Patch now! Why the BlueKeep vulnerability is a big deal

guest · Aug 10, 2019

Lax admin, they deserve to be ransomwared then fired.

guest · Aug 12, 2019

ASD releases warning of BlueKeep vulnerability
August 12, 2019
https://www.zdnet.com/article/asd-releases-warning-of-bluekeep-vulnerability/

The Australian Signals Directorate's (ASD) Australian Cyber Security Centre (ACSC) released a warning late Monday urging Australian businesses using older Windows systems to install a patch to avoid potential exploitation of BlueKeep vulnerability, known as CVE-2019-0708.

"A security researcher under the Twitter handle @zerosum0x0 has recently disclosed his Remote Desktop Protocol (RDP) exploit for the BlueKeep vulnerability to Metasploit," ACSC said in the alert.
Head of ACSC Rachel Noble believes that up to 50,000 devices could be affected in Australia, including some owned by the government and critical infrastructure operators.

"Patching may require you to restart your computers but this is a small price to pay when the risk of a compromise occurring could harm your business and its customers."
Click to expand...

UPDATE: ACSC confirms potential exploitation of BlueKeep vulnerability

Minimalist · Aug 13, 2019

Microsoft Warns Of New Wormable Windows Remote Desktop Flaws

Microsoft released patches for two new critical remote code execution (RCE) vulnerabilities found in the Remote Desktop Services (RDS) and affecting all in-support versions of Windows.

Users are urged to patch by the Microsoft Security Response Center (MSRC) to patch the newly found Windows security flaws as soon as possible due to the elevated risks associated with wormable vulnerabilities.
Click to expand...

https://www.bleepingcomputer.com/ne...of-new-wormable-windows-remote-desktop-flaws/

guest · Aug 29, 2019

Exploitation of Windows CVE-2019-0708 (BlueKeep): Three Ways to Write Data into the Kernel with RDP PDU
August 29, 2019
https://unit42.paloaltonetworks.com...s-to-write-data-into-the-kernel-with-rdp-pdu/

In May 2019, Microsoft released an out-of-band patch update for remote code execution vulnerability CVE-2019-0708, which is also known as as “BlueKeep” and resides in code to Remote Desktop Services (RDS). This vulnerability is pre-authentication and requires no user interaction, making it particularly dangerous as it has the unsettling potential to be weaponized into a destructive exploit.

With potential global catastrophic ramifications, Palo Alto Networks Unit 42 researchers felt it was important to analyze this vulnerability to understand the inner workings of RDS and how it could be exploited. Our research dives deep into the RDP internals and how they can be leveraged to gain code execution on an unpatched host. This blog discusses how Bitmap Cache protocol data unit (PDU), Refresh Rect PDU, and RDPDR Client Name Request PDU can be used to write data into kernel memory.
The findings of our research highlight the risks if vulnerable systems are left unpatched.
Click to expand...

guest · Sep 6, 2019

Exploit for wormable Bluekeep Windows bug released into the wild
The Metasploit module isn't as polished as the EternalBlue exploit. Still, it's powerful
September 6, 2019
https://arstechnica.com/information...-bluekeep-windows-bug-released-into-the-wild/

For months, security practitioners have worried about the public release of attack code exploiting Bluekeep, the critical vulnerability in older versions of Microsoft Windows that’s “wormable,” meaning it can spread from computer to computer with no user interaction. On Friday, that dreaded day arrived when the Metasploit framework—an open source tool used by white hat and black hat hackers alike—released just such an exploit into the wild.

The module, which was published as a work in progress on Github, doesn’t yet have the polish and reliability of the EternalBlue exploit that was developed by, and later stolen from, the NSA. For instance, if the people using the new module specify the wrong version of Windows they want to attack, they’ll likely wind up with a blue-screen crash.
A big deal
“The release of this exploit is a big deal because it will put a reliable exploit in the hands of both security professionals and malicious actors,” Ryan Hanson, a developer who helped work on the release, told Ars. “I'm hoping the exploit will be primarily used by offensive teams to demonstrate the importance of security patches, but we will likely see criminal groups modifying it to deliver ransomware as well.”
"As an open-source project, one of Metasploit’s guiding principles is that knowledge is most powerful when shared,” Metasploit’s Brent Cook wrote in a post published on Friday.
Click to expand...

Rapid7: Initial Metasploit Exploit Module for BlueKeep (CVE-2019-0708)

guest · Nov 3, 2019

The First BlueKeep Mass Hacking Is Finally Here—but Don't Panic
...the first successful attack using Microsoft's BlueKeep vulnerability has arrived
November 2, 2019
https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining/

Security researchers have spotted evidence that their so-called honeypots—bait machines designed to help detect and analyze malware outbreaks—are being compromised en masse using the BlueKeep vulnerability.

