Newly named malware strains keep entering the public conversation and making headlines, with names like RobbinHood, Bad Rabbit or WannaCry. (We must appreciate the creative talent of the people who name such things.)
In the last couple of months a new name has emerged that has the potential to rival the impact of WannaCry: BlueKeep (CVE-2019-0708), a vulnerability in Microsoft's Remote Desktop Services (the RDP listener) that allows remote code execution before any authentication takes place. Like WannaCry, it affects only older versions of Microsoft Windows: Windows 7, Windows XP, and Windows Server 2003, 2008 and 2008 R2. Windows 8 and later are not affected.
Although the vulnerability has been public for a few months, Microsoft has warned that nearly one million internet-facing computers are still vulnerable to BlueKeep, and many more on internal corporate networks are likely at risk as well.
(Image from thehackernews.com)
Proof of Concept on GitHub
The NSA said there had been no signs of BlueKeep being exploited in the wild, but that it was likely only a matter of time before cyber criminals took advantage of it. That is especially true now that proof-of-concept exploits are appearing on GitHub and elsewhere, and these can be adapted to deliver a malicious payload.
BlueKeep was first brought to light by the UK's National Cyber Security Centre in May. Microsoft issued a fix and advised patching immediately, because the vulnerability is 'wormable': an exploit could spread from one vulnerable machine to the next without any user interaction, as WannaCry did. The US National Security Agency also joined in, issuing a rare advisory urging the immediate update of all legacy systems.
Underlining the importance of the CVE is the fact that Microsoft backported the fix to Windows XP and Windows Server 2003, both of which are out of support. Where patching is delayed, Microsoft's guidance lists partial mitigations: disable Remote Desktop Services if it is not needed, enable Network Level Authentication (NLA) so that an attacker needs valid credentials before reaching the vulnerable code, and block TCP port 3389 at the perimeter. These reduce exposure but do not remove the vulnerability; only the patch does.
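Before patching a fleet, most teams want an inventory of which RDP listeners are reachable and whether they enforce NLA (the partial mitigation from Microsoft's guidance). The script below is an added example written for this page, not code from the original article or from Microsoft. It sends the X.224 Connection Request with an RDP_NEG_REQ asking only for standard RDP security or TLS (no CredSSP), as described in MS-RDPBCGR, and classifies the server's answer: an RDP_NEG_FAILURE with code HYBRID_REQUIRED_BY_SERVER means NLA is enforced; an RDP_NEG_RSP selecting RDP or TLS means an unauthenticated client reaches the pre-auth code path; a bare Connection Confirm with no negotiation block is a pre-Vista-era server that only speaks standard RDP security. It is an exposure check, not a vulnerability test: a host that reports "nla-not-enforced" still needs the patch, and a host that enforces NLA is still vulnerable to anyone holding credentials. The host names and the sample responses are constructed for illustration.

```python
import socket
import struct
import sys

# Constants from MS-RDPBCGR (RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE).
PROTOCOL_RDP = 0x00000000      # standard RDP security, no NLA
PROTOCOL_SSL = 0x00000001      # TLS, still no NLA
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. NLA

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005


def build_x224_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (19 bytes in total)."""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; all little-endian.
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0x00, 8, requested_protocols)
    # X.224 CR: code 0xE0, dst-ref 0, src-ref 0, class 0, then the negotiation request.
    x224 = bytes([0xE0, 0x00, 0x00, 0x00, 0x00, 0x00]) + neg_req
    x224 = bytes([len(x224)]) + x224                    # length indicator (does not count itself)
    # TPKT: version 3, reserved, big-endian total length.
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(x224)) + x224


def classify_response(data: bytes) -> str:
    """Interpret the server's X.224 Connection Confirm.

    Returns 'nla-required', 'nla-not-enforced', 'legacy-no-negotiation',
    'negotiation-failure-<code>' or 'unexpected'.
    """
    if len(data) < 11 or data[0] != 0x03 or data[5] != 0xD0:   # TPKT v3, X.224 CC code
        return "unexpected"
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len == 11:
        # Bare Connection Confirm, no RDP_NEG_RSP: server predates protocol negotiation
        # and only offers standard RDP security (XP / Server 2003 era).
        return "legacy-no-negotiation"
    if len(data) < 19:
        return "unexpected"
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        return "unexpected"
    if neg_type == TYPE_RDP_NEG_FAILURE:
        if value == HYBRID_REQUIRED_BY_SERVER:
            return "nla-required"
        return f"negotiation-failure-{value}"
    if neg_type == TYPE_RDP_NEG_RSP:
        # Server accepted RDP or TLS without CredSSP: pre-auth surface is reachable.
        return "nla-required" if value == PROTOCOL_HYBRID else "nla-not-enforced"
    return "unexpected"


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Connect to an RDP endpoint and report its negotiation result (does real network I/O)."""
    req = build_x224_connection_request(PROTOCOL_RDP | PROTOCOL_SSL)   # deliberately no HYBRID
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        data = s.recv(64)
    return classify_response(data)


# Constructed sample responses (not captured from any real host), used for offline checks.
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")  # NEG_FAILURE, code 5
SAMPLE_TLS_NO_NLA = bytes.fromhex("030000130ed000001234000200080001000000")    # NEG_RSP, PROTOCOL_SSL
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")                        # bare X.224 CC


def main(argv):
    # Usage: python rdp_nla_probe.py host1 [host2 ...]  (host names are the operator's own)
    if len(argv) < 2:
        for name, sample in (("constructed-nla", SAMPLE_NLA_REQUIRED),
                             ("constructed-tls", SAMPLE_TLS_NO_NLA),
                             ("constructed-legacy", SAMPLE_LEGACY)):
            print(f"{name}: {classify_response(sample)}")
        return
    for host in argv[1:]:
        try:
            print(f"{host}: {probe(host)}")
        except OSError as exc:
            print(f"{host}: unreachable ({exc})")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the three constructed cases classified; pass host names to probe real listeners. Treat any result other than "nla-required" on an unpatched Windows 7 / 2008 / XP / 2003 host as an exposed pre-authentication surface, and treat "unreachable" on an internal network with suspicion rather than relief, since the listener may simply be filtered from the scanning host.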
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0708
NSA advisory: https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csa-bluekeep_20190604.pdf
Microsoft guidance:
https://support.microsoft.com/en-gb/help/4500705/customer-guidance-for-cve-2019-0708
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708