Patch now! Why the BlueKeep vulnerability is a big deal

Minimalist · May 22, 2019

Remember the panic that hit organizations around the world on May 12th, 2017 when machine after machine displayed the WannaCryptor ransom screen? Well, we might have a similar incident on our hands in the coming days, weeks or months if companies don’t update or otherwise protect their older Windows systems right away. The reason is BlueKeep, a ‘wormable’ critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading malware. A patch by Microsoft for supported, as well as some unsupported, operating systems has been available since May 14th.
Click to expand...

https://www.welivesecurity.com/2019/05/22/patch-now-bluekeep-vulnerability/

ronjor · May 23, 2019

Why a Windows flaw patched nine days ago is still spooking the Internet

Dan Goodin - 5/23/2019
Until recently, researchers had to take Microsoft's word the vulnerability was severe. Then five researchers from security firm McAfee reported last Tuesday that they were able to exploit the vulnerability and gain remote code execution without any end-user interaction. The post affirmed that CVE-2019-0708, as the vulnerability is indexed, is every bit as critical as Microsoft said it was.
Click to expand...

guest · May 26, 2019

Intense scanning activity detected for BlueKeep RDP flaw
A threat actor hidden behind Tor nodes is scanning for Windows systems vulnerable to BlueKeep flaw
May 26, 2019
https://www.zdnet.com/article/intense-scanning-activity-detected-for-bluekeep-rdp-flaw/

Until now, no one researcher or security firm has published any such demo exploit code -- for obvious reasons, since it could help threat actors start massive attacks.
BLUEKEEP SCANS STARTED OVER THE WEEKEND
On Saturday, threat intelligence firm GreyNoise started detecting scans for Windows systems vulnerable to BlueKeep
"This activity has been observed from exclusively Tor exit nodes and is likely being executed by a single actor," he said in a tweet on Saturday.

For now, these are only scans, and not actual exploitation attempts.
However, it appears that at least one threat actor is investing quite the time and effort into compiling a list of vulnerable devices, most likely in preparation for the actual attacks.

The Tor-originating scans that GreyNoise is currently seeing -- and which Morris told ZDNetthat are still ongoing at the time of writing -- are a first sign that things are about to get worse. Really worse!
Click to expand...

Minimalist · May 28, 2019

Nearly 1 Million Computers Still Vulnerable to "Wormable" BlueKeep RDP Flaw

Nearly 1 million Windows systems are still unpatched and have been found vulnerable to a recently disclosed critical, wormable, remote code execution vulnerability in the Windows Remote Desktop Protocol (RDP)—two weeks after Microsoft releases the security patch.
Click to expand...

https://thehackernews.com/2019/05/bluekeep-rdp-vulnerability.html

guest · May 31, 2019

Microsoft issues second warning about patching BlueKeep as PoC code goes public
Time's running out on patching older systems against the BlueKeep vulnerability
May 31, 2019
https://www.zdnet.com/article/micro...ut-patching-bluekeep-as-poc-code-goes-public/

MICROSOFT ISSUES SECOND WARNING
Microsoft first warned about this vulnerability on May 14, when it released this month's Patch Tuesday updates train. At the time, it said the flaw was dangerous because it not only allowed remote execution, but the bug was also wormable (having the ability to self-replicate).

"Our recommendation remains the same. We strongly advise that all affected systems should be updated as soon as possible," Pope said.
The Microsoft exec also warns companies about the danger of thinking that workstations not connected to the Internet are safe.
"It is possible that we won't see this vulnerability incorporated into malware. But that's not the way to bet."
Click to expand...

