
ADVISORY: OBSERVED MALICIOUS ACTIVITY USING CVE-2019-0708 (BLUEKEEP)

November 5 2019

F-Secure is aware of reports, both public and private, relating to a new malware strain which is a weaponized implementation of the CVE-2019-0708 vulnerability – commonly known as BlueKeep. The existence of malware exploiting the BlueKeep vulnerability raises the risk of exploitation across all organizations, irrespective of their normal threat profile.

The malware, implemented as a 'worm', would result in unauthorised access to and exploitation of systems. Exploitation of the vulnerability has thus far proven unstable, and a failed attempt can itself cause a denial of service through a fatal system error resulting in a "blue screen of death" (BSOD). Based on reported activity, some compromised systems show artefacts similar to those found when the Metasploit exploit framework module is used.[1] Crypto-miners and ransomware have also been reported as secondary infections.[2]

If unmanaged, the abuse of the exploit could have consequences not dissimilar to the WannaCry malware attack in 2017, which cost the NHS alone £92m. The comparison is not without merit; the last time Microsoft issued a security update for out-of-support operating systems was during the period WannaCry infections were at their peak.

BlueKeep exploits utilize Remote Desktop Services (RDS), and can affect Microsoft Windows Vista, Windows 7, Windows XP, Server 2003, and Server 2008 operating systems. Microsoft released a patch in May, but it is not known how many users are still vulnerable (unpatched) or may have been compromised. This is of particular concern for systems where Windows Embedded is deployed, as many of these more esoteric systems are less frequently updated and therefore more at risk.  

This advisory is designed to help readers make an informed decision about the next steps to take.

Technical details

At the time of writing, exploits have only been released publicly for the 64-bit versions of Windows 7 and Windows Server 2008 R2. However, reliable exploits for other vulnerable versions of Windows, such as Windows XP, Server 2003, Vista, and Server 2008 could be in use by malicious threat actors.

The exploit executes without authentication and can be made 'wormable' because Remote Desktop Services allows data channels to be established before authentication. In practice, this enables the malware to infect other vulnerable systems automatically.

One workaround is to implement Network Level Authentication (NLA). This limits the exploit's reach to systems for which an attacker already holds valid credentials.[3] Where an attacker does have valid credentials, patching the vulnerable systems and/or blocking access to the RDP port (TCP 3389) are the only remaining mitigations available to protect against the attacks.

Recommended next steps

1) How to assess whether your systems are vulnerable:

  • Confirm if the Microsoft hotfix for CVE-2019-0708 has been installed on systems. The relevant Knowledge Base article numbers can be found on Microsoft's security vulnerability pages for affected systems.[4][5]
  • Up-to-date reports of both external and internal vulnerability scans would give the broadest overview of vulnerable systems, and can highlight systems to which priority should be given.
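A single-host assessment script, added here as an example rather than taken from the advisory or from F-Secure's tooling, that combines the checks above with the NLA and TCP 3389 workarounds from the Technical details section. It assumes it is run elevated on the host under review, and `$RequiredHotfixes` is a placeholder to be filled with the KB numbers from references [4] and [5] for that host's OS version.

```powershell
# Added example (not from the F-Secure advisory): assess one host for CVE-2019-0708 exposure.
# Assumption: run elevated on the host under review. $RequiredHotfixes is a PLACEHOLDER;
# replace it with the KB numbers Microsoft lists for this OS version (refs [4][5]).
$RequiredHotfixes = @('KB0000000')

# Get-WmiObject rather than Get-CimInstance so the script also runs on PowerShell 2.0 (Windows 7).
$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Output ("OS: {0} (build {1})" -f $os.Caption, $os.Version)

# 1) Is this one of the OS families the advisory lists? Kernel versions 5.1 (XP), 5.2 (2003),
#    6.0 (Vista / 2008) and 6.1 (7 / 2008 R2) map to those families.
$affected = [bool]($os.Version -match '^(5\.1|5\.2|6\.0|6\.1)\.')
Write-Output ("Affected OS family: {0}" -f $affected)

# 2) Is one of the fixing hotfixes installed? Get-HotFix enumerates installed Windows updates.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched = [bool]($RequiredHotfixes | Where-Object { $installed -contains $_ })
Write-Output ("Relevant hotfix installed: {0}" -f $patched)

# 3) Is RDP enabled, and does it require NLA? fDenyTSConnections=1 disables RDP;
#    UserAuthentication=1 on the RDP-Tcp listener enforces NLA.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue
$nla = Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue
$rdpEnabled  = ($rdp -ne $null) -and ($rdp.fDenyTSConnections -eq 0)
$nlaRequired = ($nla -ne $null) -and ($nla.UserAuthentication -eq 1)
Write-Output ("RDP enabled: {0}; NLA required: {1}" -f $rdpEnabled, $nlaRequired)

# 4) Is TCP 3389 actually listening? netstat is present on every affected version.
$listening = [bool](netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING')
Write-Output ("TCP 3389 listening: {0}" -f $listening)

# Summary: pre-authentication exposure needs an affected, unpatched OS with RDP reachable and no NLA.
if ($affected -and -not $patched -and $rdpEnabled -and $listening) {
    if ($nlaRequired) {
        Write-Warning 'Unpatched, but NLA limits exploitation to attackers holding valid credentials. Patch.'
    } else {
        Write-Warning 'EXPOSED: unpatched, RDP listening without NLA. Patch now, or block TCP 3389 / enable NLA.'
    }
} else {
    Write-Output 'No pre-authentication BlueKeep exposure found by these checks.'
}
```

Run it across the estate from a vulnerability scan's candidate list rather than in place of the scan; the scan gives the breadth, this script gives the per-host detail.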

2) How to determine if you have been compromised:

This is more difficult to answer, in that signs of compromise can vary depending on the goal of the attacker. An up-to-date anti-virus solution will catch any known malicious payloads deployed onto the target systems, such as crypto-miners and ransomware strains. However, any binaries with unknown signatures will likely stay under the radar and avoid detection for an indeterminate amount of time.

Endpoint Detection and Response (EDR) solutions may be able to detect child process creation related to the execution of the exploit's payload, as can be seen in Kevin Beaumont's article[1] detailing his findings. The telemetry used to determine the cause of the system instability was related to a remote thread injection into Windows' 'spoolsv.exe' process, which is the default process used in the Metasploit implementation. EDR solutions should also be able to detect malicious code injected into processes, increasing the probability of detecting a compromise.

In addition to the above, unexpected PowerShell executions, and log entries relating to persistence mechanisms such as scheduled task creation or new services being created, may be indicators of compromise and are worth watching for.
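A host-level hunt for the artefacts described in the two paragraphs above, added here as an example and not part of the advisory or of any EDR product's own logic. It assumes it is run elevated on the suspect host, and that Security events 4688 (process creation) and 4698 (scheduled task created) are only present where the corresponding audit policies are enabled; the event property indexes used are the standard layouts for those event IDs.

```powershell
# Added example (not from the F-Secure advisory): look for the post-exploitation artefacts the
# advisory lists on one host. Assumptions: run elevated; Security events 4688 and 4698 exist only
# if process-creation and object-access auditing is enabled on this host.
param([int]$HoursBack = 24)
$since = (Get-Date).AddHours(-$HoursBack)
$findings = @()

# 1) spoolsv.exe normally spawns nothing. The Metasploit module injects a thread into it, so any
#    child of the spooler (cmd.exe, powershell.exe, ...) is a strong signal of that payload.
foreach ($spooler in @(Get-WmiObject Win32_Process -Filter "Name='spoolsv.exe'")) {
    foreach ($child in @(Get-WmiObject Win32_Process -Filter "ParentProcessId=$($spooler.ProcessId)")) {
        $findings += ("spoolsv.exe [{0}] has child {1} [{2}]: {3}" -f
            $spooler.ProcessId, $child.Name, $child.ProcessId, $child.CommandLine)
    }
}

# 2) New services (System log, event 7045): properties 0 and 1 are service name and image path.
$svc = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue
foreach ($e in @($svc)) {
    $findings += ("New service '{0}' -> {1} at {2}" -f $e.Properties[0].Value, $e.Properties[1].Value, $e.TimeCreated)
}

# 3) Scheduled task creation (Security log, event 4698): property 1 is the creating user, 4 the task name.
$tasks = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698; StartTime=$since} -ErrorAction SilentlyContinue
foreach ($e in @($tasks)) {
    $findings += ("Scheduled task '{0}' created by {1} at {2}" -f $e.Properties[4].Value, $e.Properties[1].Value, $e.TimeCreated)
}

# 4) PowerShell launches (Security log, event 4688). Match on the message text so the check works
#    on builds with and without the command-line field; baseline against known admin activity.
$procs = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue
foreach ($e in @($procs)) {
    if ($e.Message -match 'New Process Name:\s+\S*\\powershell\.exe') {
        $findings += ("powershell.exe started by {0} at {1}" -f $e.Properties[1].Value, $e.TimeCreated)
    }
}

if ($findings.Count -eq 0) {
    Write-Output ("No BlueKeep-related artefacts found in the last {0} hours." -f $HoursBack)
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Absence of findings is not absence of compromise: as the advisory notes, a more careful actor avoids exactly these noisy mechanisms, so treat this as a first pass before a fuller EDR or forensic review.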

It is important to note that the indicators of compromise will change based on the goal of the attacker. Most known attacks executed up to this point appear to have been used for the deployment of crypto-miners or ransomware. However, threat actors whose goals include accessing the internal workings of networks will avoid utilizing methods likely to generate common alerts. As a result, systems compromised by these groups will remain undetected unless signs of compromise are actively being sought.

If you think you may have been compromised, email us at cir@f-secure.com, using this PGP Public Key.

Further reading

[1] https://doublepulsar.com/bluekeep-exploitation-activity-seen-in-the-wild-bd6ee6e599a6

[2] https://www.kryptoslogic.com/blog/2019/11/bluekeep-cve-2019-0708-exploitation-spotted-in-the-wild/

[3] https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/

[4] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

[5] https://support.microsoft.com/en-za/help/4500705/customer-guidance-for-cve-2019-0708
