While the BlueKeep (CVE-2019-0708) vulnerability has not, to date, caused widespread havoc, and we will be looking at the reasons why in this post, it is still very early in its exploitation life cycle. The fact remains that many systems are still not patched, and a thoroughly wormable version of the exploit might still be found. Because of these factors, ESET has created a free utility to check if a system is vulnerable.
Sometimes, you have to say something about things that “go without saying” and it seems the best way to start this post is by mentioning just that, because this is not a subject I expected to have to write about in this day and age. Before we dive in, let’s begin by looking at an old maxim.
There is an old saying in the information security field that if an adversary has physical access to your computer then it is not your computer anymore. The reason for this is quite simple: once the attackers have their hands on a computer, they can change anything they want. Installing devices such as hardware keyloggers, removing disk drives and copying them, and otherwise deleting, altering or adding anything they want on the system all become exponentially easier when you can walk right up to the computer. This is not a particularly surprising turn of events, nor a particularly clever one. Rather, it is an unavoidable truth. For the adversaries, it’s just part of their job description.
Businesses and schools and all sorts of organizations are not blind to this, though. None of these kinds of places put their servers at the front desk in the lobby, reception area, visitor center, waiting room or other locations where the public or, conceivably, any employee, faculty, student, or staff may enter and gain physical access to them. Or, at least, no business that wants to remain in business allows this. Usually, there’s some separation of the servers, whether they be in their own dedicated room, or even tucked away in some back corner that is off-limits to most personnel.
Yet for all this common knowledge, the lessons learned about security in the physical world do not always transfer well (or correctly) into the internet world. There are a large number of servers running various versions of Microsoft Windows server operating systems that are directly connected to the internet with what amounts to little or no practical security around who can access them. And that brings us to the discussion of RDP.
What is RDP?
RDP, short for Remote Desktop Protocol, allows one computer to connect to another computer over a network in order to use it remotely. In a domain, computers running a Windows Client operating system, such as Windows XP or Windows 10 come with RDP client software preinstalled as part of the operating system, which allows them to connect to other computers on the network, including the organization’s server(s). A connection to a server in this case means it could be directly to the server’s operating system, or it could be to an operating system running inside a virtual machine on that server. From that connection, a person can open directories, download and upload files, and run programs, just as if they were using the keyboard and monitor connected to that server.
RDP was invented by Citrix in 1995 and sold as part of an enhanced version of Windows NT 3.51 called WinFrame. In 1998, Microsoft added RDP to Windows NT 4.0 Terminal Server Edition. Since then, the protocol has been a part of all versions of Microsoft’s line of Windows Server operating systems, as well as being included with all non-home user editions of Windows Client operating systems since Windows XP was released in 2001. Today, common users of RDP include system administrators doing remote administration of servers from their cubicles without having to go into the server room, as well as remote workers who can connect to virtualized desktop machines inside their organization’s domain.
What do attackers do with RDP?
For the past couple of years, ESET has seen an increasing number of incidents where the attackers have connected remotely to a Windows Server from the internet using RDP and logged on as the computer’s administrator. Once the attackers are logged into the server as administrator, they will typically perform some reconnaissance to determine what the server is used for, by whom, and when it is being used.
Once the attackers know the kind of server they have control of, they can begin performing malicious actions. Common malicious activities we have seen include:
- clearing log files containing evidence of their presence on the system
- disabling scheduled backups and shadow copies
- disabling security software or setting up exclusions in it (which is allowed for administrators)
- downloading and installing various programs onto the server
- erasing or overwriting old backups, if they are accessible
- exfiltrating data from the server
This is not a complete list of all the things an attacker can do, nor is an attacker necessarily going to perform all of these activities. Attackers may connect multiple times over days or just once, if they have a predetermined agenda. While the exact nature of what attackers will do varies greatly, two of the most common are:
- installing coin-mining programs in order to generate cryptocurrency, such as Monero
- installing ransomware in order to extort money from the organization, often to be paid using cryptocurrency, such as bitcoin
In some cases, attackers might install additional remote-control software to maintain access (persistence) to a compromised server in case their RDP activity is discovered and terminated.