Microsoft: A Reminder to Update Your Systems to Prevent a Worm

guest · Jun 4, 2019

Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708)
NSA issues ominous security advisory after Microsoft published two similar warnings last month
June 4, 2019
https://www.zdnet.com/article/even-the-nsa-is-urging-windows-users-to-patch-bluekeep-cve-2019-0708/

After Microsoft warned Windows users on two separate occasions to patch a severe security flaw known as BlueKeep, now, the US National Security Agency has echoed the OS maker's warning in the hopes of avoiding another WannaCry-like incident.
The NSA's alert, authored by the agency's Central Security Service division, is about the security flaw known as BlueKeep (CVE-2019-0708).
NSA ECHOES MICROSOFT'S FEARS
"It is likely only a matter of time before remote exploitation code is widely available for this vulnerability," the NSA said today, echoing the same message from Microsoft's second warning.
"[The] NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.
Click to expand...

NSA: NSA Cybersecurity Advisory: Patch Remote Desktop Services on Legacy Versions of Windows

guest · Jun 5, 2019

MetaSploit Module Created for BlueKeep Flaw, Private for Now
June 5, 2019
https://www.bleepingcomputer.com/ne...le-created-for-bluekeep-flaw-private-for-now/

A researcher has created a module for the Metasploit penetration testing framework that exploits the critical BlueKeep vulnerability on vulnerable Windows XP, 7, and Server 2008 machines to achieve remote code execution.
Full control over the system
Developed by reverse engineer Zǝɹosum0x0, the module has not been released publicly because of the danger it poses to a large number of systems that remain unpatched.
The researcher published a video that demonstrates a successful exploitation of a Windows 2008 machine. After using the Mimikatz tool to extract the login credentials for the target system, full control could be achieved.

Zǝɹosum0x0 told BleepingComputer that the same exploit works for both Windows 7 and Server 2008 R2 as the two operating systems "are essentially identical, besides some extra programs on the server."
Although Windows Server 2003 is also vulnerable to BlueKeep, the Metasploit team could not trigger the flaw and exploit it on that operating system.
Click to expand...

hawki · Jun 5, 2019

mood said: ↑

MetaSploit Module Created for BlueKeep Flaw, Private for Now
June 5, 2019
https://www.bleepingcomputer.com/ne...le-created-for-bluekeep-flaw-private-for-now/
Click to expand...

"Warnings of world-wide worm attacks are the real deal, new exploit shows

Latest Metasploit module is being kept private, but time is running out.

For the past three weeks, security professionals have warned with increasing urgency that a recently patched Windows vulnerability has the potential to trigger attacks not seen since the WannaCry worm that paralyzed much of the world in 2017. A demonstration video circulating on the Internet is the latest evidence to prove those warnings are the real deal...

The video shows a module Dillon wrote for the Metasploit exploit framework remotely connecting to a Windows Server 2008 R2 computer that has yet to install a patch Microsoft released in mid May. At about 14 seconds, a Metasploit payload called Meterpreter uses the getuid command to prove that the connection has highly privileged System privileges. In the remaining six seconds, the hacker uses the open source Mimikatz application to obtain the cryptographic hashes of passwords belonging to other computers on the same network the hacked machine is connected to.

It’s these last six seconds that underscore the danger posed by the vulnerability,..."

https://arstechnica.com/information...-shows-the-wormable-danger-is-very-very-real/

guest · Jun 13, 2019

Avast Business report may help explain why users are resisting Microsoft’s BlueKeep patch
June 12, 2019
https://blog.avast.com/avast-report-bluekeep-patch

One of the largest tech companies in the world, the U.S. government, and cybersecurity professionals are all fervently urging computer users to apply an easy patch that could prevent a vulnerability known as BlueKeep from becoming a major cybersecurity incident.
Why won’t users do it? New insights from Avast Business suggest an answer.

Cybersecurity pros may balk at the idea of promoting a badly needed update, but understanding people’s motivations might make a huge difference. Explaining the issue patiently, noting the user’s ability to make a difference, and creating greater awareness and shared responsibility could go a long way.

Read more from the Avast Business report on user behavior that can make stopping major cybersecurity incidents harder in “Update Inertia: The Psychology Behind Patching and Updating Software.”
Click to expand...

