Australia, just to name a few,” says Goretsky. “The arrival of BlueKeep opened floodgates for further attacks. This vulnerability could become wormable, which means an attack could spread itself automatically across networks without any intervention by users,” warns Goretsky.
Microsoft has assigned the BlueKeep vulnerability its highest severity level of Critical in its published guidance for customers, and in the US government’s National Vulnerability Database, the entry for CVE-2019-0708 is scored as 9.8 out of 10.
“Users should stop connecting directly to their servers over the internet using RDP. Understandably, this may be problematic for some businesses. However, with support for both Windows Server 2008 and Windows 7 ending in January 2020, having computers running these programs represents a risk to your business that you should already be planning to mitigate,” recommends Goretsky.
For more details about the BlueKeep vulnerability, the ESET evaluation tool and attacks that use the Remote Desktop Protocol, read the blog post “It’s time to disconnect RDP from the internet” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.