We have not seen any servers that were compromised both to extort via ransomware and to mine cryptocurrency, but we have seen instances where a server was compromised by one attacker to mine cryptocurrency, then later compromised by other attackers who changed the coin miner so that the proceeds went to them, instead. It seems there is little honor among thieves.
Knowledge around RDP attacks has reached a point that even sextortion scammers are incorporating mention of it their ransom notes in an attempt to make their scams sound more legitimate.
Figure 1. Image from sextortion email scam mentioning RDP
Mass RDP attacks
Attacks performed with RDP have been slowly, but steadily, increasing, and subject to a number of governmental advisories from the FBI, the UK’s NCSC, Canada’s CCCS, and Australia’s ACSC, to name a few.
However, in May 2019 the floodgates opened with the arrival of CVE-2019-0708, aka “BlueKeep,” a security vulnerability in RDP affecting Windows 2000, Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2. On the desktop, Windows 8 and later, and on servers, Windows Server 2012 and later, are unaffected.
The BlueKeep vulnerability allows attackers to run arbitrary program code on their victims’ computers. While even individual attackers can be a widespread threat because they can use automated tools for attacks, this vulnerability is “wormable,” which means an attack could spread itself automatically across networks without any intervention by users, just as the Win32/Diskcoder.C (aka NotPetya) and Conficker worms have in the past.
Exploitation of wormable vulnerabilities is generally considered a severe issue. Microsoft has assigned the vulnerability its highest severity level of Critical in its published guidance for customers, and in the US government’s National Vulnerability Database, the entry for CVE-2019-0708 is scored as 9.8 out of 10. Microsoft issued a blog post strongly recommending that users install its patches, including those for out-of-support operating systems such as Windows XP and Windows Server 2003. Concerns about a wormable exploit were so high that, at the beginning of June, the US National Security Agency issued a rare advisory recommending installation of Microsoft’s patches for the flaw.
At the beginning of September, Rapid7, the developer of the Metasploit pentesting tool, announced the release of a BlueKeep exploit. While no major escalations in BlueKeep activity were reported for the next couple of months, this has recently changed. At the beginning of November, mass reports of BlueKeep exploitation became public, as noted by ZDNet and WIRED, amongst other news outlets. The attacks have reportedly been less than successful, with about 91% of vulnerable computers crashing with a stop error (aka bug check or Blue Screen of Death) when the attacker attempts to exploit the BlueKeep vulnerability. However, on the remaining 9% of vulnerable computers, these attackers successfully installed Monero cryptomining software. So, while not the feared wormable attack, it does appear a criminal group has automated exploitation, albeit without a high success rate.
When I originally started writing this blog post, it was not my intention to go into a detailed description of the vulnerability, nor was it to provide a timeline of its exploitation: my goal was to provide readers with an understanding of what must be done to protect themselves against this threat. So, let’s take a look at what needs to be done.
Defending against RDP-borne attackers
So, with all that in mind, what can you do? Well, the first thing, obviously, is to stop connecting directly to your servers over the internet using RDP. This may be problematic for some businesses, because there may be some seemingly legitimate reasons for this. However, with support for both Windows Server 2008 and Windows 7 ending in January 2020, having computers running these and being directly accessible using RDP via the internet represents a risk to your business that you should already be planning to mitigate.
