It’s time to disconnect RDP from the internet trusted cvv shop 2018, centralshop cvv shop
Brute-force attacks and BlueKeep exploits usurp convenience of direct RDP connections; ESET releases a tool to test your Windows machines for vulnerable versions
While the BlueKeep ( CVE-2019-0708 ) vulnerability has not, to date, caused widespread havoc, and we will be looking at the reasons why in this post, it is still very early in its exploitation life cycle. The fact remains that many systems are still not patched, and a thoroughly wormable version of the exploit might still be found. Because of these factors, ESET has created a free utility to check if a system is vulnerable.
ESET BlueKeep (CVE-2019-0708) Detection Tool
Download tool
Sometimes, you have to say something about things that “go without saying” and it seems the best way to start this post is by mentioning just that, because this is not a subject I expected to have to write about in this day and age. Before we dive in, let’s begin by looking at an old maxim.
There is an old saying in the information security field that if an adversary has physical access to your computer then it is not your computer anymore. The reason for this is quite simple: once the attackers have their hands on a computer, they can change anything they want. Installing devices such as hardware keyloggers, removing disk drives and copying them, and otherwise deleting, altering or adding anything they want on the system all become exponentially easier when you can walk right up to the computer. This is not a particularly surprising turn of events, nor a particularly clever one. Rather, it is an unavoidable truth. For the adversaries, it’s just part of their job description.
Businesses and schools and all sorts of organizations are not blind to this, though. These kinds of places do not put their servers at the front desk in the lobby, reception area, visitor center, waiting room or other locations where the public or, conceivably, any employee, faculty, student, or staff may enter and gain physical access to them. Or, at least, no business that wants to remain in business allows this. Usually, there’s some separation of the servers, whether they be in their own dedicated room, or even tucked away in some back corner that is off-limits to most personnel.
Yet for all this common knowledge, the lessons learned about security in the physical world do not always transfer well (or correctly) into the internet world. There are many servers running various versions of Microsoft Windows server operating systems that are directly connected to the internet with what amounts to little or no practical security around who can access them. And that brings us to the discussion of RDP.
RDP, short for Remote Desktop Protocol, allows one computer to connect to another computer over a network in order to use it remotely. In a domain, computers running a Windows Client operating system, such as Windows XP or Windows 10, come with RDP client software preinstalled as part of the operating system, which allows them to connect to other computers on the network, including the organization’s server(s). A connection to a server in this case means it could be directly to the server’s operating system, or it could be to an operating system running inside a virtual machine on that server. From that connection, a person can open directories, download and upload files, and run programs, just as if using the keyboard and monitor connected to that server.
RDP was invented by Citrix in 1995 and sold as part of an enhanced version of Windows NT 3.51 called WinFrame. In 1998, Microsoft added RDP to Windows NT 4.0 Terminal Server Edition . Since then, the protocol has been a part of all versions of Microsoft’s line of Windows Server operating systems, as well as being included with all non-home user editions of Windows Client operating systems since Windows XP was released in 2001. Today, common users of RDP include system administrators doing remote administration of servers from their cubicles without having to go into the server room, as well as remote workers who can connect to virtualized desktop machines inside their organization’s domain.
For the past couple of years, ESET has seen an increasing number of incidents where the attackers have connected remotely to a Windows Server from the internet using RDP and logged on as the computer’s administrator. Once the attackers are logged into the server as administrator, they will typically perform some reconnaissance to determine what the server is used for, by whom, and when it is being used.
Once the attackers know the kind of server they have control of, they can begin performing malicious actions. Common malicious activities we have seen include:
This is not a complete list of all the things an attacker can do, nor is an attacker necessarily going to perform all of these activities. Attackers may connect multiple times over days or just once, if they have a predetermined agenda. While the exact nature of what attackers will do varies greatly, two of the most common are:
In some cases, attackers might install additional remote-control software to maintain access (persistence) to compromised servers in case their RDP activities are discovered and terminated.
We have not seen any servers that were compromised both to extort via ransomware and to mine cryptocurrency, but we have seen instances where a server was compromised by one attacker to mine cryptocurrency, then later compromised by other attackers who changed the coin miner so that the proceeds went to them, instead. It seems there is little honor among thieves.
Knowledge around RDP attacks has reached a point that even sextortion scammers are incorporating mention of it in their ransom notes in an attempt to make their scams sound more legitimate.
For more information about these types of email scams, I recommend this series of articles by my colleague Bruce P. Burrell : Part I , Part II , and Part III .