Avast Business Report: (PDF - 575 KB): https://press.avast.com/hubfs/media-materials/kits/Avast%20Business%20Patch%20Management/Patch%20Inertia%20Report-SMBs.pdf?hsLang=en

guest · Jun 13, 2019

Organizations urged to patch for BlueKeep as latest malware charts are revealed
June 13, 2019
https://betanews.com/2019/06/13/patch-bluekeep-malware-charts/

Check Point Research, has released its Global Threat Index for May 2019 and is warning organizations to check and patch for the BlueKeep Microsoft RDP flaw in Windows 7 and Windows Server 2008 machines, to prevent the risk of it being exploited for ransomware and cryptomining attacks.

"The biggest threat we've seen over the past month is BlueKeep. Even though no attacks have yet been seen exploiting it, several public proof-of-concept exploits have been developed," says Maya Horowitz, threat intelligence and research director at Check Point.
"We agree with Microsoft and other cybersecurity industry observers that BlueKeep could be used to launch cyberattacks on the scale of 2017's massive WannaCry and NotPetya campaigns. One single computer with this flaw can be used to deliver a malicious payload that infects an entire network [...]"
Click to expand...

Check Point: May 2019’s Most Wanted Malware: Patch Now to Avoid the BlueKeep Blues

Minimalist · Jun 17, 2019

There's a lot more to patching security vulnerabilities than you might think

Just because a technology company published a security update doesn’t mean the flaw it’s trying to fix is completely resolved.

A security patch release is often the beginning of what could be a months-long process for companies of all sizes that need to weigh better security with possible unintended consequences, like knocking different areas of their business offline or interrupting client connections.
Click to expand...

https://www.cyberscoop.com/patching-vulnerability-plan-microsoft-equifax-linkedin/

guest · Jul 2, 2019

BlueKeep PoC demonstrates risk of Remote Desktop exploit
July 1, 2019
https://news.sophos.com/en-us/2019/07/01/bluekeep-poc-demonstrates-risk-of-remote-desktop-exploit/

In light of several reports showing that the number of unpatched RDP servers on the internet is still very high, despite warnings by experts and government agencies, we recorded a video that shows a proof-of-concept BlueKeep attack using an exploit developed by SophosLabs’ Offensive Research team.

The exploit works in a completely fileless fashion, providing full control of a remote system without having to deploy any malware. It also doesn’t require an active session on the target.
The development of this exploit came about as the result of an arduous process of reverse-engineering the patch released by Microsoft in May to examine what it was trying to fix.

Sophos will not be releasing the PoC to the public out of an abundance of caution.
Click to expand...

Not just dangerous, but wormable-dangerous
All the proof-of-concept does, in the video, is allow someone in an interactive session over RDP to launch a command shell with SYSTEM privileges. That’s pretty bad, but the tool leveraged by this team to launch the exploit, the rdpy framework, allows anyone to instrument any RDP interaction, such as clicking buttons or sending synthetic keypresses.

With very little effort, a malicious threat actor could fully automate the whole attack chain, including synthetically “typing” commands into the shell, or simply passing commands to the shell.
Click to expand...

Krusty · Jul 7, 2019

While Australians were sleeping, someone on the other side of the world opened an email attachment. That was all it took.

Within hours, the virus unleashed by that unwitting person had leapt from one computer network to another, crossing continents to infect more than 230,000 computers in at least 100 countries.

The virus was indiscriminate, hitting everything from French car manufacturers and German railways to Russian banks, from ATMs in India and hospitals in the UK to a mall in Singapore, causing billions of dollars of damage globally.

That was 2017. If we are not careful, it could also be 2019 — only this time instead of 230,000 infections, it might be as many as a million.

A software vulnerability discovered in Microsoft Windows could be used to execute a global ransomware attack similar to the devastating WannaCry attack of two years ago.

Microsoft has already issued a patch for the bug, but many systems are still believed to be at risk.
Click to expand...

https://www.abc.net.au/news/2019-07...ity-bluekeep-and-cyber-security-risk/11277270

BlueKeep is a ticking time-bomb, but the good news is there's still time to defuse it. If you are running an older Windows system — Windows 2000, Vista, XP, Windows 2003, Windows 2008, or Windows 7 — you can go here to install the patches and keep your system safe.

It's not just about home computers, either. If you run a business, or if you think your work might be using an older Windows system, make sure that gets patched too.

WannaCry was a disruptive, painful and very expensive reminder of why cybersecurity matters, and how just a few missed computer updates can end in catastrophe.

With BlueKeep looming on the horizon, it's time to prove we learned our lesson — and avoid letting history repeat itself.
Click to expand...

Minimalist · Jul 9, 2019

From exploits to honeypots: How the security community is preparing for BlueKeep’s moment of truth

Security experts are hoping to avoid a repeat of WannaCry’s wreckage, but they worry that Microsoft’s warning in May about BlueKeep, along with advisories from U.S. security officials, might not have mobilized enough attention to the issue. Rather than wait around for an exploit to emerge, they are developing their own “proofs of concept” (PoC) to raise awareness and help organizations defend themselves.
Click to expand...

https://www.cyberscoop.com/bluekeep-removal-remote-desktop-wannacry-notpetya/

Minimalist · Jul 17, 2019

More than 805,000 systems are still exposed to BlueKeep, study finds

Since May, security researchers have been sounding the alarm about the “BlueKeep” vulnerability in old Microsoft Windows operating systems. There has been a large movement to get users to patch for the flaw, which could be exploited at scale. Data released Wednesday by cybersecurity company BitSight Technologies shows a mixed report card on how well organizations have closed that security hole.
Click to expand...

https://www.cyberscoop.com/bluekeep-patching-study-bitsight/

Minimalist · Jul 17, 2019

Why Microsoft’s BlueKeep Bug Hasn’t Wreaked Havoc—Yet

But fully two months later, the dreaded BlueKeep doomsday has yet to materialize. In fact, its apparent absence has made clear that in an age of hardened operating systems with built-in protections against easy exploitation, the mere existence of a known flaw in software no longer means an immediate open season for hackers. State-sponsored groups may already be using it for quiet intrusions, but low-skilled criminals have yet to use it for wide-scale calamity. But that doesn't mean that a larger wave of BlueKeep exploitation isn't in store if—or when—the secret details of exploiting the Windows vulnerability leak out to a wider audience.
Click to expand...

https://www.wired.com/story/bluekeep-worm-windows/

Minimalist · Jul 23, 2019

Chances of destructive BlueKeep exploit rise with new explainer posted online

A security researcher has published a detailed guide that shows how to execute malicious code on Windows computers still vulnerable to the critical BlueKeep vulnerability. The move significantly lowers the bar for writing exploits that wreak the kinds of destructive attacks not seen since the WannaCry and NotPetya attacks of 2017, researchers said.
Click to expand...

https://arstechnica.com/information...ting-wormable-bluekeep-flaw-posted-on-github/

Minimalist · Jul 25, 2019

BlueKeep Scanner Discovered in Watchbog Cryptomining Malware

A new Watchbog malware variant can scan for Windows computers vulnerable to BlueKeep exploits, with previous variants only being utilized to infect Linux servers compromised using Jira, Exim, Nexus Repository Manager 3, ThinkPHP, and Solr Linux exploits.

"Among the new Linux exploits, this version of WatchBog implements a BlueKeep RDP protocol vulnerability scanner module, which suggests that WatchBog is preparing a list of vulnerable systems to target in the future or to sell to third party vendors for profit," Intezer Labs says.
Click to expand...

https://www.bleepingcomputer.com/ne...-discovered-in-watchbog-cryptomining-malware/

JRViejo · Jul 25, 2019

An exploit for a vulnerability that Microsoft feared it may trigger the next WannaCry is now being sold commercially.
Click to expand...

US company selling weaponized BlueKeep exploit by Catalin Cimpanu.

guest · Jul 26, 2019

And people believe they are safe by using outdated OS...noobs...

guest · Jul 29, 2019

Fearing WannaCry-Level Danger, Enterprises Wrestle with BlueKeep
Fears of a WannaCry-level global attack grow as working exploit info starts to go public
July 29, 2019
https://threatpost.com/fearing-wannacry-level-danger-enterprises-wrestle-with-bluekeep/146727/

The nightmare vision of a “mega-worm” global BlueKeep infection could be closer to becoming reality as working exploits are now becoming available to the public, and there’s evidence that adversaries are actively scanning for the vulnerability.

