Information in regards to the exploitation of BlueKeep (CVE-2019-0708) has been leaked for some time now, but Metasploit has decided to publicly release their own exploit module. What is most dangerous about BlueKeep is that it only takes a single machine to expose credentials linked to other computers on the same network. The new kit is designed to target the 64-bit versions of Windows 7 and Windows 2008 R2. Metasploit’s module specifically identifies a target operating system version and verifies whether or not it is vulnerable. Users must provide target details before the process continues, meaning automatic targeting is not supported. With no surprise, this poses a huge risk for unpatched RDP servers, with over one million on the internet and nearly 72,000 in the US alone. As previously mentioned, exploit information has been leaked for a while, but this makes it easier for less-skilled groups of people to carry out attacks and target every vulnerable host with an RDP open. When asked if the release would allow threat actors easier access to create their own exploits and why Rapid7 made it public, Brent Cook from Rapid7 stated, “Metasploit is an open-source exploitation toolkit that can be used by anyone. The information in the exploit module provides a further understanding of attack techniques and how to mitigate them. This holds true for every module and technique added to Metasploit Framework. This module particularly benefits defenders who rely on open-source tooling for testing and prioritizing security risks. We recognized that other researchers have also independently developed working exploits for this vulnerability and given the public information that has accumulated so far, we felt it was important to help security practitioners demonstrate the direct risk associated with this vulnerability and encourage implementing mitigations. The module today contains limitations that prevent its direct use for wide-scale automatic exploitation, but we do expect that other knowledge from the security community to complete the picture at some point.” CISA, Microsoft, and the NSA have all released warnings urging users to patch and or upgrade their vulnerable machines.
Analyst Notes
Though this release by Rapid 7 with Metasploit will make this exploit easier for “skiddies” to use, they should not be faulted. BlueKeep has been out for some time now, and even a month after its release, Microsoft was still warning their users to patch. Users should have patched their systems by now, but if they have not, it should be done immediately. Users are strongly suggested to use a VPN and remove their RDP servers from direct internet connection if they are not used within the company. Along with deploying the patch for BlueKeep, users should also switch to Network Level Authentication and monitor internally and externally for suspicious RDP connection activity and have a proper response plan in place.
