BlueKeep: What you Need to Know | Tripwire

BlueKeep: What you Need to Know

Posted on November 11, 2019
BlueKeep: What you Need to Know

What is BlueKeep?

BlueKeep is the name that has been given to a security vulnerability that was discovered earlier this year in some versions of Microsoft Windows' implementation of the Remote Desktop Protocol (RDP). The vulnerability was described as "wormable" by Microsoft, and users were warned that BlueKeep might be exploited in a similar fashion to how the WannaCry ransomware used the Eternal Blue vulnerability to spread widely in 2017. Warnings about the BlueKeep vulnerability have been issued by the UK's National Cyber Security Centre (NCSC) and United States's National Security Agency (NSA), as well as equivalent agencies in Germany and Australia, as well as Microsoft itself. Microsoft considered the threat posed by BlueKeep to be so serious that the software giant took the unusual step of releasing patches for no-longer supported versions of Windows such as Windows Server 2003, Windows Vista, and Windows XP.

Sounds serious. Which other operating systems are vulnerable?

The RDP functionality on Windows 7 and Windows Server 2008 (both reaching the end of their support life-cycle) is also vulnerable, and should be patched as a matter of urgency.

But didn't this all happen a while ago?

Yes, the patches from Microsoft came out in May, and although some IT teams acted fast to secure their critical Windows systems, hundreds of thousands of other internet-connected computers remain unpatched to this day.

So what have bad guys been doing with the BlueKeep vulnerability?

For some months it seemed not much was happening. But recently an attack was seen in the wild which attempted to install cryptomining software onto RDP servers that had not been patched, and had exposed port 3389 to the internet.

You said "attempted"...

Yes, the attack - first spotted by security researcher Kevin Beaumont - caused systems to crash with the infamous "blue screen of death." According to a ZDNet report, the reason why the attack failed was because of an incompatibility between the exploit code and a patch Microsoft had previously issued for the Intel CPU vulnerability known as Meltdown.

So, having vulnerable computers crash is bad but better than having them compromised by malicious code, right?

Right. If a computer crashes it might alert you that something's wrong, and is certainly better than an attacker silently installing unauthorised code. But it is widely expected that a revised version of the BlueKeep exploitation code will be issued this week which will NOT caused Meltdown-patched computers to crash.

So what should we do?

  • Patch your vulnerable computers now, with the fixes Microsoft issued earlier this year.
  • Block port 3389 used by the RDP protocol at your firewalls, especially if they are exposed to the internet.
  • Disable remote desktop services if they are not required.
  • Enable Network Level Authentication (NLA) to control who connects to your systems, and protect your network from unauthorised users and software.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!