Discover and read the best of Twitter Threads about #BlueKeep

Most recent (4)

New Unpatched Bug Could Allow Client-Side Attackers to Bypass #Windows Lock Screen On RDP Sessions

All the attacker needs to do is… interrupt the network connectivity of a targeted client system and Tadaaaa...! the lock screen will disappear
Starting with Windows 10 1803 and #Windows Server 2019, this flaw exists when login over #RDP requires the clients to authenticate with Network Level Authentication, an option that #Microsoft recently recommended as a workaround against the critical #BlueKeep RDP vulnerability.

"Two-factor authentication systems that integrate with the Windows login screen, such as Duo Security MFA, are also bypassed using this mechanism. Any login banners enforced by an organization will also be bypassed." @wdormann confirmed.
How to assure Network Level Authentication is on, without Group Policy.

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Value: UserAuthentication
Data: 1

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\
Value: UserAuthentication
Data: 1
Although NLA only mitigates #BlueKeep CVE-2019-0708 by requiring authentication first, it's a good bet most worms will get their foothold just spamming unauthenticated attempts to servers.
NOTE: Network Level Authentication is pretty much set it and forget it for basically everybody. However, there are a few very rare issues on the client-side I've encountered. Again, it's an issue on the client, the server is still accessible just fine. Here's how to fix them:
WARNING: Per our threat team, there is backdoored “Proof-of-Concept” exploit code floating around for #BlueKeep CVE-2019-0708.

Make sure your red teams are NOT running arbitrary code and trying to be a hero. Attackers know orgs are panicking trying to assess their network.
UPDATE: Fully vetted #BlueKeep vulnerability scanner is now in @metasploit.
Great work @JaGoTu & @zerosum0x0.

As always, probing production networks must be done with caution. Do not go around scanning factory control equipment with brand-new modules.

CVE-2019-0708 RDP vulnerability megathread, aka BlueKeep.

Going to nickname it BlueKeep as it’s about as secure as the Red Keep in Game of Thrones, and often leads to a blue screen of death when exploited.
If you want a quick and dirty mitigation for Windows 2008 and 7, turn on NLA.…
There are no public PoCs yet, and no sign of exploitation in wild.

Joke PoCs are already appearing on Github. Don’t run random PoCs you find online; they will often be malicious.