12 Vulnerabilities of Christmas- CVE-2019-0708 A.K.A BlueKeep
The Twelve Days of Christmas commemorates a series of increasingly extravagant gifts given during the festive period. To mark the advent of Christmas and the end of a turbulent year, our analysts have looked at some of the biggest gifts to cyber threat actors in 2020, in terms of the vulnerabilities (also known as CVEs, which stands for Common Vulnerabilities and Exposures), that they have been able to exploit. Instead of gold rings, maids-a-milking and turtle doves, we look at remote code execution, privilege escalation and lateral movement.
We have selected each of our Twelve vulns of Christmas on the basis of their Orpheus Vulnerability Score (OVS), so many of these have scores of or close to the maximum of 100. An OVS provides additional context on the threat and impact associated with particular CVEs, building upon the vulnerability information that is provided as part of the CVSS (Common Vulnerabilities Scoring System) score. More information on how we calculate OVSs is available here.
CVE-2019-0708, aka “BlueKeep” was originally disclosed by the UK National Cyber Security Centre (NCSC) in May 2019, though has provide one of the most important vulnerabilities in 2020 too. Orpheus has attributed BlueKeep with an Orpheus Vulnerability Score of 100/100 due to its ease of exploit, availability of public exploits, assets affected, and evidence of exploitation in the wild.
Background
BlueKeep affects Remote Desktop Protocol (RDP) services on a majority of Windows versions prior to Windows 10, allowing threat actors to achieve remote code execution (RCE) on the compromised server.
As RDP is widely used in corporate environments for remote access to company assets and software, this vulnerability has generated many fears that a “wormable” version may spread and create an impact similar to that of WannaCry, which leveraged a similar vulnerability named EternalBlue to rapidly spread ransomware across thousands of devices. Use of RDP has also increased as a result of the pandemic and work-from-home arrangements, as companies have had to aggressively expand their remote access infrastructure to meet their employees’ needs, with security often being left as an afterthought.
Shortly after the publication of the vulnerability, Microsoft issued a security update urging users to swiftly patch vulnerable systems, as security vendors started reporting on scanning activity pertaining to threat actors searching for vulnerable systems, indicating that BlueKeep exploits were being developed. Metasploit, a popular penetration-testing framework, published an initial exploit module for BlueKeep on 9 September 2019, making the vulnerability much easier to exploit. Ease of exploitability and availability of a Metasploit module are two factors in our calculation of BlueKeep’s Orpheus Vulnerability Score (OVS), which was scored at a maximum 100/100. Interest among threat actors to exploit the vulnerability remains high, as cybercriminals continue discussing exploitation and detection of vulnerable hosts on dark web hacking forums. The below screenshot from one such forum post (dated November 2020) demonstrates that threat actors are continuing to leverage the vulnerability in addition to creating dedicated target lists of vulnerable RDP instances for mass exploitation.
Figure 1: Cybercriminals discussing the exploitation of BlueKeep on an underground forum
Another component of the OVS score is evidence of the exploit being used “in the wild” by threat actors. Several high profile incidents involving the vulnerability indicates that threat actors have indeed added BlueKeep exploits to their arsenal, further contributing to a high OVS score for the vulnerability The following incidents have been reported by Orpheus analysts as leveraging BlueKeep since its initial publication in May 2019:
Data from Shodan suggests that there are still approximately 264,546 devices and hosts worldwide still vulnerable to BlueKeep, meaning that many organisations have yet to patch or upgrade their RDP services. The following map provides a breakdown of the number of vulnerable hosts per country, demonstrating that China has by far the most vulnerable hosts with approximately 103,511.
Figure 2: A significant number of hosts worldwide are still vulnerable to BlueKeep
Mitigation
We recommend organisations take action to mitigate the potential impact of threat actors using such the BlueKeep exploit by applying the mitigation advice provided in the official Microsoft security advisory. This includes the following steps to quickly reduce exposure and potential exploitation of the vulnerability in your attack surface:
Disable RDP services if they are not required
Enabled Network Level Authentication on vulnerable systems
Block port 3389 on your organisations’ firewall or use an allowlist to limit access
Get our latest cyber intelligence insights straight into your inbox
Fill out the short form below to subscribe to our newsletter so that you never miss out on
our cyber intelligence insights and news.
Privacy Overview
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Strictly Necessary Cookies
These cookies are strictly necessary to provide you with services available through our website and to use some of its features. These must be enabled at all times, so that we can save your preferences.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
If you do not enable Strictly Necessary Cookies, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Please enable Strictly Necessary Cookies first so that we can save your preferences!
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Request Demo Access
Fill out your details below and we'll be in touch to arrange demo access for you as soon as
possible.
