Seqrite detects BlueKeep: A vulnerability targeting enterprises during RDP pre-authentication in Windows OS

Seqrite, a specialist provider of endpoint security, network security, enterprise mobility management and data protection solutions, has highlighted the growing threat presented by CVE-2019-0708, commonly known as BlueKeep. A pre-authentication vulnerability in the Remote Desktop Protocol (RDP) service on Windows OS, it can be exploited by cybercriminals and threat actors to compromise systems without any user interaction.

What makes BlueKeep particularly frightening is the fact that it is ‘wormable’. Infected systems can be used to target other vulnerable machines within the enterprise network and can even move across networks to spread the infection at scale. This is similar to the method employed by cybercriminals during the global WannaCry epidemic in 2017. Researchers at Seqrite said that the exploit could affect healthcare products like radiography, X-ray and other imaging software that leverage Windows OS.

Another major point of concern is the fact that multiple PoCs exploiting BlueKeep have emerged since the vulnerability was patched by Microsoft. Exploit code for the vulnerability has also been added to the popular exploitation framework Metasploit, and that module is likely to be used by amateur hackers. This makes it easier for cybercriminals, both novices and experts, to carry out large-scale attacks on vulnerable hosts that have their RDP ports open to the Internet.

Attacks exploiting BlueKeep have already been detected dropping the Monero cryptocurrency miner on vulnerable systems. Security experts at Seqrite have also analysed the telemetry data to highlight a surge in the number of such attacks; all attacks were successfully blocked by its wide range of enterprise security solutions.

Given the criticality and potential impact of the vulnerability, Seqrite advises all organisations to immediately apply the relevant patch. In case the patch cannot be applied, users can disable RDP access to devices from outside the organisation’s network. Machines which are hosted on the cloud should also be updated to only allow RDP access to whitelisted IPs.
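One way to apply the interim mitigation described above on a Windows host, as an added example that is not part of the Seqrite article: the built-in "Remote Desktop" firewall rules (which accept any source) are disabled, a single rule admits TCP 3389 only from an allowlist, and the profile default of blocking unsolicited inbound traffic covers everything else. The allowlist addresses are constructed placeholders, and the rule display names and the English "Remote Desktop" group name are assumptions.

```powershell
# Added example (not from the article): restrict inbound RDP (TCP 3389) on a Windows
# host to an allowlist of management addresses. Run in an elevated PowerShell session.
# The sources below are constructed placeholders; replace them with your own ranges.
$AllowedRdpSources = @('10.0.10.0/24', '203.0.113.10')   # assumed management addresses
$RuleName = 'RDP - allowlisted sources only'              # assumed rule name

# 1. Make sure unsolicited inbound traffic is blocked by default on every profile, so
#    that nothing but an explicit allow rule can reach 3389 (block rules would win
#    over allow rules in Windows Firewall, so we rely on the default action instead).
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable the in-box "Remote Desktop" rules, which allow RDP from any address.
#    (Group name assumed to be the English display name; it is localised on other SKUs.)
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. Recreate the allowlist rule idempotently: drop any previous copy, then add it.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AllowedRdpSources -Action Allow -Profile Any | Out-Null

# 4. Verify: the only enabled allow rule for 3389 should carry the allowlist, and the
#    address filter should list exactly the sources configured above.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Direction, Profile, Enabled
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

For cloud-hosted machines the same allowlist should also be enforced in the provider's security group or network ACL, so that the host firewall is a second layer rather than the only one.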