This does not mean that you immediately need to stop using RDP, but that you need to take additional steps to secure it as soon and as quickly as possible. Toward this end, we have created a table with the top ten steps you can take to begin securing your computers from RDP-based attacks.
|Recommendation for securing RDP||Reason|
|1. Disallow external connections to local machines on port 3389 (TCP/UDP) at the perimeter firewall.*||Blocks RDP access from the internet.|
|2. Test and deploy patches for the CVE-2019-0708 (BlueKeep) vulnerability and enable Network Level Authentication as quickly as possible.||Installing Microsoft’s patch and following their prescriptive guidelines helps ensure devices are protected against the BlueKeep vulnerability.|
|3. For all accounts that can be logged into via RDP require complex passwords (a long passphrase containing 15+ characters with no phrases related to the business, product names, or users is mandatory).||Protects against password-guessing and credential-stuffing attacks. It is incredibly easy to automate these, and increasing the length of a password exponentially makes them more resistant to such attacks.|
|4. Install two-factor authentication (2FA) and at a minimum require it on all accounts that can be logged into via RDP.||Requires a second layer of authentication only available to employees via mobile phone, token or other mechanism for logging into computers.|
|5. Install a virtual private network (VPN) gateway to broker all RDP connections from outside your local network.||Prevents RDP connections between the internet and your local network. Allows you to enforce stronger identification and authentication requirements for remote access to computers.|
|6. Password-protect endpoint security software using a strong password unrelated to administrative and service accounts.||Provides an additional layer of protection should an attacker gain administrator access to your network.|
|7. Enable exploitation blocking in endpoint security software.||Many endpoint security programs can also block exploitation techniques. Verify that this functionality is enabled.|
|8. Isolate any insecure computer that needs to be accessed from the internet using RDP.||Implement network isolation to block vulnerable computer(s) from the rest of the network.|
|9. Replace insecure computers.||If a computer cannot be patched against the BlueKeep vulnerability, plan for its timely replacement.|
|10. Consider instituting geoIP blocking at VPN gateway.||If staff and vendors are in the same country, or a short list of countries, consider blocking access from other countries in order to prevent connections from foreign attackers.|
*By default, RDP operates on port 3389. If you have changed this port to a different value then that is the port that should be blocked.
This table is loosely based on order of importance and ease of implementation, but that can vary depending upon your organization. Some of these may not be applicable to your organization, or it may be more practical to do them in a different order, or there may be additional steps your organization needs to take.
You should verify that your endpoint security software detects the BlueKeep vulnerability. BlueKeep is detected as RDP/Exploit.CVE-2019-0708 by ESET’s Network Attack Protection module, which is an extension of ESET’s firewall technology present in ESET Internet Security and ESET Smart Security Premium for consumers, and ESET’s endpoint protection programs for businesses.
Figure 2. ESET Antimalware technology explained: Network Attack Protection
It should be noted, though, that there are scenarios where detection may not occur, such as the exploit first crashing the system because it is unreliable. In order for it to be more effective, it would need to be paired with another exploit, such as an information disclosure vulnerability that reveals kernel memory addresses so that they no longer need to be guessed. This could reduce the amount of crashes, as the current exploit performs such a large heap spray.
If you are using security software from another vendor check with them to see if BlueKeep is detected and how.
Keep in mind, these steps represent only the beginning of what you can do to protect against RDP attacks. While having detection for attacks is a good start, it is not a substitute for patching or replacing vulnerable computers. Your information security staff and trusted security partners can provide you with additional guidance specific to your environment.
Using ESET’s BlueKeep (CVE-2019-0708) vulnerability checker
ESET has released a free BlueKeep (CVE-2019-0708) tool to check if a computer running Windows is vulnerable to exploitation. As of the time of publication, the tool can be downloaded from:
|Program||ESET BlueKeep (CVE-2019-0708) vulnerability checker|
(Be sure to check ESET’s Tools and Utilities page for newer versions)
This program has been tested against 32-bit and 64-bit versions of Windows XP, Windows Vista, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2 before and after applying Microsoft’s updates for BlueKeep. To use the program, run the executable. There are no command-line arguments for use with the initial release.
When run, the program will report if the system is vulnerable to exploitation, if the system is patched against exploitation, or if the system is not vulnerable to BlueKeep exploitation. In the event the system is vulnerable, the tool will take the user to the web page to download the appropriate patch on Microsoft’s web site.
While this is a single-purpose tool intended for personal use and is not intended to be deployed for mass use in an automated environment, it does have limited error reporting. For scripting, the tool returns an ERRORLEVEL of zero if the system is protected, and one if it is vulnerable or an error has occurred.
