BlueKeep is a remote code execution vulnerability that exists in Remote Desktop Services that allows an unauthenticated attacker to establish a connection with the targeted system. By exploiting the vulnerability attacker can install programs; view, change or delete data; or create new accounts with full user rights.
RDP is a Remote Desktop Protocol, which allows a computer to connect with another computer over the network to access them remotely. Windows machine comes preinstalled with RDP client software.
BlueKeep Detection Tool
ESET released a free BlueKeep Detection Tool that lets you check if the system is vulnerable. The vulnerability was first reported in May 2019 and Microsoft fixed the vulnerability on 14 May 2019. But still, the vulnerability was not patched completely.
“This program has been tested against 32-bit and 64-bit versions of Windows XP, Windows Vista, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2 before and after applying Microsoft’s updates for BlueKeep. To use the program, run the executable. There are no command-line arguments for use with the initial release.”
Once we run the tool against the Windows system, the program will report if the system is vulnerable to exploitation.
“In the event the system is vulnerable, the tool will take the user to the web page to download the appropriate patch on Microsoft’s web site.”
“ESET has seen an increasing number of incidents where the attackers have connected remotely to a Windows Server from the internet using RDP and logged on as the computer’s administrator.”
Threat actors started increasingly using the Remote Desktop Protocol as an initial attack vector to launch a sophisticated attack and cause more damage.
One example of the attack is the Dharma ransomware which uses RDP as a gateway to get in with the victim machine. In underground forums cybercriminals tied up with each other, in an instance observed ransomware developers tied with network crackers.
RDP based attack or on the rise, manufacturing, finance, and retail were the top three most-attacked industries. By gaining RDP access attackers can exfiltrate data, delete backups, install coin-mining programs, ransomware and more.
Enterprises are recommended to implement protection measures against RDP attacks and not to connect with the Internet directly.
Download: BlueKeep Detection Tool
You can also read the complete Ransomware Attack Response and Mitigation Checklist.