Marcus Hutchins Gives Advice on BlueKeep (CVE-2019-0708)

The Internet has recently been buzzing about the latest BlueKeep exploits, which affect the popular Windows Remote Desktop Protocol, or RDP for short. British intelligence originally discovered the BlueKeep vulnerability, otherwise known as CVE-2019-0708, in May.

Here’s how Microsoft describes it:

“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP. The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.”

Marcus Hutchins famously deployed a killswitch for WannaCry back in 2017, preventing the notorious WannaCry ransomware from doing further harm to the world’s Windows machines. Despite his legal troubles since then, Hutchins’ work has been immensely beneficial to cybersecurity research. And he hasn’t rested on his laurels in the interim. In fact, he continues to do great work.

Hutchins has observed the first BlueKeep hacking campaign on a mass scale, which emerged in early November. This week, we had the opportunity to ask him a few questions about it.

KIM CRAWLEY: Tell us how you stumbled upon BlueKeep.

MARCUS HUTCHINS: I didn't find the vulnerability, if that's what you're asking. This one was reported by GCHQ. (NOTE: GCHQ is a British intelligence agency, and their organization, the National Cyber Security Centre, found the vulnerability.)

How did you investigate BlueKeep?

By reverse engineering the Microsoft patch.

My own advice as a cybersecurity writer is for users to disable RDP unless they have a good reason to use it. A lot of Windows ransomware gets in that way. Does the vulnerability affect the most recent version of Windows 10? Server 2016?

No, only Windows XP to Windows 7.

There’s lots of legacy tech out there in the enterprise. Sometimes organizations have difficulty upgrading Windows because they need driver support for devices that are only supported in older versions of Windows. How can the vulnerability be exploited?

By triggering a memory corruption bug in the kernel.

Ouch! Does that give an attacker access to much of the memory?

They can get full remote code execution.

Do you think the vulnerability has already been exploited many times? And what are your contributions to our knowledge about the vulnerability?

Yes. (My contributions are) explaining how it works and tracking widespread use.

Imagine I'm a Security Operations Center (SOC) analyst in a network with many Windows 7 endpoints that can't be upgraded due to driver support issues. What do I need to know?

You need to disable RDP or enable Network Level Authentication.

What else should I know about BlueKeep?

That the full code for the exploit is public.

After speaking with Marcus Hutchins, it was brought home to me how important it is for organizations with legacy versions of Windows to install as many security patches as possible. A patch for the BlueKeep vulnerability has been available since May 14, 2019, and even the NSA is urging users to patch and update as soon as possible. I applaud Microsoft’s hard work, but I’m concerned by how many machines Hutchins was able to find that are still vulnerable.

Patch management is serious business. And if you don’t manage your patches properly, all the hard work of patch developers is for naught. Patch early and often.
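For an administrator who has to act on Hutchins' advice across a fleet of Windows 7 endpoints, the following script is an added example (it is not from the article and not Hutchins' own code). It audits whether a host is already mitigated, and applies either mitigation he names: requiring Network Level Authentication (NLA) on the RDP listener, or turning RDP off entirely. It assumes an elevated PowerShell session on Windows 7 / Server 2008 R2 (PowerShell 2.0-compatible syntax), the standard Terminal Server registry keys, and a KB number for the patch that you fill in from the Microsoft advisory; the `KB<number>` value below is a placeholder, not a value taken from the article.

```powershell
# Added example, not code from the article or from Marcus Hutchins.
# Audit and apply BlueKeep (CVE-2019-0708) mitigations on a Windows 7 /
# Server 2008 R2 host that cannot be patched right away.
# Assumes an elevated session; registry paths are the stock Terminal Server keys.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpMitigationState {
    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required: the client must authenticate
    # before the vulnerable pre-authentication RDP code path is reached.
    $nla  = (Get-ItemProperty -Path $RdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # SecurityLayer = 2 forces TLS instead of legacy RDP security.
    $sec  = (Get-ItemProperty -Path $RdpKey -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer

    $rdpEnabled = ($deny -ne 1)
    $nlaOn      = ($nla -eq 1)
    New-Object PSObject -Property @{
        ComputerName  = $env:COMPUTERNAME
        RdpEnabled    = $rdpEnabled
        NlaRequired   = $nlaOn
        SecurityLayer = $sec
        # Mitigated if RDP is off, or it is on but gated behind NLA.
        Mitigated     = ((-not $rdpEnabled) -or $nlaOn)
    }
}

function Enable-RdpNla {
    # Require NLA on the RDP-Tcp listener and force the TLS security layer.
    # Clients that do not support NLA (CredSSP) will no longer be able to connect,
    # so check your client estate before rolling this out.
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpKey -Name SecurityLayer      -Value 2 -Type DWord
}

function Disable-Rdp {
    # Turn Remote Desktop off entirely. Plan for a reboot so the Terminal
    # Services service is certain to pick up the new value.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
}

function Test-HotfixInstalled {
    # Returns $true if the named update is installed. The caller supplies the
    # KB id from the Microsoft advisory; nothing here hard-codes it.
    param([string]$KbId)
    $hf = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    return ($hf -ne $null)
}

# --- usage -----------------------------------------------------------------
$patchKb = 'KB<number from the Microsoft advisory>'   # placeholder, fill in
$state   = Get-RdpMitigationState
$state | Format-List ComputerName, RdpEnabled, NlaRequired, SecurityLayer, Mitigated

if (Test-HotfixInstalled -KbId $patchKb) {
    Write-Host "Patch $patchKb is installed; NLA is still recommended as defence in depth."
}
elseif (-not $state.Mitigated) {
    # Prefer NLA when staff still need RDP; otherwise disable the listener.
    Enable-RdpNla
    # Disable-Rdp
    Write-Host 'Host was unmitigated; NLA has now been required on RDP-Tcp.'
}
```

To audit many endpoints at once, run `Get-RdpMitigationState` through `Invoke-Command` against a list of hosts and collect the returned objects; hosts that report `Mitigated = False` and no installed patch are the ones to fix first. Requiring NLA does not replace the patch, since the bug is still present, but it takes the unauthenticated code path out of reach of anonymous clients, which is exactly why Hutchins lists it alongside disabling RDP.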

You can download the BlueKeep/CVE-2019-0708 patch here.