Threat actors have started scanning the internet for Windows systems that are vulnerable to BlueKeep (CVE-2019-0708).
This vulnerability impacts the Remote Desktop Protocol (RDP) service included in older versions of the Windows OS, such as XP, 7, Server 2003, and Server 2008.
Microsoft released fixes for this vulnerability on May 14, as part of the May 2019 Patch Tuesday updates. The company urged users and companies to patch vulnerable systems as soon as possible, classified the issue as very dangerous, and warned that CVE-2019-0708 could be weaponized to create wormable (self-replicating) exploits.
Many have likened BlueKeep to the EternalBlue exploit that was used in 2017 during the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks.
No proof-of-concept demo code (yet)
For this reason, and because of Microsoft’s doom-and-gloom warning, the infosec community has spent the past two weeks keeping an eye out for signs of attacks or for the publication of any proof-of-concept demo code that could simplify the creation of RDP exploits and, by extension, trigger subsequent attacks.
Until now, no researcher or security firm has published any such demo exploit code, for obvious reasons: it could help threat actors start massive attacks.
Nonetheless, several entities have confirmed that they’ve successfully developed exploits for BlueKeep, which they intend to keep private. The list includes Zerodium, McAfee, Kaspersky, Check Point, MalwareTech, and Valthek.
The NCC Group developed detection rules for network security equipment so that companies could detect any exploitation attempts, and 0patch developed a micropatch that can temporarily protect systems until they receive the official update.
Further, RiskSense security researcher Sean Dillon created a tool that companies can use to test whether their PC fleets have been correctly patched against the BlueKeep flaw.