Attacks performed with RDP have been slowly, but steadily, increasing, and subject to a number of governmental advisories from the FBI , the UK’s NCSC , Canada’s CCCS , and Australia’s ACSC , to name a few.
However, in May 2019 the floodgates opened with the arrival of CVE-2019-0708 , aka “BlueKeep,” a security vulnerability in RDP affecting Windows 2000, Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2. On the desktop, Windows 8 and later, and on servers, Windows Server 2012 and later, are unaffected.
The BlueKeep vulnerability allows attackers to run arbitrary program code on their victims’ computers. While even individual attackers can be a widespread threat because they can use automated tools for attacks, this vulnerability is “wormable,” which means an attack could spread itself automatically across networks without any intervention by users, just as the Win32/Diskcoder.C (aka NotPetya ) and Conficker worms have in the past.
Exploitation of wormable vulnerabilities is generally considered a severe issue. Microsoft has assigned the vulnerability its highest severity level, Critical, in its published guidance for customers , and in the US government’s National Vulnerability Database, the entry for CVE-2019-0708 is scored as 9.8 out of 10. Microsoft issued a blog post strongly recommending that users install its patches, including those for out-of-support operating systems such as Windows XP and Windows Server 2003. Concerns about a wormable exploit were so high that, at the beginning of June, the US National Security Agency issued a rare advisory recommending installation of Microsoft’s patches for the flaw.
At the beginning of September, Rapid7, the developer of the Metasploit pentesting tool, announced the release of a BlueKeep exploit. While no major escalations in BlueKeep activity were reported for the next couple of months, this has recently changed. At the beginning of November, mass reports of BlueKeep exploitation became public, as noted by ZDNet and WIRED , amongst other news outlets. The attacks have reportedly been less than successful, with about 91% of vulnerable computers crashing with a stop error (aka bug check or Blue Screen of Death) when the attacker attempts to exploit the BlueKeep vulnerability. However, on the remaining 9% of vulnerable computers, these attackers successfully installed Monero cryptomining software. So, while not the feared wormable attack, it does appear a criminal group has automated exploitation, albeit without a high success rate.
When I originally started writing this blog post, it was not my intention to go into a detailed description of the vulnerability, nor was it to provide a timeline of its exploitation: my goal was to provide readers with an understanding of what must be done to protect themselves against this threat. So, let’s take a look at what needs to be done.
So, with all that in mind, what can you do? Well, the first thing, obviously, is to stop connecting directly to your servers over the internet using RDP. This may be problematic for some businesses, because there may be some seemingly legitimate reasons for this. However, with support for both Windows Server 2008 and Windows 7 ending in January 2020, having computers running these and being directly accessible using RDP via the internet represents a risk to your business that you should already be planning to mitigate.
This does not mean that you immediately need to stop using RDP, but that you need to take additional steps to secure it as soon and as quickly as possible. Toward this end, we have created a table with the top ten steps you can take to begin securing your computers from RDP-based attacks.
This table is loosely based on order of importance and ease of implementation, but that can vary depending upon your organization. Some of these may not be applicable to your organization, or it may be more practical to do them in a different order, or there may be additional steps your organization needs to take.
You should verify that your endpoint security software detects the BlueKeep vulnerability. BlueKeep is detected as RDP/Exploit.CVE-2019-0708 by ESET’s Network Attack Protection module, which is an extension of ESET’s firewall technology present in ESET Internet Security and ESET Smart Security Premium for consumers, and ESET’s endpoint protection programs for businesses.
It should be noted, though, that there are scenarios where detection may not occur, such as the exploit first crashing the system because it is unreliable. In order for it to be more effective, it would need to be paired with another exploit, such as an information disclosure vulnerability that reveals kernel memory addresses so that they no longer need to be guessed. This could reduce the amount of crashes, as the current exploit performs such a large heap spray.
If you are using security software from another vendor, check with them to see if BlueKeep is detected and how.
Keep in mind, these steps represent only the beginning of what you can do to protect against RDP attacks. While having detection for attacks is a good start, it is not a substitute for patching or replacing vulnerable computers. Your information security staff and trusted security partners can provide you with additional guidance specific to your environment.
ESET has released a free BlueKeep (CVE-2019-0708) tool to check if a computer running Windows is vulnerable to exploitation. As of the time of publication, the tool can be downloaded from:
(Be sure to check ESET’s Tools and Utilities page for newer versions)
This program has been tested against 32-bit and 64-bit versions of Windows XP, Windows Vista, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2 before and after applying Microsoft’s updates for BlueKeep. To use the program, run the executable. There are no command-line arguments for use with the initial release.
