Debunking The BlueKeep Exploit Hype – What You Should Know

Andra Cazacu

November 07, 2019

Debunking The BlueKeep Exploit Hype – What You Should Know

WannaCry is still fresh in our memory, reminding organizations of how distractive an unpatched vulnerability can be especially if weaponized as a wormable threat that delivers ransomware. BlueKeep has been estimated to have the same disruptive potential as EternalBlue (the exploit responsible for WannaCry) if sporting worm-like behavior, especially since RDP is a commonly used service in organizations, allowing IT and security teams to remotely dial into machines.

Bitdefender closely followed the topic since Microsoft’s announcement and acknowledged the highly virulent potential of the vulnerability back in September, when we made the first recommendations in defending against potential outbreaks and confirmed hypervisor introspection can prevent it even from zero-day phase.

Here are more details about the vulnerability and what steps you should take to protect against undergoing BlueKeep attacks and potential future outbreaks.

The timeline

As the BlueKeep vulnerability (CVE-2019-0708) in Microsoft Remote Desktop Services was made public in May 2019, it was only a matter of time until a proof of concept exploit code was to be made available.

The vulnerability affects a large number of operating systems, from Windows 2000 all the way to Windows Server 2008 R2, allowing attackers to perform remote code execution on an unprotected system and potentially plant any type of malware.

While patches have been made available by Microsoft - including for Windows XP - some estimates place the number of potentially vulnerable devices in the hundreds of thousands. As the BlueKeep vulnerability has been weaponized, infecting vulnerable computers with cryptocurrency miners or even ransomware in some instances, it could also be used to deliver other, more insidious threats or as part of more sophisticated attacks. The perfect example is a ransomware attack in Spain on Nov 4th believed to be associated with BlueKeep that created media hysteria and saw disruptions across Spain’s largest radio station and one of the region’s large MSPs.

Vulnerabilities, worms, and money

Malware developers often invest time and energy in developing threats that can generate significant return on investment. Consequently, ransomware and cryptocurrency miners have been known to generate substantial revenue for threat actors, especially when used in conjunction with wormable vulnerabilities or even brute-forcing attacks on RDP credentials.

BlueKeep doesn’t stray from this pattern, as it has recently been found spreading a cryptojacking payload. While profitable, especially when amassing a large number of devices into the mining pool, it’s safe to assume that since BlueKeep affects systems that may be running on hardware that’s limited in terms of computing power, cybercriminals might not be making money as fast or as much as expected.

Coupling BlueKeep with a ransomware payload is far more appealing from a financial perspective. The security industry feared this scenario and it was only a matter of time until reports of Bluekeep dropping a ransomware payload became a reality.

While the number of vulnerable targets vulnerable to BlueKeep may be limited when compared at the global number of endpoints, ransomware is sufficiently disruptive and difficult to recover from, especially if packing a wormable component. Ransomware also has an added benefit: the ransom note can be customized based on the victim’s profile.

Both cryptojackers are ransomware are different edges to the same sword, in the sense that that they’re both focused on profit, except they have a different way of going about it.

RDP is good, but a vulnerability in RDP is king

Cybercriminals have been increasingly abusing the RDP protocol in their attacks against organizations, as it allows for untethered access within an organization, without triggering any bells and whistles from endpoint security solutions. Since RDP is a legitimate service that’s used by employees, usually IT and security teams, to remotely connect to internal systems, if the service is not properly configured or secured it can be vulnerable to brute-force attacks or even susceptible to exploits caused by unpatched vulnerabilities.

In terms of network attacks aimed at organizations, brute-force attacks on RDP credentials rank first, according to Bitdefender telemetry, accounting for more than 65 percent of all network-based attacks. By a wide gap, it’s followed by password stealers, the exploitation of vulnerabilities in the SMB protocol, and even ShellShock remain some of the most commonly used attack techniques.

One of the main advantages for successfully compromising RDP is that threat actors can have complete control over the target machine, enabling them to install or remove applications, or even manually disable in-guest security mechanisms. If brute forcing attacks on RDP can be spotted by perimeter technologies or by various security policies, exploiting a vulnerability in RDP is truly a gold mine – especially if it doesn’t require any user interaction – as all it takes is for a machine to expose the vulnerable service online.

Defending against BlueKeep

How to protect against BlueKeep based attacks in 3 steps: Patch, Mitigate RDP, Strong network attack defence.

Step 1 - Patch, patch, patch

In terms of what organizations vulnerable to this new RDP vulnerability need to do in order to stay safe from any type of payload delivered by BlueKeep, applying patches should be on top of their priority list. Patch management solutions can help with prioritizing patches based on how critical they are, while at the same type prepare IT and security teams for implementing other potential mitigation techniques.

Step 2 – Mitigate RDP

While some systems might understandably not be patchable, configuring Remote Desktop Service with Network Level Authentication or not exposing RDP to the outside world (unless the system is patched) are also mitigation options that should be considered. By using Network Level Authentication, organizations can mitigate Remote Desktop vulnerabilities than can only be exploited prior to authentication.

Step 3 – Maintain strong network attack defenses

Network attack defense technologies that can scan the data in streaming-mode, blocking threats at the first sign of malformed data packet, are also capable of blocking the exploitation of RDP vulnerabilities at the network level, before any malicious payload ever reaches the targeted machine. Blocking network-based threats using these technologies can also protect organizations from having internet-facing services exploited, by detecting and blocking threats early in the attack chain. These technologies are based on both signature and behavior-based analysis powered by machine learning algorithms trained to spot similar network data streams usually associated with attacks.

Step up zero-day defenses with emerging technologies

For organizations with highly virtualized infrastructures that run vulnerable machines, it’s also recommended they deploy hypervisor introspection technologies, capable detecting and protecting against BlueKeep, but also against known or unknown vulnerabilities.

Ultimately, in light of the ever-increasing number and sophistication of attacks, as well as the increasing attack surface present in their infrastructure, organizations that need to increase their security posture should adopt a layered security approach, capable of preventing, detecting, and blocking threats during various stage of attack. Having the right security and visibility tools, can help organizations across all verticals minimize the risk of a potential data breach while expediting the recovery process and ensuring business continuity.

Bitdefender was able to proactively halt BlueKeep even during its zero-day phase, using our hypervisor introspection technology. We publicly announced this in September, after anticipating the potential high risk posed by the vulnerability. Today, GravityZone™, Bitdefender’s end-to-end breach avoidance platform effectively helps organizations defend themselves against BlueKeep-enabled attacks, such as ransomware or cryptojacking.

Our unified hardening, prevention and detection security platform breaks the attack chain at multiple stages. The recent Network Attack Defense technology detects and helps block the exploit for GravityZone customers, while our patch management solution helps ensure our customer apply the latest Microsoft patches to protect against BlueKeep. Bitdefender’s multiple pre-execution and on-execution layers (e.g. machine-learning anti-malware, Process Inspector, HyperDetect) will also halt ransomware, cryptojacking or other threats delivered through BlueKeep, well before they can execute or affect business operations.


Want to learn more and get a custom quote? Please reach out to us.


Contact an expert



Andra Cazacu

Andra Cazacu, PMC Level III Certified, AltMBA Alumni, is leading the enterprise integrated solutions team at Bitdefender. As a senior security expert with a mix background of technology and product marketing, her focus for the past 10 years has been to explore how companies anticipate and prevent breaches, through the adoption emerging technologies, key partnerships between security and virtualization providers, as well as public and private sector collaborations. She is happiest when uncovering new and existing use cases for machine learning and other technologies designed to hold cyber criminals at bay so she can contribute to making the corporate world a safer place.

View all posts

You might also like