What is BlueKeep?

BlueKeep is the infamous flaw that affects Windows operating systems, specifically the Remote Desktop Protocol (RDP) service. Any affected computer exposed to it could suffer a major attack and breach. First reported in May 2019, it exists in all unpatched Windows NT-based versions of Microsoft Windows. Microsoft released a security patch on 14 May 2019.

BlueKeep affects Windows 7, Windows Server 2008 R2 and Windows Server 2008, but not Windows 8 or Windows 10. Although several researchers built working BlueKeep exploits, they withheld the code because it was considered too dangerous and could fall into the hands of cybercriminals and other malicious actors. In July 2019, an American company began selling a BlueKeep exploit to its clients solely for penetration testing, and in September the first public proof-of-concept exploit became available to anyone. From October onwards, malware operators have been using this module in well-orchestrated malicious campaigns.

What is the BlueKeep Vulnerability?

This is a wormable vulnerability: it can spread across networks from one computer to the next, growing the way WannaCry did when it infected computers in hundreds of countries in record time. Security researchers working with Microsoft first observed honeypot crashes triggered by a BlueKeep exploit module, a sign that attacks were imminent. Things stayed fairly quiet until October 9, when similar crashes appeared again. According to a report from Microsoft's security research team, an earlier coin-mining campaign in September used a main implant that communicated with the same command-and-control infrastructure as the October BlueKeep Metasploit campaign.

Why is BlueKeep important?

Microsoft has warned that the BlueKeep vulnerability could trigger a "wormable" outbreak that spreads from vulnerable computer to vulnerable computer much as the WannaCry malware spread across the world in 2017. In other words, once an exploit is released, it can propagate without any human interaction. Microsoft said it was therefore taking the rare step of providing a security update for all customers to protect Windows platforms.

The alarm grew much louder when the United States' 30,000-employee National Security Agency took the unusual step of reinforcing Microsoft's warnings, noting that the vulnerability could spread across the internet without user interaction. In its advisory on BlueKeep, the NSA explained that it had seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and that it was seeking to motivate increased protections against this flaw.

What is RDP and how is it used?

Nearly every user interested in establishing a secure link between computers over the Internet is familiar with RDP. Many guides on safe internet use advise companies to use RDP to communicate with remote sites and servers while keeping their browsing anonymous. At first glance such advice seems too complex for the average web user and understandable only by network specialists; nevertheless, even a novice can configure a VPN and an RDP connection to create anonymous access to web resources.


First, we need to understand when a normal user, unfamiliar with network administration, needs to open a secure connection to remote devices. Historically, VPNs were used by large companies for their remote staff, so they could reach business servers and work with company documents from remote computers. Later this capability became valuable to ordinary PC users looking for ways to establish anonymous, secure access to web resources.

How it works

When you start a remote desktop session, the client computer sends a request over the Internet to the standard "listening" port 3389 on the host computer, asking for permission to connect and log on. The host responds by asking for your login credentials, which it checks against its list of Remote Desktop Users through an internal authentication process. Once you are logged in, screen output and keyboard input are exchanged between the host and the client, letting you see and operate the host computer as if you were sitting in front of it. Bear in mind that Remote Desktop allows only one connection: if someone else logs on to the host computer, your remote connection is disconnected.

When it was first discovered and when its patch was released

Microsoft patched a serious code execution flaw in May 2019. Tracked as CVE-2019-0708, this remote code execution vulnerability can be exploited when an unauthenticated attacker connects to a target system over RDP and sends specially crafted requests. The weakness exists pre-authentication and requires no user interaction; an attacker who successfully exploits it can then execute arbitrary code on the target system.

Microsoft judged the flaw serious enough to release patches even for unsupported operating systems. BlueKeep is expected to be wormable, meaning malware exploiting it could spread from one vulnerable computer to another without user involvement, much as WannaCry did in 2017. It is now being reported that BlueKeep attacks have begun.

Why BlueKeep is considered a critical flaw

A remote code execution vulnerability exists in Remote Desktop Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. The vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited it could execute arbitrary code on the target system and then install programs; view, change or delete data. To exploit the flaw, an attacker needs only to send a specially crafted request to the target system's Remote Desktop Service over RDP. BlueKeep affects RDP services on millions of machines worldwide, allowing remote code execution.

How it actually exploits the Windows systems

The RDP protocol uses "virtual channels", set up before authentication, as a data path between client and server for protocol extensions. RDP 5.1 defines 32 "static" virtual channels, and "dynamic" virtual channels are carried inside one of these static channels. If a server binds the virtual channel "MS_T120" (a channel a client has no legitimate reason to connect to) to a static channel other than 31, stack corruption occurs that allows arbitrary code execution at the system level.

First BlueKeep attacks trigger fresh warnings

In the six months since its discovery, the BlueKeep flaw has had the cybersecurity community worried about impending WannaCryptor-style attacks. Earlier in November, Microsoft and security researchers reported the first malicious campaign aimed at exploiting the critical remote code execution (RCE) flaw. The attacks targeted unpatched, vulnerable Windows systems to install cryptocurrency mining software, but were a far cry from the damage caused by WannaCryptor, aka WannaCry, in May 2017.

Tracked as CVE-2019-0708, BlueKeep was found in the Windows component known as Remote Desktop Services and affects machines running unpatched versions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. Regrettably, a great many systems remain unpatched even though Microsoft released the fix on May 14th.

The first samples from the coin-mining campaign date back to October 23rd. On further review, Microsoft researchers found that an earlier campaign in September used a main implant that communicated with the same command-and-control (C&C) servers as the October attack. Machines in a number of countries were affected, including France, Russia, Italy, Spain, Ukraine, Germany and the UK. The attackers used the BlueKeep exploit module published by the Metasploit team in September.


While the attack may seem mundane given the media coverage BlueKeep has received, the worst may still be to come. The flaw is 'wormable', meaning future exploits might use it to spread malware within or beyond networks in the same way WannaCryptor did.

The seriousness of the situation should not be underestimated: Microsoft has issued three alerts since May urging users to patch and update vulnerable machines. Earlier this year the United States' National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued rare warnings of their own, and more recently the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) echoed those warnings and urged vigilance.

Preventive measures for BlueKeep

Microsoft urges customers on older systems to apply the patches and take the preventive measures recommended by security experts. The NSA also published a cybersecurity advisory on June 4th urging users to apply Microsoft's patches to vulnerable PCs. The NSA recommends the following additional measures:

  • Block TCP port 3389 at your firewalls, particularly any perimeter firewalls exposed to the Internet. RDP uses this port, so blocking it stops attempts to establish a connection.
  • Patch all vulnerable systems immediately; patches are available for both supported and unsupported systems (Windows XP, Server 2003).
  • Disable Remote Desktop Services where they are not required.
  • Block TCP/3389 (and UDP/3389) at border firewalls to stop externally launched exploits.
  • Enable Network Level Authentication (NLA) to require authenticated connections to the RDP service. The system remains vulnerable, but an attacker must first obtain valid login credentials.
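The measures above (and the port 3389 listener described under "How it works") can be audited from the host itself. The script below is an added example, not part of the original article or the NSA advisory; it assumes an elevated PowerShell prompt on Windows 7 / Server 2008 (R2), uses the Terminal Server registry keys where the RDP and NLA settings live, and lists the May 2019 update IDs for those platforms (KB4499175, KB4499180) as an assumption to be confirmed against Microsoft's CVE-2019-0708 advisory for your build.

```powershell
# Added example: audit (and optionally apply) the BlueKeep mitigations listed above.
# Assumptions: elevated PowerShell on Windows 7 / Server 2008 (R2); the KB list is for
# those platforms only - confirm it against Microsoft's CVE-2019-0708 advisory.
param([switch]$Remediate)

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey   = "$tsKey\WinStations\RDP-Tcp"
$kbs      = @('KB4499175', 'KB4499180')   # assumed: Win7/2008 R2 and Server 2008 fixes
$ruleName = 'BlueKeep-Block-RDP-3389'     # constructed firewall rule name

# 1. Is a CVE-2019-0708 patch installed?
$installed = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
if ($installed) { "Patched: $($installed.HotFixID -join ', ')" }
else            { "NOT patched: none of $($kbs -join ', ') found - apply the May 2019 update" }

# 2. Is Remote Desktop enabled at all? (fDenyTSConnections = 1 means RDP is disabled)
$rdpOff = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 1
"Remote Desktop Services: " + $(if ($rdpOff) { 'disabled' } else { 'ENABLED' })

# 3. Is Network Level Authentication required? (UserAuthentication = 1 means NLA on)
$nla = (Get-ItemProperty $rdpKey).UserAuthentication -eq 1
"Network Level Authentication: " + $(if ($nla) { 'required' } else { 'NOT required' })

# 4. Is anything listening on TCP 3389, and is there an inbound block rule for it?
$listening = netstat -an | Select-String ':3389\s+\S+\s+LISTENING'
"TCP 3389 listener: " + $(if ($listening) { 'present' } else { 'none' })
$rule = netsh advfirewall firewall show rule name=$ruleName | Select-String 'Action:\s+Block'
"Firewall block rule for 3389: " + $(if ($rule) { 'present' } else { 'MISSING' })

if ($Remediate) {
    # Require NLA so unauthenticated clients never reach the pre-auth code path. The host
    # is still exploitable by anyone holding valid credentials, so patching remains necessary.
    Set-ItemProperty $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    if (-not $rule) {
        netsh advfirewall firewall add rule name=$ruleName dir=in action=block protocol=TCP localport=3389
        netsh advfirewall firewall add rule name="$ruleName-UDP" dir=in action=block protocol=UDP localport=3389
    }
    'Remediation applied: NLA enforced and inbound 3389 blocked; the May 2019 patch is still required.'
}
```

Run it without arguments to get a status report only; `-Remediate` enforces NLA and adds the inbound block rules, which will also cut off legitimate remote administrators until an exception is added for their addresses.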
