CVE-2019-0708 “BlueKeep”: Immunity Inc. starts to sell an exploit with full RCE capabilities

Cybersecurity firm Immunity Inc. decided to sell a BlueKeep exploit module capable of full remote code execution as part of its penetration testing toolkit.

Concerns about malicious use of this module are spreading across the cybersecurity community:

According to the advisory, the issue discovered was serious enough that it led to Remote Code Execution and was wormable, meaning it could spread automatically on unprotected systems. The bulletin referenced well-known network worm “WannaCry” which was heavily exploited just a couple of months after Microsoft released MS17-010 as a patch for the related vulnerability in March 2017. McAfee Advanced Threat Research has been analyzing this latest bug to help prevent a similar scenario and we are urging those with unpatched and affected systems to apply the patch for CVE-2019-0708 as soon as possible. It is extremely likely malicious actors have weaponized this bug and exploitation attempts will likely be observed in the wild in the very near future.

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/

Cybersecurity vendor Immunity Inc. defended its decision to sell a BlueKeep exploit module capable of full remote code execution as part of its penetration testing toolkit.
The infosec community has been watching the progression of BlueKeep over the past two months. The Remote Desktop protocol vulnerability affects older Windows systems and is considered so dangerous that Microsoft twice urged users to patch. The issue even garnered warnings from the National Security Agency and Department of Homeland Security.
Security researchers from McAfee, Zerodium and Kaspersky had developed proof-of-concept BlueKeep exploits before, but none released the code because of fears it would accelerate the production of a weaponized exploit used by malicious actors.

https://searchsecurity.techtarget.com/news/252467395/Immunity-selling-new-BlueKeep-exploit-defends-decision

The lack of a public exploit is a major reason, as is the difficulty of writing one from scratch, says David Aitel, chief security technical officer at Cyxtera, which last week announced it had incorporated a complete exploit for the BlueKeep vulnerability into its penetration-testing product, Canvas. 
“It is not trivial,” he says.
Eleven weeks after Microsoft announced it had patched the critical software issues, the lack of an exploit for BlueKeep continues to puzzle some security professionals. BlueKeep (CVE-2019-0708), a vulnerability in the way older versions of Windows handle remote desktop protocol (RDP) messages, can allow an attacker to run code on systems with the service accessible from the Internet.
Yet, while a catastrophic worm is the obvious threat, other, more subtle dangers exist as well, says Dan Dahlberg, director of security research at BitSight.
“You think of the activities of the sorts of people trying to take advantage of this vulnerability for nefarious purposes — there are people who are less experienced, who would likely turn it into a worm,” he says. “But there are other actors who might utilize this vulnerability in a much more stealthy manner, and that is going to be much harder to detect.”

https://www.darkreading.com/bluekeep-exploits-appear-as-security-firms-continue-to-worry-about-cyberattack/d/d-id/1335380

What should users do?
Update, update, update! 🙂

