The below information is shared by CERT-IN (Government of India) as part of their regular monitoring and analysis
Overview
A vulnerability has been reported in Microsoft Windows Remote Desktop Services which could be exploited by a remote attacker to execute arbitrary code on the targeted system.
This vulnerability, aka BlueKeep, exists in Microsoft Remote Desktop Services due to improper handling of connection requests. A remote unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target system's Remote Desktop Service via RDP.
This vulnerability is pre-authentication and does not require any user interaction. Hence, this vulnerability could be used to create a worm, allowing any future malware exploiting it to propagate from one computer to another (similar to the WannaCry ransomware).
Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code and compromise the target system completely.
Many industrial environments enable remote operators and engineers to access control system environments.
Care must be taken for cloud-based Windows installations.
Working exploits in Metasploit and other proof-of-concept code detailing a workable exploit are in the public domain.
Attackers are collecting lists of vulnerable systems to sell as access-as-a-service on forums and marketplaces using the GoldBrute botnet. IOCs related to GoldBrute:
IP/Domain: 104.156.249.231
Hash: af07d75d81c36d8e1ef2e1373b3a975b9791f0cca231b623de0b2acd869f264e
Systems Affected
Windows XP (all)
Windows 2003 (all)
Windows 7 for 32-bit Systems SP 1 and x64-based Systems SP 1
Windows Server 2008 for 32-bit Systems SP 2 (Server Core installation also affected)
Windows Server 2008 for Itanium-Based Systems SP 2
Windows Server 2008 for x64-based Systems SP 2 (Server Core installation also affected)
Windows Server 2008 R2 for Itanium-Based Systems SP 1
Windows Server 2008 R2 for x64-based Systems SP 1 (Server Core installation also affected)
CERT-IN recommends:
Users must keep software and firmware up to date with timely patches to prevent any potential attacks. Necessary details regarding the patching can be seen here:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
https://support.microsoft.com/en-gb/help/4500705/customer-guidance-for-cve-2019-0708
Disable Remote Desktop Services if not required. As a best practice, disable unused and unneeded services to reduce exposure to security vulnerabilities.
Block TCP port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet.
Enable Network Level Authentication (NLA) on supported versions. With NLA enabled, attackers would first have to authenticate to RDS in order to successfully exploit the vulnerability.
If RDP is needed, consider using it across a VPN gateway so it is not exposed on the internet.
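The following is an added example, not part of the CERT-IN advisory or of any Microsoft tooling: a read-only PowerShell check that reports how a local Windows host stands against the mitigations listed above (RDP enabled, NLA enforced, TermService running, firewall rules opening TCP 3389, and whether the OS belongs to one of the affected families). It assumes an elevated session and the standard Terminal Server registry locations; it does not test whether the patch itself is installed, since the KB numbers are only in the Microsoft links above.

```powershell
# Added example (not from the CERT-IN advisory): read-only posture check for the
# CVE-2019-0708 mitigations above. Run in an elevated PowerShell session.
# Written for PowerShell 2.0+ so it also runs on the Windows 7 / 2008 hosts listed.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# Is Remote Desktop enabled at all? (fDenyTSConnections = 0 means enabled)
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# Is Network Level Authentication required? (UserAuthentication = 1 means NLA on)
$ua = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaEnabled = ($ua -eq 1)

# Is the Remote Desktop Services service (TermService) currently running?
$svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
$svcRunning = [bool]($svc -and $svc.Status -eq 'Running')

# Count enabled inbound firewall rules that open TCP 3389. The NetSecurity
# cmdlets exist only on Windows 8 / Server 2012 and later; older hosts report 'unknown'.
$fw3389 = 'unknown'
if (Get-Command Get-NetFirewallPortFilter -ErrorAction SilentlyContinue) {
    $fw3389 = @(Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '3389' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }).Count
}

# The families in the advisory (XP, 2003, 2008, 7, 2008 R2) all report kernel
# version 6.1 or lower; Windows 8 / Server 2012 and later (6.2+) are not listed.
$os = [System.Environment]::OSVersion.Version
$legacyOs = ($os.Major -lt 6) -or ($os.Major -eq 6 -and $os.Minor -le 1)

# Unauthenticated RDP exposure: affected OS family, RDP on and listening, no NLA.
$exposed = $legacyOs -and $rdpEnabled -and $svcRunning -and (-not $nlaEnabled)

New-Object PSObject -Property @{
    OSVersion                  = $os.ToString()
    AffectedOSFamily           = $legacyOs
    RemoteDesktopEnabled       = $rdpEnabled
    NLAEnabled                 = $nlaEnabled
    TermServiceRunning         = $svcRunning
    InboundRulesTcp3389        = $fw3389
    UnauthenticatedRdpExposure = $exposed
}
```

A host that reports UnauthenticatedRdpExposure = True should have RDP disabled, NLA enabled, or TCP 3389 blocked per the recommendations above until the patch is confirmed installed.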
Vendor information:
Microsoft
https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708
References
https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
Cisco
https://tools.cisco.com/security/center/viewAlert.x?alertId=60195
Trend Micro
https://success.trendmicro.com/solution/000132295-SECURITY-ALERT-Remote-Code-Execution-RCE-Vulnerability-in-Microsoft-Windows-Remote-Desktop-Services-CVE20190708
KrebsonSecurity
https://krebsonsecurity.com/tag/cve-2019-0708/
BleepingComputer
https://www.bleepingcomputer.com/news/security/bluekeep-remote-desktop-exploits-are-coming-patch-now/
CVE Name
CVE-2019-0708