ESET experts have released a free utility that checks Windows systems for the critical BlueKeep vulnerability (CVE-2019-0708).
The tool is designed for 32- and 64-bit versions of Windows XP, Windows Vista, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2, before and after application of the patches from Microsoft.
"While the BlueKeep vulnerability has not, to date, caused widespread havoc, the fact remains that many systems are still not patched, and a thoroughly wormable version of the exploit might still be found. Because of these factors, ESET has created a free utility to check if a system is vulnerable," writes Aryeh Goretsky, ESET distinguished researcher.
Recall that the critical vulnerability CVE-2019-0708 (aka BlueKeep) lies in Remote Desktop Services (RDS), reachable over RDP, and was fixed by Microsoft in May of this year. The bug lets an unauthenticated attacker execute arbitrary code on the target, and it is wormable: malware can use it to spread from machine to machine without any user interaction. The issue affects Windows Server 2008, Windows 7, Windows Server 2003 and Windows XP; because of its severity, Microsoft released security updates even for the out-of-support XP and Server 2003.
Unfortunately, according to BinaryEdge, more than 700,000 vulnerable Windows systems are still reachable on the Internet (not counting those inside private networks, behind firewalls), so many users still have not installed the patches. Worse, in November it became known that cybercriminals had begun exploiting BlueKeep.
So far the bug has been used only to deliver a cryptocurrency miner, which means the criminals are not yet using the vulnerability's full potential: it allows self-propagating malware, which in theory can lead to an epidemic like WannaCry or NotPetya. Microsoft experts have warned that they expect more destructive attacks using BlueKeep in the future, and that it is too early to relax.
ESET researchers write that over the past two years they have observed a growing number of incidents in which attackers connected remotely to Windows servers over the Internet via RDP. Most often the criminals used the access they obtained to install miners on users' computers and to distribute ransomware.
For example, security researchers found a BlueKeep vulnerability scanner in the Watchbog cryptominer, and we have previously discussed how users can keep this unwelcome and harmful guest out.
Using the ESET utility is simple: once started, it tells the user whether the system is vulnerable to BlueKeep and whether the patch is installed. If the system is vulnerable, the tool directs the user to the appropriate page on the Microsoft website to download the patch.
Additional recommendations from ESET for securing RDP
- Disallow external connections to local machines on port 3389 (TCP/UDP) at the perimeter firewall.
- Test and deploy patches for the CVE-2019-0708 (BlueKeep) vulnerability and enable Network Level Authentication as quickly as possible.
- For all accounts that can be logged into via RDP require complex passwords (a long passphrase containing 15+ characters with no phrases related to the business, product names, or users is mandatory).
- Install two-factor authentication (2FA) and at a minimum require it on all accounts that can be logged into via RDP.
- Install a virtual private network (VPN) gateway to broker all RDP connections from outside your local network.
- Password-protect endpoint security software using a strong password unrelated to administrative and service accounts.
- Enable exploitation blocking in endpoint security software.
- Isolate any insecure computer that needs to be accessed from the internet using RDP.
- Replace insecure computers.
- Consider instituting geoIP blocking at the VPN gateway.
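The checks the ESET utility performs (is the fix installed, is the host still vulnerable) and the first two recommendations above (keep TCP/3389 off the Internet, patch and enable Network Level Authentication) can be audited from the host itself. The following PowerShell script is an added example written for this page; it is not ESET's tool and not code from ESET or Microsoft. It looks up the May 2019 update for the running OS via Get-HotFix, reads the RDP and NLA settings from the registry, confirms whether anything listens on 3389, and with -Fix enables NLA and scopes the host firewall's inbound RDP rule to a VPN subnet. The VPN subnet 10.8.0.0/24 and the firewall rule name "Remote Desktop (TCP-In)" are assumptions to adjust for your environment.

```powershell
<#
  Added example, not ESET's utility: audit one Windows host for the BlueKeep fix and
  the RDP hardening items above, and optionally remediate. Run from an elevated
  PowerShell (2.0 or later; on XP/2003 PowerShell 2.0 must be installed first).
  KB numbers are the updates Microsoft published in May 2019 for CVE-2019-0708;
  a later monthly rollup supersedes them, so "not seen" means "original fix not
  found", not proof of vulnerability. Confirm with ESET's checker or the advisory.
#>
param(
    [switch]$Fix,                              # apply NLA and firewall scope changes
    [string]$AllowedRdpSource = '10.8.0.0/24'  # ASSUMED VPN subnet; adjust for your network
)

# Affected OS families keyed by "major.minor" kernel version -> KBs that fix the bug
# (where two are listed, the security-only and monthly-rollup packages both contain it).
$bluekeepKbs = @{
    '5.1' = @('KB4500331')                # Windows XP SP3
    '5.2' = @('KB4500331')                # Windows Server 2003 SP2 / R2
    '6.0' = @('KB4499180', 'KB4499149')   # Vista SP2 / Server 2008 SP2
    '6.1' = @('KB4499175', 'KB4499164')   # Windows 7 SP1 / Server 2008 R2 SP1
}

$os       = Get-WmiObject Win32_OperatingSystem
$ver      = [version]$os.Version
$key      = "$($ver.Major).$($ver.Minor)"
$affected = $bluekeepKbs.ContainsKey($key)    # Windows 8 and later are not affected

# 1. Is one of the fixing updates present?
$patched = $false
if ($affected) {
    foreach ($kb in $bluekeepKbs[$key]) {
        if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { $patched = $true }
    }
}

# 2. RDP listener state and Network Level Authentication (NLA). NLA forces
#    authentication before the vulnerable pre-auth code path is reached, so it blocks
#    unauthenticated exploitation; it does not protect against an attacker who already
#    holds valid credentials. XP/2003 have no NLA, so the value is absent there.
$tsRoot     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp     = Join-Path $tsRoot 'WinStations\RDP-Tcp'
$rdpEnabled = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nla        = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

# 3. Is anything actually listening on TCP/3389?
$listening = [bool](netstat -ano | Select-String ':3389\s+\S+\s+LISTENING')

New-Object PSObject -Property @{
    OS              = $os.Caption
    Version         = $os.Version
    AffectedVersion = $affected
    BlueKeepFixSeen = $patched
    RdpEnabled      = $rdpEnabled
    NlaRequired     = ($nla -eq 1)
    Listening3389   = $listening
} | Format-List

if ($Fix) {
    if ($ver -ge [version]'6.0' -and $nla -ne 1) {
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
        Write-Host 'Enabled Network Level Authentication for RDP-Tcp (applies to new connections).'
    }
    # Defense in depth behind the perimeter rule: scope the host firewall's inbound RDP
    # rule to the VPN subnet. "Remote Desktop (TCP-In)" is the default rule name on
    # Windows 7 / Server 2008 R2 (assumed); list rules with
    #   netsh advfirewall firewall show rule name=all
    # if it differs on your build. advfirewall exists on Vista and later only.
    if ($ver -ge [version]'6.0') {
        netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=$AllowedRdpSource | Out-Null
        Write-Host "Scoped inbound TCP/3389 to $AllowedRdpSource."
    }
    if ($affected -and -not $patched) {
        Write-Warning 'BlueKeep fix not seen: install the May 2019 update for this OS before exposing RDP again.'
    }
}
```

Run it without -Fix first to get the report, then with -Fix from an elevated prompt. Get-HotFix only reports packages that were installed by name, so a host that received the fix through a later cumulative rollup shows BlueKeepFixSeen as False; treat that as "verify further", not as "vulnerable". Scoping the host rule is a complement to, not a replacement for, blocking 3389 at the perimeter firewall as recommended above.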