Researchers weighed in with Threatpost about how enterprises can thwart the critical Windows remote code-execution (RCE) vulnerability, even if immediate patching is too large an ask.
Exploits Make an Appearance
The main thing that sets BlueKeep apart is the fact that it’s wormable – and so it can self-propagate from machine to machine, setting up the scene for a WannaCry-level, fast-moving infection wave.
Security researchers have said that creating an exploit has been difficult, [...] That changed last week when an exploit went up for sale
The firm Intezer at the same time has found that the bad guys are starting to actively scan for the vulnerability.

Overall, the tipping point on BlueKeep campaigns starting to appear in the wild appears to be approaching sooner rather than later, according to BitSight director of security research Dan Dahlberg.
Click to expand...

guest · Jul 29, 2019

Wait for the show, let see the damages, I will get a good laugh at those who got compromised.

imdb · Jul 29, 2019

guest said: ↑

Wait for the show, let see the damages, I will get a good laugh at those who got compromised.
Click to expand...

bad news, bruh. this time it's not jennifer lawrence that got busted.

ronjor · Aug 8, 2019

Protect against BlueKeep
Detection and Response Team (DART) August 8, 2019
This summer, the DART team has been preparing for CVE-2019-0708, colloquially known as BlueKeep, and has some advice on how you can protect your network. The BlueKeep vulnerability is “wormable,” meaning it creates the risk of a large-scale outbreak due to its ability to replicate and propagate, similar to Conficker and WannaCry. Conficker has been widely estimated to have impacted 10- to 12-million computer systems worldwide. WannaCry was responsible for approximately $300 million in damages at just one global enterprise.
Click to expand...

https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/

guest · Aug 10, 2019

BlueKeep Patching Still Spotty Months After Alerts: Report
Financial Services Companies Fared Better Than Most, SecurityScorecard Finds
August 9, 2019
https://www.bankinfosecurity.com/bluekeep-patching-still-spotty-months-after-alerts-report-a-12899

More than two months after Microsoft issued the first warnings about the BlueKeep vulnerability, many enterprises have a spotty record when it comes to patching for this particularly worrisome flaw, new research from SecurityScorecard finds.
In the report, released Friday during the Black Hat security conference in Las Vegas, SecurityScorecard researchers say that the financial services industry has fared better than other sectors when it comes to patching for BlueKeep, but many devices remain vulnerable.

Of the 800,000 vulnerable Windows devices that researchers found around the world, SecurityScorecard calculated that organizations were only patching about 1 percent - about 8,000 - of these systems each day.
In July, Bitsight drew similar conclusions, noting in another report that security teams have been slow to patch this vulnerability despite warnings from Microsoft and government agencies (see: Despite BlueKeep Warnings, Many Organizations Fail to Patch).
Click to expand...

Log in or Sign up

Patch now! Why the BlueKeep vulnerability is a big deal

Minimalist Registered Member

ronjor Global Moderator

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

Krusty Registered Member

Minimalist Registered Member

Minimalist Registered Member

Minimalist Registered Member

Minimalist Registered Member

Minimalist Registered Member

JRViejo Super Moderator

guest Guest

guest Guest

guest Guest

imdb Registered Member

ronjor Global Moderator

guest Guest

Log in or Sign up

Patch now! Why the BlueKeep vulnerability is a big deal

Minimalist Registered Member

ronjor Global Moderator

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

Krusty Registered Member

Minimalist Registered Member

Minimalist Registered Member

Minimalist Registered Member

Minimalist Registered Member

Minimalist Registered Member

JRViejo Super Moderator

guest Guest

guest Guest

guest Guest

imdb Registered Member

ronjor Global Moderator

guest Guest

Useful Searches