Date: 7th June 2019
Summary: A critical vulnerability has been discovered in several versions of Microsoft Windows, affecting both desktop and server editions of the operating system. The vulnerability, discovered by the UK National Cyber Security Centre (NCSC), has become known as ‘BlueKeep’. Microsoft has released critical patches for Windows 7 and XP systems.
The US National Security Agency (NSA) has added that the vulnerability is also wormable, meaning an exploit could self-propagate from machine to machine once inside a network.
The vulnerability is so critical because it can be exploited without any user interaction and before any authentication takes place.
Conclusions: The unusual public intervention of several state intelligence agencies suggests that exploitation of the vulnerability is either imminent or already underway by state-sponsored and organised-crime threat actors.
The vulnerability has raised heightened concern because of the 2017 outbreak of WannaCry malware, which exploited a similar weakness to infect millions of Windows computers and which, despite patches being available, still caused widespread global disruption and data loss in many organisations, including the UK’s National Health Service.
Tactics, Techniques and Procedures: The exploitation is realised through a specially crafted request to the target system's Remote Desktop service. Once exploited, the attacker has full access to the affected system. No authentication or user interaction is required.
A Proof of Concept exploit was recently developed by a researcher and demonstrated that a targeted machine could be fully taken over in 22 seconds. A Metasploit module has been created, but due to the inherent risks of releasing a working exploit to vulnerable machines, it has been kept private.
Indicators of Compromise: At this stage this is a vulnerability only; no active campaign has been identified, so IP addresses, files and registry keys are not yet available. The following general indicators may indicate an attack using the vulnerability:
- IP address sweeps on Remote Desktop network ports indicate active reconnaissance of systems.
- Suspicious changes to the registry, system files, services, application files or log files, unexpected shutdowns, or file encryption on systems with externally facing Remote Desktop services may indicate a successful compromise and subsequent malware infection.
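The first indicator above (one source address probing many hosts on the Remote Desktop port) can be picked out of host or perimeter firewall logs. The following PowerShell is an added example, not part of the Invinsec advisory: it parses lines in Windows Firewall (pfirewall.log) format, counts the distinct destination hosts each source touches on TCP 3389, and reports sources above a threshold. The log lines, addresses and the threshold of five targets are constructed assumptions; the function name is hypothetical.

```powershell
# Added example (not from the Invinsec advisory): flag source addresses that probe many
# distinct hosts on TCP 3389, the reconnaissance pattern listed as an indicator.
# Sample lines are constructed in Windows Firewall (pfirewall.log) format.

$SampleLog = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-06-07 09:00:01 DROP TCP 198.51.100.23 203.0.113.10 51000 3389 52 S 0 0 0 - - - RECEIVE
2019-06-07 09:00:01 DROP TCP 198.51.100.23 203.0.113.11 51001 3389 52 S 0 0 0 - - - RECEIVE
2019-06-07 09:00:02 DROP TCP 198.51.100.23 203.0.113.12 51002 3389 52 S 0 0 0 - - - RECEIVE
2019-06-07 09:00:02 DROP TCP 198.51.100.23 203.0.113.13 51003 3389 52 S 0 0 0 - - - RECEIVE
2019-06-07 09:00:03 DROP TCP 198.51.100.23 203.0.113.14 51004 3389 52 S 0 0 0 - - - RECEIVE
2019-06-07 09:00:03 DROP TCP 198.51.100.23 203.0.113.15 51005 3389 52 S 0 0 0 - - - RECEIVE
2019-06-07 09:00:04 ALLOW TCP 192.0.2.44 203.0.113.10 49222 3389 52 S 0 0 0 - - - RECEIVE
2019-06-07 09:00:05 ALLOW TCP 192.0.2.44 203.0.113.10 49223 443 52 S 0 0 0 - - - RECEIVE
2019-06-07 09:00:06 DROP UDP 192.0.2.99 203.0.113.10 5353 5353 80 - - - - - - - RECEIVE
'@

function Find-RdpSweep {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$RdpPort = 3389,
        [int]$MinDistinctTargets = 5   # assumption: tune to the size of your address space
    )
    $targetsBySource  = @{}   # source IP -> set of distinct destination IPs on the RDP port
    $attemptsBySource = @{}   # source IP -> total connection attempts on the RDP port

    foreach ($line in $Lines) {
        # Skip header/comment lines and blanks
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line.Trim() -split '\s+'
        # Field order: date time action protocol src-ip dst-ip src-port dst-port ...
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP') { continue }
        if ([int]$f[7] -ne $RdpPort) { continue }
        $src = $f[4]; $dst = $f[5]
        if (-not $targetsBySource.ContainsKey($src)) {
            $targetsBySource[$src]  = New-Object 'System.Collections.Generic.HashSet[string]'
            $attemptsBySource[$src] = 0
        }
        [void]$targetsBySource[$src].Add($dst)
        $attemptsBySource[$src]++
    }

    # Report only sources that reached the distinct-target threshold (a sweep, not one session)
    foreach ($src in $targetsBySource.Keys) {
        if ($targetsBySource[$src].Count -ge $MinDistinctTargets) {
            [pscustomobject]@{
                Source          = $src
                DistinctTargets = $targetsBySource[$src].Count
                Attempts        = $attemptsBySource[$src]
            }
        }
    }
}

# With the constructed data only 198.51.100.23 is reported (6 targets, 6 attempts);
# 192.0.2.44 connected to a single host and is left alone.
Find-RdpSweep -Lines ($SampleLog -split "`r?`n") | Sort-Object DistinctTargets -Descending | Format-Table -AutoSize
```

To run this against real data on the affected Windows versions, enable logging of dropped connections with `netsh advfirewall set allprofiles logging droppedconnections enable` and feed the function `Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"`. Logs from other perimeter firewalls have different field layouts, so the column indexes in the parser would need adjusting for them.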
Vulnerable Software Versions:
- Microsoft Windows XP
- Microsoft Windows Vista
- Microsoft Windows 7
- Microsoft Windows Server 2003
- Microsoft Windows Server 2008
- Microsoft Windows Server 2008 R2
Invinsec strongly recommends the following immediate activities:
- Block TCP port 3389 on perimeter firewalls and on personal firewalls on Windows laptops
- Apply critical Microsoft patches (we recommend using emergency patching processes to expedite roll out and not waiting for monthly patching cycles)
- Disable Remote Desktop services on all systems which do not require them
- Enable Network Level Authentication for Remote Desktop on all systems
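The host-level items in the list above (block 3389 at the personal firewall, disable Remote Desktop where it is not needed, require Network Level Authentication, confirm the patch is installed) can be audited and applied from PowerShell. The script below is an added example, not part of the Invinsec advisory and not a Microsoft tool; it assumes PowerShell 3.0 or later running with administrative rights on Windows 7 / Server 2008 or later (Windows XP and Server 2003 do not have `netsh advfirewall`). The KB number is a placeholder to be replaced with the patch identifier Microsoft published for the system's version, and the function names and rule name are hypothetical.

```powershell
# Added example (not from the Invinsec advisory): audit and apply the advisory's
# host-level Remote Desktop mitigations. Assumes PowerShell 3.0+ running elevated.

$RdpKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpKey  = "$RdpKey\WinStations\RDP-Tcp"
$RuleName   = 'Block inbound RDP (TCP 3389)'
$RequiredKb = 'KB<placeholder>'   # placeholder: substitute the patch KB for this OS version

function Get-RdpHardeningStatus {
    # fDenyTSConnections = 1 means Remote Desktop connections are refused
    $rdpDisabled = (Get-ItemProperty -Path $RdpKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
    # UserAuthentication = 1 means Network Level Authentication is required before a session is created
    $nlaEnabled  = (Get-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1
    # Look for our host firewall block rule on 3389
    $ruleText    = (netsh advfirewall firewall show rule name="$RuleName" 2>$null) -join "`n"
    $ruleExists  = $ruleText -match 'LocalPort:\s+3389'
    # Is the required patch present?
    $patched     = [bool](Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        PatchInstalled    = $patched
        NlaEnabled        = $nlaEnabled
        Port3389BlockRule = $ruleExists
        RdpDisabled       = $rdpDisabled
    }
}

function Set-RdpHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Only for systems that do not need Remote Desktop at all
        [switch]$DisableRemoteDesktop,
        # Only for laptops and other hosts that must not accept inbound RDP (breaks legitimate RDP)
        [switch]$BlockPort3389
    )
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Require Network Level Authentication for RDP')) {
        Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value 1 -Type DWord
    }
    if ($BlockPort3389 -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Add host firewall rule '$RuleName'")) {
        netsh advfirewall firewall add rule name="$RuleName" dir=in action=block protocol=TCP localport=3389 | Out-Null
    }
    if ($DisableRemoteDesktop -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable Remote Desktop connections')) {
        Set-ItemProperty -Path $RdpKey -Name fDenyTSConnections -Value 1 -Type DWord
    }
}

# Audit first; then preview changes with -WhatIf and drop it to apply.
Get-RdpHardeningStatus | Format-List
# Set-RdpHardening -BlockPort3389 -WhatIf
# Set-RdpHardening -DisableRemoteDesktop -WhatIf
```

`Get-RdpHardeningStatus` is read-only and can be run across an estate (for example via `Invoke-Command`) to build the prioritised list the advisory asks for; the apply function is split into switches so that the NLA change, which keeps Remote Desktop usable, can be rolled out everywhere while the port block and full disable are reserved for the systems the advisory names. Patching remains the primary fix; the other three are compensating controls.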
Invinsec strongly recommends the following activities as soon as possible:
- Upgrade unsupported Windows versions to the latest edition (Windows 10, Windows Server 2019)
- Upgrade Windows 7 to Windows 10 (Windows 7 support ends in January 2020)
Invinsec recommends prioritising these actions as follows:
1. Externally facing Windows systems which use Remote Desktop
2. Critical infrastructure such as Domain Controllers and file servers
3. Non critical internal servers which use Remote Desktop
4. Desktop systems