URL: https://www.f-secure.com/en/consulting/our-thinking/advisory-cve-2019-0708-bluekeep
ARTICLE


ADVISORY: OBSERVED MALICIOUS ACTIVITY USING CVE-2019-0708 (BLUEKEEP)

November 5 2019
10 mins read


F-Secure is aware of reports, both public and private, relating to a new malware
strain which is a weaponized implementation of the CVE-2019-0708 vulnerability,
commonly known as BlueKeep. The existence of malware exploiting the BlueKeep
vulnerability raises the risk of exploitation across all organizations,
irrespective of their normal threat profile.

The malware, implemented as a ‘worm’, would result in malicious access to and
exploitation of systems. Exploitation of the vulnerability has thus far proven
unstable, and a failed attempt can itself cause a denial of service on the
targeted system through a fatal system error resulting in a "blue screen of
death" (BSOD). Based on reported activity, some compromised systems show
artefacts similar to those found when the Metasploit exploit framework module
is used.[1] Additionally, crypto-miners and ransomware have also been
reported as secondary infections.[2]

If unmanaged, the abuse of the exploit could have consequences not dissimilar to
the WannaCry malware attack in 2017, which cost the NHS alone £92m. The
comparison is not without merit; the last time Microsoft issued a security
update for out-of-support operating systems was during the period WannaCry
infections were at their peak.

BlueKeep exploits utilize Remote Desktop Services (RDS), and can affect
Microsoft Windows Vista, Windows 7, Windows XP, Server 2003, and Server 2008
operating systems. Microsoft released a patch in May, but it is not known how
many users are still vulnerable (unpatched) or may have been compromised. This
is of particular concern for systems where Windows Embedded is deployed, as many
of these more esoteric systems are less frequently updated and therefore more at
risk.  

This advisory is designed to help readers make an informed decision about the
next steps to take.


TECHNICAL DETAILS

At the time of writing, exploits have only been released publicly for the 64-bit
versions of Windows 7 and Windows Server 2008 R2. However, reliable exploits for
other vulnerable versions of Windows, such as Windows XP, Server 2003, Vista,
and Server 2008 could be in use by malicious threat actors.

The exploit runs unauthenticated against vulnerable systems, and can be made
'wormable' because Remote Desktop Services allows data channels to be
established before authentication. In practice, this enables it to infect other
vulnerable systems automatically.

One workaround is to enable Network Level Authentication (NLA). This limits the
exploit’s reach to systems for which an attacker already holds valid
credentials.[3] Where an attacker does have valid credentials, patching the
vulnerable systems and/or blocking access to the RDP port (TCP 3389) are the
only other mitigations available to protect against the attacks.


RECOMMENDED NEXT STEPS


1) HOW TO ASSESS WHETHER YOUR SYSTEMS ARE VULNERABLE:

 * Confirm if the Microsoft hotfix for CVE-2019-0708 has been installed on
   systems. The relevant Knowledge Base article numbers can be found on
   Microsoft's security vulnerability pages for affected systems.[4][5]
 * Up-to-date reports of both external and internal vulnerability scans would
   give the broadest overview of vulnerable systems, and can highlight systems
   to which priority should be given.
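The check described above, as an added example that is not part of the original advisory: a PowerShell script that assesses one Windows host for the three things the advisory cares about, the installed hotfix, whether RDP is accepting connections, and whether NLA is enforced (the workaround from the Technical Details section). It assumes the `$RequiredKBs` placeholder is filled in from the Microsoft pages cited as [4] and [5], uses the standard Terminal Server registry values, and sticks to `Get-WmiObject` and `Get-HotFix` so that it also runs on the PowerShell 2.0 that ships with Windows 7 and Server 2008 R2.

```powershell
# Added example, not code from the F-Secure advisory: a local exposure check for
# one Windows host. Assumptions, labelled: $RequiredKBs is a placeholder to be
# filled from the Microsoft pages cited as [4] and [5]; the registry values are
# the standard Terminal Server settings; Get-WmiObject / Get-HotFix are used so
# the script runs on the PowerShell 2.0 that ships with Windows 7 / 2008 R2.

# PLACEHOLDER: replace with the KB number(s) for this OS taken from [4][5].
$RequiredKBs = @('KB<fill-from-MSRC-advisory>')

# Kernel versions of the affected families: XP/2003 (5.1, 5.2), Vista/2008 (6.0),
# 7/2008 R2 (6.1). Windows 8 and later are not affected.
$AffectedVersions = @('5.1', '5.2', '6.0', '6.1')

$os         = Get-WmiObject -Class Win32_OperatingSystem
$parts      = $os.Version.Split('.')
$majorMinor = $parts[0] + '.' + $parts[1]

$result = New-Object PSObject -Property @{
    Computer        = $env:COMPUTERNAME
    OS              = $os.Caption
    AffectedFamily  = ($AffectedVersions -contains $majorMinor)
    HotfixInstalled = $false
    RdpEnabled      = $false
    NlaRequired     = $false
    Assessment      = ''
}

# Installed updates (Win32_QuickFixEngineering). A missing entry is not proof that
# the fix is absent, e.g. when a later cumulative rollup superseded the May 2019
# update, so treat "not found" as "confirm with a vulnerability scan".
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
foreach ($kb in $RequiredKBs) {
    if ($installed -contains $kb) { $result.HotfixInstalled = $true }
}

# Is RDP accepting connections? fDenyTSConnections = 0 means yes; a missing
# value is treated as denied.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -ErrorAction SilentlyContinue
if ($ts -ne $null) { $result.RdpEnabled = ($ts.fDenyTSConnections -eq 0) }

# Is NLA enforced? UserAuthentication = 1 requires authentication before the
# session is set up, which is the workaround the advisory describes. It does not
# help against an attacker who already holds valid credentials.
$rdpTcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                           -ErrorAction SilentlyContinue
if ($rdpTcp -ne $null) { $result.NlaRequired = ($rdpTcp.UserAuthentication -eq 1) }

if (-not $result.AffectedFamily) {
    $result.Assessment = 'Not an affected OS family'
} elseif ($result.HotfixInstalled) {
    $result.Assessment = 'Affected family, hotfix present'
} elseif (-not $result.RdpEnabled) {
    $result.Assessment = 'Hotfix not found, but RDP is disabled; patch anyway'
} elseif ($result.NlaRequired) {
    $result.Assessment = 'Hotfix not found, RDP on, NLA enforced; patch urgently'
} else {
    $result.Assessment = 'EXPOSED: hotfix not found, RDP on, no NLA; patch or block TCP 3389 now'
}

$result | Format-List Computer, OS, AffectedFamily, HotfixInstalled, RdpEnabled, NlaRequired, Assessment
```

Run it on each host (through remoting, a management agent, or a logon script, whichever your estate supports) and collect the `Assessment` field centrally. The hotfix check is deliberately conservative: it reports "not found" rather than "vulnerable", because the only authoritative answer for a host is the external and internal scan result the advisory recommends in the second bullet.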


2) HOW TO DETERMINE IF YOU HAVE BEEN COMPROMISED:

This is more difficult to answer, in that signs of compromise can vary depending
on the goal of the attacker. An up-to-date anti-virus solution will catch any
known malicious payloads deployed onto the target systems, such as crypto-miners
and ransomware strains. However, any binaries with unknown signatures will
likely stay under the radar and avoid detection for an indeterminate amount of
time.

Endpoint Detection and Response (EDR) solutions may be able to detect child
process creation related to the execution of the exploit's payload, as can be
seen in Kevin Beaumont's article[1] detailing his findings. The telemetry used
to determine the cause of the system instability was related to a remote thread
injection into Windows' 'spoolsv.exe' process, which is the default process used
in the Metasploit implementation. EDR solutions should also be able to detect
malicious code injected into processes, increasing the probability of detecting
a compromise.

In addition to the above, unexpected PowerShell executions and log entries
relating to persistence mechanisms, such as scheduled task creation or new
services being created, may be indicators of compromise.
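A host-side hunt for the signals named in the two paragraphs above (thread injection into `spoolsv.exe`, unexpected child processes, unexpected PowerShell, scheduled task and service creation), as an added example that is not part of the original advisory. It assumes Sysmon is installed and writing to `Microsoft-Windows-Sysmon/Operational`, that auditing for Security event 4698 is enabled, and that the `$Hours` window and the list of parents from which PowerShell is considered normal are local tuning choices rather than values from the advisory.

```powershell
# Added example, not code from the advisory: a host-side hunt for the signals the
# advisory names, over the local event logs. Assumptions, labelled: Sysmon is
# installed and writes to 'Microsoft-Windows-Sysmon/Operational'; Security 4698
# auditing is enabled; $Hours and the "expected parent" list for PowerShell are
# local tuning choices, not values from the advisory.
$Hours     = 24
$since     = (Get-Date).AddHours(-$Hours)
$sysmonLog = 'Microsoft-Windows-Sysmon/Operational'
$hits      = @()

# Read one <Data Name="..."> field out of an event record's XML.
function Get-EventField {
    param($Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name -eq $Name) { return $d.'#text' }
    }
    return $null
}

# One row of the hunt result.
function New-Hit {
    param($Record, [string]$Reason, [string]$Detail)
    New-Object PSObject -Property @{
        Time = $Record.TimeCreated; Id = $Record.Id; Reason = $Reason; Detail = $Detail
    }
}

# True when a full image path ends with the given file name (case-insensitive).
function Test-Image {
    param([string]$Path, [string]$FileName)
    return $Path.ToLower().EndsWith('\' + $FileName.ToLower())
}

# 1. Sysmon Event 8 (CreateRemoteThread): a thread created in spoolsv.exe by
#    another process. The advisory notes remote thread injection into spoolsv.exe
#    as the Metasploit module's default behaviour.
$query = @{ LogName = $sysmonLog; Id = 8; StartTime = $since }
foreach ($e in (Get-WinEvent -FilterHashtable $query -ErrorAction SilentlyContinue)) {
    if (Test-Image (Get-EventField $e 'TargetImage') 'spoolsv.exe') {
        $hits += New-Hit $e 'Remote thread created in spoolsv.exe' (Get-EventField $e 'SourceImage')
    }
}

# 2. Sysmon Event 1 (process creation): children of spoolsv.exe, which normally
#    spawns nothing, and PowerShell launched from a parent outside the expected set.
$expectedPsParents = @('explorer.exe', 'cmd.exe')   # local tuning choice
$query = @{ LogName = $sysmonLog; Id = 1; StartTime = $since }
foreach ($e in (Get-WinEvent -FilterHashtable $query -ErrorAction SilentlyContinue)) {
    $image   = Get-EventField $e 'Image'
    $parent  = Get-EventField $e 'ParentImage'
    $cmdline = Get-EventField $e 'CommandLine'
    if (Test-Image $parent 'spoolsv.exe') {
        $hits += New-Hit $e 'Child process of spoolsv.exe' $cmdline
    }
    if (Test-Image $image 'powershell.exe') {
        $parentName = ('' + $parent).Split('\')[-1].ToLower()
        if ($expectedPsParents -notcontains $parentName) {
            $hits += New-Hit $e "PowerShell started by '$parentName'" $cmdline
        }
    }
}

# 3. Persistence: Security 4698 (scheduled task created) and System 7045 (service
#    installed). Both are noisy on patch or deployment days, so review in context.
$query = @{ LogName = 'Security'; Id = 4698; StartTime = $since }
foreach ($e in (Get-WinEvent -FilterHashtable $query -ErrorAction SilentlyContinue)) {
    $hits += New-Hit $e 'Scheduled task created' (Get-EventField $e 'TaskName')
}
$query = @{ LogName = 'System'; Id = 7045; StartTime = $since }
foreach ($e in (Get-WinEvent -FilterHashtable $query -ErrorAction SilentlyContinue)) {
    $hits += New-Hit $e 'New service installed' (Get-EventField $e 'ImagePath')
}

$hits | Sort-Object Time | Format-Table Time, Id, Reason, Detail -AutoSize
```

The first two checks are the ones tied to the exploit's observed behaviour; the third is generic persistence hunting, which is why its rows need an analyst's context (a legitimate software deployment also creates services and tasks). As the next paragraph of the advisory points out, an actor who wants to stay quiet will avoid exactly these noisy steps, so an empty result is not evidence that a host is clean.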

It is important to note that the indicators of compromise will change based on
the goal of the attacker. Most known attacks executed up to this point appear to
have been used for the deployment of crypto-miners or ransomware. However,
threat actors whose goals include accessing the internal workings of networks
will avoid utilizing methods likely to generate common alerts. As a result,
systems compromised by these groups will remain undetected unless signs of
compromise are actively being sought.

If you think you may have been compromised, email us
at cir@f-secure.com, using this PGP Public Key.



FURTHER READING

[1] https://doublepulsar.com/bluekeep-exploitation-activity-seen-in-the-wild-bd6ee6e599a6

[2] https://www.kryptoslogic.com/blog/2019/11/bluekeep-cve-2019-0708-exploitation-spotted-in-the-wild/

[3] https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/

[4] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

[5] https://support.microsoft.com/en-za/help/4500705/customer-guidance-for-cve-2019-0708

