CVE-2019-0708 RDP vulnerability megathread, aka BlueKeep.

Going to nickname it BlueKeep as it’s about as secure as the Red Keep in Game of Thrones, and often leads to a blue screen of death when exploited.
If you want a quick and dirty mitigation for Windows 2008 and 7, turn on NLA. en.wikipedia.org/wiki/Network_L…
There are no public PoCs yet, and no sign of exploitation in wild.

Joke PoCs are already appearing on Github. Don’t run random PoCs you find online; they will often be malicious.
There’s still no public PoC and no uptick in scanning.
There’s still no public PoC, the ones floating around online are fake. Also the screenshot doing the rounds is fake.
There are multiple fake and malicious "PoCs" for CVE-2019-0708 now.
Zerodium have confirmed exploitability of bug. No technical details have been released.
There’s still no public exploit (which isn’t a hoax or malicious). There’s no sign of exploitation in wild.
There’s still no public exploit for #BlueKeep, signs of exploitation in the wild or scanning.
From almost 3m connection records for RDP, there is no reasonable sign of an increase this week. #BlueKeep
I've been keeping an eye on Github and Twitter, so far none of the exploits are real - so far the best ones are for a different issue from 2012, along with the GIF blue screen images (wrong vuln).
My favourite thing is somebody has registered the CVE-2019-0708 .com and is selling a fake exploit on it.
There is no sign of extra scanning for RDP, nor any public exploits.
Researchers at McAfee and Zerodium both have working exploits for this. Neither have released technical details. There are no publicly available exploits at this stage, nor evidence of exploitation in wild.
I could have a full time job debunking all the fake and malicious exploits on Github, and the scam exploit sales on Darknet forums (favourite one uses a video dropping an exe in local user temp folder, and people are still buying it despite the previous buyers saying fake 😂).
Kaspersky dude has blue screen of death 🍻
360 now offer free scans of your network for #Bluekeep vulnerable devices, without triggering BSOD.
The situation with #BlueKeep is slowly evolving. There is one real proof of concept on Github now which reaches the trigger of issue, however it does not cause denial of service or have ability to run code.
Kaspersky/@oct0xor got Blue Screen with #BlueKeep. The GIF is authentic. Three different researchers at different companies have reached this stage so far. Note this in itself does not allow code execution.
It is possible to detect if servers are vulnerable remotely without creds without causing denial of service or a log, so tools should emerge for that over coming days.
NCC Group have published a NIDS rule to detect #BlueKeep exploitation attempts on the wire - I imagine IDS providers want to look at this.
There are no public PoCs that provide code execution, and the barrier to entry to achieving that is still extremely high.

Code and knowledge to reach the trigger of the issue (but not exploitation) is out there now. So InfoSec vendors probably want to move to public detection.
If you have Cisco FirePOWER devices, they have coverage available to detect #BlueKeep now. Make sure you’re keeping signatures up to date.
McAfee has an exploit called BlueKeep.exe (not publicly released) which runs calc.exe on a remote host. CVE-2019-0708 continues to escalate. securingtomorrow.mcafee.com/other-blogs/mc…
Incredible work by @ValthekOn btw, he could sell that for a million dollars.
Unauthenticated #BlueKeep network scanner, shows vulnerable hosts. By @JaGoTu @zerosum0x0. Metasploit module due soon for same. github.com/zerosum0x0/CVE…
Load up EmergingThreats definitions into Snort and it detects #BlueKeep. Also upload your pcaps to VirusTotal (this was just a test).
For the record - there is still no public PoC with code execution, the skill bar is still extremely high to develop that, and there’s no evidence of malicious usage in the wild.
Metasploit module for checking for #BlueKeep vulnerability unauthenticated - works on XP/Win7 probably Server 2003, 2008 github.com/rapid7/metaspl…
Very low level volume of #BlueKeep vulnerability scanning detected. Nothing to panic about. Over weekend you will possibly see researchers etc scanning internet.
The team at Qihoo360 also have code execution with BlueKeep. So far I’m aware of 3 security companies who claim to have made it this far.
Rapid7 are seeing low levels of internet scanning for this.
There are enough exploit development people in private who have RCE now (or very close) to say this is very likely to become a public exploit in the near term.
There’s been a crowdsourced exploit development process with a sprinkle of reused nation state hacking ideas and basically the barrier to entry to exploit this is crumbling.

Keep calm and patch on - maybe a bit faster.
There’s no public remote code execution exploit for this. Levels of scanning for both the vulnerability and RDP have actually dropped down over last few days.
There is limited scanning for BlueKeep vulnerability. There is no public remote code execution PoC.
In terms of data, almost every RDP scan for BlueKeep uses TLS (end to end encryption) currently so if you’re not seeing it much in your IDS, that would be why.
Rob estimates around a million directly connected to internet systems with RDP open are still vulnerable to BlueKeep.
Spoiler: it will be way, way higher when you get to systems inside organisations.
A warning re CVE-2019-0708 aka BlueKeep.

There is a significantly higher number of internet accessible devices vulnerable than vulnerable to MS17-010 during WannaCry. I have scan results from back then using @zerosum0x0’s scanner (they also wrote the BlueKeep scanner).
I guess my message to security community is be very careful to continue to not expose any remote code execution code in public or even private because this has potential to be extremely messy, the numbers need to come way down.
There's a couple of public blue screen proof of concepts for this now. Haven't seen any used in wild yet. They do not allow code execution.
There is no sign the BSOD proof of concept is being used in the wild, nor is there a public remote code execution exploit. (There’s lots, and lots, and lots of fake ones on GitHub).
There’s still no public remote code execution exploit. Levels of scanning have died down over last few days.
To give Microsoft their credit here they have:

- Published very clear guidance and warnings about patching this, with stark warnings. Plus mitigations.

- Built patching into the OS and enabled it by default, and given enterprise class automated free tools in WSUS, Azure etc.
Overall RDP scanning levels remain the same, vulnerability scanning levels continue to drop, there's no sign of Blue Screen of Death attempts in wild. 99.99% of traffic on my honeypots continues to be vanilla RDP bruteforce.
3 weeks after patch release, there’s a work in progress Metasploit module for #BlueKeep (which isn’t released or otherwise available)
All hail @zerosum0x0 also keep calm and carry on patching.
The NSA are advising all organisations to patch the #BlueKeep vulnerability, along with mitigating actions
There is no public remote code execution exploit, and no evidence of exploitation in the wild. Keep patching.
June’s patch cycle begins today with Microsoft. There is currently no public remote code execution exploit for #BlueKeep and no evidence of exploitation in the wild.
Shout out to @ValthekOn @zerosum0x0 @MalwareTechBlog and @ryHanson for not releasing their exploits. They absolutely would be strapped on to ransomware almost immediately - I’ve already seen a few people try, not realising they’ve paid for fake exploits.
NCC have released a tool which allows scanning for BlueKeep where NLA is enabled (and you have creds) 💪🏾
If you use Rapid7, it now does unauthenticated scanning for #BlueKeep from today.
There are still around 1 million publicly accessible devices vulnerable to #BlueKeep, without NLA enabled, confirmed by @bitsight with rdpscan. The US remains one of the least patched regions. bitsight.com/blog/data-insi…
By the way, although InfoSec is generally a hype cycle (THE NEXT GEN THREAT!!1!), the #BlueKeep RDP vulnerability is still a very real threat (even without a public exploit) and risk of turning into an int'l incident - so orgs should concentrate on remediating straggling systems.
There's still no public remote code execution exploit for BlueKeep. Thanks to some sterling work by @TomSellers and @zerosum0x0 you can scan with Metasploit with randomised fake usernames and computer names now.
New: US Cybersecurity and Infrastructure Security Agency say they have tested #BlueKeep vulnerability against Windows 2000 and achieved code execution. us-cert.gov/ncas/alerts/AA…
These are the latest BlueKeep patch (May patch) numbers for systems enrolled in Windows Defender.
We've two weeks until July's patch cycle begins, so to give a BlueKeep update - there's still no public remote code execution exploit, and the security community have been ultra well behaved around the whole issue.
Sophos have made an incredible #BlueKeep exploit (not public) which changes the Windows accessibility shortcuts, so you can bypass RDP login screen and get a GUI session. vimeo.com/344915265
There is no public remote code execution exploit for #BlueKeep, and no evidence of exploitation in wild. @BitSight have updated vulnerable system numbers - around ~800k systems still exposed to internet and not patched, will take ~2+ years for remediation bitsight.com/blog/industry-…
At the 2019 Security Development Conference in China at the weekend somebody from Tencent did a presentation on how to exploit #BlueKeep. I think details are still too vague from this for people to know how to do it.
I've made an exploit tracking thread here: opensecurity.global/topic/23-bluek…
I've updated this thread with @0xeb_bp's #BlueKeep exploitation technical document, newly released today - it shows how to reach UAF. The bar for (unreliable) public exploitation POC is lowering significantly. opensecurity.global/forums/topic/2…
A US company are selling a RCE exploit for #BlueKeep, which I’m sure will end well.
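
Added example, not part of the original thread: a read-only PowerShell audit for the NLA mitigation mentioned near the top of the thread, for triaging Windows 7 / Server 2008 hosts that still await the patch. The function names are hypothetical; the registry paths and value names are the standard Terminal Services ones, and a value set by Group Policy is assumed to override the local one.

```powershell
# Added example: report whether the local RDP listener requires NLA. Read-only.
# Uses only PowerShell 2.0 syntax so it runs on stock Windows 7 / Server 2008 R2.
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue($Path, $Name) {
    # Return $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-EffectiveValue($Name, $LocalPath) {
    # Assumption: a value present under the policy key overrides the local setting.
    $gpo = Get-RegValue $policy $Name
    if ($null -ne $gpo) { $gpo } else { Get-RegValue $LocalPath $Name }
}

function Get-RdpNlaStatus {
    $deny = Get-EffectiveValue 'fDenyTSConnections' $ts      # 0 = RDP accepting connections
    $nla  = Get-EffectiveValue 'UserAuthentication' $rdpTcp  # 1 = NLA required
    $port = Get-RegValue $rdpTcp 'PortNumber'

    if ($deny -ne 0) {
        $finding = 'RDP disabled'
    } elseif ($nla -eq 1) {
        $finding = 'RDP enabled, NLA required'
    } else {
        $finding = 'RDP enabled WITHOUT NLA: reachable pre-authentication, patch first'
    }

    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        RdpEnabled  = ($deny -eq 0)
        NlaRequired = ($nla -eq 1)
        Port        = $port
        Finding     = $finding
    } | Select-Object Computer, RdpEnabled, NlaRequired, Port, Finding
}

Get-RdpNlaStatus | Format-List

# Remediation (run elevated; clients without NLA support can no longer connect):
# Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1
```

NLA only moves the vulnerable code path behind authentication, so hosts reported as "NLA required" still need the May patch.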