Monday 7th December 2020
12 Vulnerabilities of Christmas- CVE-2019-0708 A.K.A BlueKeep
The Twelve Days of Christmas commemorates a series of increasingly extravagant gifts given during the festive period. To mark the advent of Christmas and the end of a turbulent year, our analysts have looked at some of the biggest gifts to cyber threat actors in 2020, in terms of the vulnerabilities (also known as CVEs, which stands for Common Vulnerabilities and Exposures), that they have been able to exploit. Instead of gold rings, maids-a-milking and turtle doves, we look at remote code execution, privilege escalation and lateral movement.
We have selected each of our Twelve vulns of Christmas on the basis of their Orpheus Vulnerability Score (OVS), so many of these have scores of or close to the maximum of 100. An OVS provides additional context on the threat and impact associated with particular CVEs, building upon the vulnerability information that is provided as part of the CVSS (Common Vulnerabilities Scoring System) score. More information on how we calculate OVSs is available here.
CVE-2019-0708, aka “BlueKeep” was originally disclosed by the UK National Cyber Security Centre (NCSC) in May 2019, though has provide one of the most important vulnerabilities in 2020 too. Orpheus has attributed BlueKeep with an Orpheus Vulnerability Score of 100/100 due to its ease of exploit, availability of public exploits, assets affected, and evidence of exploitation in the wild.
BlueKeep affects Remote Desktop Protocol (RDP) services on a majority of Windows versions prior to Windows 10, allowing threat actors to achieve remote code execution (RCE) on the compromised server.
As RDP is widely used in corporate environments for remote access to company assets and software, this vulnerability has generated many fears that a “wormable” version may spread and create an impact similar to that of WannaCry, which leveraged a similar vulnerability named EternalBlue to rapidly spread ransomware across thousands of devices. Use of RDP has also increased as a result of the pandemic and work-from-home arrangements, as companies have had to aggressively expand their remote access infrastructure to meet their employees’ needs, with security often being left as an afterthought.
Shortly after the publication of the vulnerability, Microsoft issued a security update urging users to swiftly patch vulnerable systems, as security vendors started reporting on scanning activity pertaining to threat actors searching for vulnerable systems, indicating that BlueKeep exploits were being developed. Metasploit, a popular penetration-testing framework, published an initial exploit module for BlueKeep on 9 September 2019, making the vulnerability much easier to exploit. Ease of exploitability and availability of a Metasploit module are two factors in our calculation of BlueKeep’s Orpheus Vulnerability Score (OVS), which was scored at a maximum 100/100. Interest among threat actors to exploit the vulnerability remains high, as cybercriminals continue discussing exploitation and detection of vulnerable hosts on dark web hacking forums. The below screenshot from one such forum post (dated November 2020) demonstrates that threat actors are continuing to leverage the vulnerability in addition to creating dedicated target lists of vulnerable RDP instances for mass exploitation.
Figure 1: Cybercriminals discussing the exploitation of BlueKeep on an underground forum
Another component of the OVS score is evidence of the exploit being used “in the wild” by threat actors. Several high profile incidents involving the vulnerability indicates that threat actors have indeed added BlueKeep exploits to their arsenal, further contributing to a high OVS score for the vulnerability The following incidents have been reported by Orpheus analysts as leveraging BlueKeep since its initial publication in May 2019:
- July 2019: Cyptomining campaign targets vulnerabilities in Linux and scans for BlueKeep vulnerability
- November 2019: Further evidence of BlueKeep exploits used in the wild by cryptomining campaigns surfaces
- June 2020: Gameredon, a suspected Russian state actor, has been observed targeting military and diplomatic entities in Eastern Europe using a BlueKeep exploit
Data from Shodan suggests that there are still approximately 264,546 devices and hosts worldwide still vulnerable to BlueKeep, meaning that many organisations have yet to patch or upgrade their RDP services. The following map provides a breakdown of the number of vulnerable hosts per country, demonstrating that China has by far the most vulnerable hosts with approximately 103,511.
Figure 2: A significant number of hosts worldwide are still vulnerable to BlueKeep
We recommend organisations take action to mitigate the potential impact of threat actors using such the BlueKeep exploit by applying the mitigation advice provided in the official Microsoft security advisory. This includes the following steps to quickly reduce exposure and potential exploitation of the vulnerability in your attack surface:
- Disable RDP services if they are not required
- Enabled Network Level Authentication on vulnerable systems
- Block port 3389 on your organisations’ firewall or use an allowlist to limit access
Get our latest cyber intelligence insights straight into your inbox every week
Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.