BlueKeep: Researchers show how dangerous this Windows exploit could really be

Researchers develop a proof-of-concept attack after reverse engineering the Microsoft BlueKeep patch.
Written by Danny Palmer, Senior Writer

Microsoft Windows users who are yet to patch a severe vulnerability, for which security updates were released almost two months ago, are putting themselves at risk from hackers.

The CVE-2019-0708 vulnerability – known as BlueKeep – was first reported in May, and allows attackers to connect to Remote Desktop Protocol (RDP) services and issue commands which could steal or modify data, install malware and conduct other malicious activities.

The vulnerability is considered dangerous enough that Microsoft has repeatedly told users to apply the patches and even the USA's National Security Agency (NSA) issued a public warning to patch against BlueKeep.

The vulnerability has similar worm-like spreading functions to EternalBlue, the leaked NSA hacking tool which powered the global WannaCry ransomware outbreak in 2017.

It affects computers running Windows XP, Windows 7, Windows Server 2003, and Windows Server 2008, and the risk is considered so great that Microsoft issued a patch even for Windows versions that are no longer supported.

There's currently no sign of BlueKeep having been exploited in the wild, but security researchers at Sophos have reverse-engineered the Microsoft patch and developed a proof of concept showing how attackers could attack RDP systems without any input from the victim.

If an attacker managed to do the same, they could use BlueKeep to issue destructive commands on what's thought to be millions of Windows systems which are still vulnerable to the exploit.

Using a Windows 7 virtual machine, the researchers used BlueKeep to alter the Windows accessibility menu, bypassing security controls to gain access to the desktop.


Security experts worry the exploit could be used for anything from installing trojan malware for stealthy attacks, to deploying ransomware on compromised systems, or even just wiping entire networks. The vulnerability would be especially useful to attackers who only care about infecting as many machines as possible with no preference as to who the victims are.

"An attack like this falls into the category of 'spray and pray' – the attackers are not choosy about who they target, and some percentage of machines will be vulnerable," said Andrew Brandt, principal researcher at Sophos.

Researchers won't release their proof of concept because they say doing so would be too much of a risk – but they have published a technical support bulletin with recommended actions.

The most critical advice is that users patch their systems to ensure they're protected from attacks using BlueKeep, but the researchers also recommend disconnecting RDP where it isn't necessary, requiring users to connect to internal RDP servers through a VPN, and applying additional controls such as multi-factor authentication to machines hosting RDP services.
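The following PowerShell script is an added example (not from the article, Sophos or Microsoft) that turns the advice above into a per-host audit: it checks whether the host runs one of the Windows versions the article lists as affected, whether Remote Desktop is enabled, and whether a given security update is installed, and can optionally turn RDP off where it isn't needed. The mapping from article OS names to kernel version prefixes is my assumption, and the update id is a placeholder because the article does not name it; take the real id from Microsoft's advisory for CVE-2019-0708.

```powershell
# Added example (not the article's or Sophos' code): audit one Windows host
# against the article's BlueKeep advice. Run in an elevated PowerShell prompt.
# Uses Get-WmiObject / Get-HotFix so it also works on the PowerShell 2.0 that
# ships with Windows 7 (Windows XP / Server 2003 have no PowerShell by default).
param(
    # PLACEHOLDER: substitute the CVE-2019-0708 update id for this OS from
    # Microsoft's advisory; the article itself does not name the KB.
    [string]$PatchKB = "KBxxxxxxx",
    # When set, turns RDP off on an unpatched, affected host (the article's
    # "disconnect RDP where it isn't necessary" advice).
    [switch]$DisableRdp
)

$os = Get-WmiObject -Class Win32_OperatingSystem

# Assumed mapping of the article's affected OS families to version prefixes:
# 5.1 = Windows XP, 5.2 = Server 2003, 6.0 = Server 2008, 6.1 = Windows 7 / 2008 R2.
$affectedPrefixes = @("5.1", "5.2", "6.0", "6.1")
$osAffected = $false
foreach ($prefix in $affectedPrefixes) {
    if ($os.Version.StartsWith($prefix + ".")) { $osAffected = $true }
}

# fDenyTSConnections = 1 means Remote Desktop is turned off on this host.
$tsKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$denyValue = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$rdpEnabled = ($denyValue -eq 0)

# Get-HotFix lists installed updates by KB id; missing id -> nothing returned.
$patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

# Prioritise exactly as the article does: unpatched + affected + RDP reachable is worst.
if ($osAffected -and -not $patched -and $rdpEnabled) {
    $exposure = "HIGH: affected OS, update missing, RDP enabled - patch now or disable RDP"
} elseif ($osAffected -and -not $patched) {
    $exposure = "MEDIUM: affected OS, update missing, RDP currently off"
} else {
    $exposure = "OK: not affected or update installed"
}

$report = New-Object PSObject -Property @{
    ComputerName = $env:COMPUTERNAME
    OSVersion    = $os.Version
    AffectedOS   = $osAffected
    RdpEnabled   = $rdpEnabled
    PatchPresent = $patched
    Exposure     = $exposure
}
$report | Format-List ComputerName, OSVersion, AffectedOS, RdpEnabled, PatchPresent, Exposure

# Optional remediation: only touches hosts where the article says RDP should
# not be exposed (affected, unpatched), and only when the operator asks for it.
if ($DisableRdp -and $osAffected -and -not $patched -and $rdpEnabled) {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Write-Output "Remote Desktop disabled on $env:COMPUTERNAME until the update is applied."
}
```

Run it as `.\Audit-BlueKeep.ps1 -PatchKB <id from the advisory>` across the fleet (for example via a remote-execution tool that already reaches each host) to get a patch-priority list; hosts reported HIGH are the ones the article says should be patched first or have RDP taken off the network until they are. Disabling RDP in the registry does not remove firewall rules or VPN routes, so the VPN and multi-factor controls the article recommends still need to be applied separately.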