When run, the program will report if the system is vulnerable to exploitation, if the system is patched against exploitation, or if the system is not vulnerable to BlueKeep exploitation. In the event the system is vulnerable, the tool will take the user to the web page to download the appropriate patch on Microsoft’s web site.
While this is a single-purpose tool intended for personal use and is not intended to be deployed for mass use in an automated environment, it does have limited error reporting. For scripting, the tool returns an ERRORLEVEL of zero if the system is protected, and one if it is vulnerable or an error has occurred.
While BlueKeep exploitation may never become widespread, its inclusion in pentesting tools means that it will become a permanent part of in-house security tests. So, the real solution to preventing BlueKeep exploitation is to remove vulnerable devices from your company’s network.
However, it may not always be possible to do so because a vulnerable device occupies a critical role in the business, because of cost, or for other reasons. We have long advocated taking a layered approach to security, and protecting against BlueKeep is no exception. In fact, some of the steps outlined above, for example, installing a 2FA application such as ESET Secure Authentication , may help secure your networks from intruders and other threats as well.
Further information about RDP and BlueKeep can be found at:
Special thanks to my colleagues Alexis Dorais-Joncas, Bruce P. Burrell, Michal F., Nick FitzGerald, Branislav O., Matúš P., Peter R., Peter Stančík, Štefan S., and other colleagues from ESET for their assistance with this article.
Are you still using computers vulnerable to BlueKeep? Did ESET’s BlueKeep (CVE-2019-0708) vulnerability checker help? If so, what steps have you taken to mitigate exploitation? Be sure to let us know, below!
There was never a time when exposing RDP to the internet was a good idea.
Even back when NT4 was still a big deal best practice put RDP behind a VPN.
Well that is BS..NT4 did not have RDP
*Hitches up onion belt*Windows NT 4.0 Terminal Server Edition absolutely had what would go on to be called RDP later. It was released in 1998.
My firewall blocks any inbound traffic from unconfigured ports. Hitting any unconfigured port automatically gets them on a blocked sites list for several hours. Port scans would take hundreds of years as there are very few open inbound ports. So yes, this is locked down. Also, you must hit the correct IP address. Not all of my addresses have RDP. Hitting the wrong IP address also gets the offender on a blocked sites list for several hours. Think about it. The offender must hit the correct inbound RDP port the first time and hit the correct IP address the first time, it they guess wrong they can’t try again for several hours. This puts the odds of finding out which port I am using pretty slim. At least difficult enough to look for a softer target. Maybe your address
Hello,
Any adversary beyond the level of a novice (e.g., the kind you have to worry about causing loss to your business) is going to use a distributed port scan from thousands or tens of thousands of computers which themselves have been compromised in order to avoid the ban hammer (anti-port scanning techniques, fail2ban, whatever). Activities such as these are highly automated, and rarely take more than 2-3 days to complete.
It really is just not a good idea to have RDP exposed to the internet, or any other remote control technology for that matter.
Keep in mind that anyone approaching such an attack from a professional perspective is going to be keeping abreast of the same technologies that defenders create and people use, they have budgets, and also have managers that expect results. Your adversary may not be that different from you in that respect.
While setting up a VPN for the first time is tedious, it’s best to remember that doing so provides an additional security control. Secure your network problem, and let them go after the next target, which may be softer and more attractive to them.
Regards,
Aryeh Goretsky
It is not written in stone that you must use port 3389 for RDP. It only took a custom rule on our firewall, an edit to the Windows firewall, and a colon and new port number after the RDP server address on the RDP client. I chose a port that isn’t used, there are hundreds of them. Our firewall blocks any connections to port 3389 and puts the offender on a blocked sites list. Our road warriors can still use RDP, only on a new port. Problem solved. I can’t believe nobody else is doing this.
The hubris of system admins never ceases to amaze me. The method you outline has been around forever. Its “security through obscurity” method and is not safe in the least. There are 65,535 ports, so yes, there’s thousands unused. But a port scanner will go through them quickly and “try” Popular application connections on them. It will take them some time, but they’ll find it eventually.
If you must open rdp then do it once they are on vpn. If you have “road warrior” employees then you should have an “always on” VPN, which you can do for free with Windows server
No one is doing that because it’s beyond foolish.
You don’t use the same machine for the scan as you do the attack.
Go setup a proper two factor VPN.
Agree, I also use the common 3389 port as a “honeypot” and put all IP addresses that tries to connect to it in a firewall’s black list, those who really want to connect will use a different port.
yes…time is time…:security….
trusted cvv shop 2018 centralshop cvv shop