Figure 3. Example of running tool on unpatched Windows 7 system
Figure 4. Example of running tool on patched Windows 7 system
Figure 5. Example of running tool on non-vulnerable Windows 10 system
Final thoughts and additional reading
While BlueKeep exploitation may never become widespread, its inclusion in pentesting tools means that it will become a permanent part of in-house security tests. So, the real solution to preventing BlueKeep exploitation is to remove vulnerable devices from your company’s network.
However, it may not always be possible to do so because a vulnerable device occupies a critical role in the business, because of cost, or for other reasons. We have long advocated taking a layered approach to security, and protecting against BlueKeep is no exception. In fact, some of the steps outlined above, for example, installing a 2FA application such as ESET Secure Authentication, may help secure your networks from intruders and other threats as well.
Further information about RDP and BlueKeep can be found at:
- CSO Online. Microsoft urges Windows customers to patch wormable RDP flaw. (15 May 2019)
- Description of the security update for the remote code execution vulnerability in Windows XP SP3, Windows Server 2003 SP2, Windows Server 2003 SP2 R2, Windows XP Professional x64 Edition SP2, Windows XP Embedded SP3, Windows Embedded POSReady 2009, and Windows Embedded Standard 2009. (17 June 2019)
- Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability: May 14, 2019. (14 May 2019)
- CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability. (14 May 2019)
- Configure Network level Authentication for Remote desktop Services Connections. (13 June 2013)
- CVE-2019-0708. (undated)
- NSA Cybersecurity Advisory: Patch Remote Desktop Services on Legacy Versions of Windows. (4 June 2019)
- An update on the Microsoft Windows RDP “BlueKeep” Vulnerability (CVE-2019-0708) [now with pcaps]. (22 May 2019)
- US-CERT, Technical Alert AA19-168A: Microsoft Operating Systems BlueKeep Vulnerability. (17 June 2019)
- First BlueKeep attacks prompt fresh warnings. (11 November 2019)
- Microsoft warns of new BlueKeep-like flaws. (15 August 2019)
- BlueKeep patching isn’t progressing fast enough. (17 July 2019)
- NSA joins chorus urging Windows users to patch ‘BlueKeep’. (6 June 2019)
- Patch now! Why the BlueKeep vulnerability is a big deal. (22 May 2019)
- Intense scanning activity detected for BlueKeep RDP flaw. (26 May 2019)
Special thanks to my colleagues Alexis Dorais-Joncas, Bruce P. Burrell, Nick FitzGerald, Matúš P., Peter R., Peter Stančík, Štefan S., and other colleagues from ESET for their assistance with this article.
MITRE ATT&CK techniques
|Initial Access||T1076||Remote Desktop Protocol||BlueKeep leverages a vulnerability in Remote Desktop Protocol.|
|T1133||External Remote Services||BlueKeep exploits public-facing RDP servers on the Internet.|
|Command and Control||T1071||Standard Application Layer Protocol||BlueKeep uses port 3389 by default for command and control.|
|T1043||Commonly Used Port||BlueKeep uses port 3389 by default for attack targeting.|
|Lateral Movement||T1210||Exploitation of Remote Services||BlueKeep exploits public-facing RDP servers on the Internet.|
|Mitigation||M1035||Limit Access to Resource Over network||Prevent BlueKeep ingress though use of VPN gateway.|
|M1050||Exploit Protection||Prevent BlueKeep ingress through use of exploit protection in endpoint security.|
|M1032||Multi-factor Authentication||Use MFA for all logins performed via RDP.|
|M1031||Network Intrusion Prevention||Prevent BlueKeep ingress through use of network protection in endpoint security.|
|M1051||Update Software||Prevent BlueKeep exploitation via install of CVE-2019-0708 patch or upgrade to non-vulnerable operating system version.|
|M1049||Antivirus/Antimalware||Prevent BlueKeep attack code from running through use of endpoint security.|