BlueKeep: The Threat Is Real and Here’s What You Should Do

It’s official — a successful exploit of BlueKeep has been spotted in the wild. Since Microsoft first warned the public about the Remote Desktop Protocol (RDP) vulnerability BlueKeep, security professionals and researchers have been waiting to see a documented case of bad actors taking advantage of the vulnerability. And on November 2, security researcher Kevin Beaumont revealed that cryptominers were crashing his network of honeypots by exploiting BlueKeep. Microsoft has confirmed this information.

There’s good reason to be concerned about BlueKeep, also known as CVE-2019-0708. It’s a vulnerability for RDP, a Microsoft service that allows a user to remotely connect to a device and interact with it through a virtual interface. RDP is a useful tool but was never intended to be exposed to the public Internet. BlueKeep is particularly dangerous because it’s wormable, which means attackers can use it as an entry point to move laterally into other systems. 

Since BlueKeep was announced, researchers have been concerned there could be a wave of BlueKeep attacks in the mold of Wannacry. Microsoft has issued multiple warnings about the dangers of BlueKeep and the importance of patching operating systems with RDP. The NSA even took the unusual step of issuing its own warning urging administrators and users to patch legacy versions of Windows.

The fact that there is a documented case of attackers using BlueKeep makes it that much more critical for organizations to shore up their defenses. While BlueKeep attacks have only been used for cryptocurrency mining so far, it’s only a matter of time before bad actors use it to launch ransomware, malware, and other attacks. 

One of the most important steps you can take to reduce your risk is to make sure you don’t have any RDP instances exposed to the public Internet where bad actors could potentially access them. Rapid Internet-wide scanning and machine-speed attacks make it easy for attackers to find and take advantage of exposed Internet Assets like RDP in hours or even minutes. Security by obscurity just doesn’t work anymore. 

At Expanse, we’ve found that the vast majority of organizations don’t know what Internet Assets and services (like Windows machines on the Internet with no firewall and RDP or other remote access exposures) they have. We routinely find up to 70% more Internet Assets than organizations previously knew about or were tracking. Pervasive vulnerabilities like BlueKeep-exploitable RDP mean you simply can’t afford to remain in the dark as to what you have exposed to the Internet. 

Talk to us today to get a demo of how we can help you find employee laptops and Windows virtual machines on the Internet with no firewall, and hundreds of other types of exposures. 

Leo Olson is a senior Cyber Research Engineer at Expanse with over 20 years of experience in government, military, and law enforcement cyber operations. He specializes in network analysis with special interest in malware C2 communications and cyber threat intelligence.