But so far, the widespread BlueKeep hacking merely installs a cryptocurrency miner, leeching a victim's processing power to generate cryptocurrency. And rather than a worm that jumps unassisted from one computer to the next, these attackers appear to have scanned the internet for vulnerable machines to exploit. That makes this current wave unlikely to result in an epidemic.

"BlueKeep has been out there for a while now. But this is the first instance where I’ve seen it being used on a mass scale," says Marcus Hutchins, a malware researcher for security firm Kryptos Logic who was one of the first to build a working proof-of-concept for the BlueKeep vulnerability. "They’re not seeking targets. They’re scanning the internet and spraying exploits."
In fact, Williams argues, the absence of a more severe wave of BlueKeep hacking so far may actually indicate a success story for Microsoft's response to its BlueKeep bug—an unexpected happy ending.
Click to expand...

guest · Nov 8, 2019

The Anatomy of RDP Exploits: Lessons Learned from BlueKeep and DejaBlue
November 7, 2019
https://blog.rapid7.com/2019/11/07/...s-lessons-learned-from-bluekeep-and-dejablue/

A critical vulnerability called “BlueKeep” put Remote Desktop Protocol (RDP) security on everyone’s radar earlier this year. Just a few months later, Microsoft announced a related vulnerability, DejaBlue. RDP exploits are no joke—Rapid7’s Project Sonar estimates that around 900,000 workstations and servers running RDP around the world are vulnerable.
Lessons learned from BlueKeep and DejaBlue
The first takeaway from these recent RDP vulnerabilities is to upgrade and update your systems. Vulnerabilities, including BlueKeep, often target older systems.

Another lesson to keep in mind is that the risk of a vulnerability can change over time. When BlueKeep was first announced, it was purely theoretical.
However, once it was discovered, it became a race for hackers to figure out how to use BlueKeep before potential victims patched their systems. In other words, the risk level rose as time went on.

The final lesson that Randy suggested we learn from BlueKeep is that multi-factor authentication (MFA) is not a silver bullet. In fact, no security technology is. In the case of BlueKeep, the malicious code is injected before MFA even takes place.
Click to expand...

guest · Nov 8, 2019

Microsoft: BlueKeep Exploit Will Likely Deliver More Damaging Payloads
November 8, 2019
https://www.securityweek.com/microsoft-bluekeep-exploit-will-likely-deliver-more-damaging-payloads

While there is no evidence that BlueKeep has been exploited to distribute ransomware or other types of malware, Microsoft believes it’s only a matter of time before it happens.

The assaults, first detailed several days ago, were attempting to deliver cryptocurrency mining malware by exploiting a vulnerability in the Windows Remote Desktop Services (RDS) tracked as CVE-2019-0708, but better known as BlueKeep.
According to Microsoft, the attacks likely started as port scans for machines with vulnerable internet-facing RDP services, but ended up leveraging the BlueKeep Metasploit module to run PowerShell scripts and deliver miners onto the compromised systems.

“The new exploit attacks show that BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check. Customers are encouraged to identify and update vulnerable systems immediately,” Microsoft notes.
Click to expand...

Microsoft: Microsoft works with researchers to detect and protect against new RDP exploits

guest · Nov 11, 2019

BlueKeep exploit to get a fix for its BSOD problem
Microsoft's Meltdown patch was causing BlueKeep attacks to crash on some systems
November 11, 2019
https://www.zdnet.com/article/bluekeep-exploit-to-get-a-fix-for-its-bsod-problem/

Currently, the only public proof-of-concept exploit code for the infamous BlueKeep vulnerability is a module for the Metasploit penetration testing framework.

While the exploit works, it has a downside, namely that on some systems it can crash the target with a Blue Screen of Death (BSOD) error, instead of granting the attackers a remote shell.
However, this week, the BlueKeep Metasploit module will get a fix for this bug. The fix removes the BSOD error and makes BlueKeep attacks more reliable.
BLUEKEEP WAS CRASHING BECAUSE OF THE MELTDOWN PATCH
In an interview with ZDNet over the weekend, Dillon said the root cause of the BSOD errors was Microsoft's patch for the Meltdown Intel CPU vulnerability.

"From looking at screenshots of the analysis Marcus 'MalwareTech' Hutchins did, we know code execution was achieved and that the honeypots were crashing because the exploit did not support kernels with Meltdown," Dillon told ZDNet.
Click to expand...

Log in or Sign up

Patch now! Why the BlueKeep vulnerability is a big deal

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Patch now! Why the BlueKeep vulnerability is a big deal

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches