www.f-secure.com
2a02:26f0:6c00:18c::1361
Public Scan
URL:
https://www.f-secure.com/en/consulting/our-thinking/advisory-cve-2019-0708-bluekeep
Submission: On November 12 via manual from GG
Text Content
ARTICLE
ADVISORY: OBSERVED MALICIOUS ACTIVITY USING CVE-2019-0708 (BLUEKEEP)
November 5 2019, 10 mins read

F-Secure is aware of reports, both public and private, relating to a new malware strain that is a weaponized implementation of the CVE-2019-0708 vulnerability, commonly known as BlueKeep. The existence of malware exploiting the BlueKeep vulnerability raises the risk of exploitation across all organizations, irrespective of their normal threat profile.

The malware, implemented as a 'worm', would result in malicious access to and exploitation of systems. Because exploitation of the vulnerability has thus far proven unstable, attempts may instead cause a denial of service on such systems through a fatal system error resulting in a "blue screen of death" (BSOD). Based on reported activity, some compromised systems show artefacts similar to those found when the Metasploit exploit framework module is used.[1] Additionally, crypto-miners and ransomware have also been reported as secondary infections.[2] If unmanaged, abuse of the exploit could have consequences not dissimilar to the WannaCry malware attack in 2017, which cost the NHS alone £92m.

The comparison is not without merit: the last time Microsoft issued a security update for out-of-support operating systems was during the period when WannaCry infections were at their peak. BlueKeep exploits target Remote Desktop Services (RDS) and can affect Microsoft Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008. Microsoft released a patch in May, but it is not known how many systems remain vulnerable (unpatched) or may already have been compromised. This is of particular concern where Windows Embedded is deployed, as many of these more esoteric systems are updated less frequently and are therefore more at risk. This advisory is designed to help readers make an informed decision about the next steps to take.

TECHNICAL DETAILS

At the time of writing, exploits have only been released publicly for the 64-bit versions of Windows 7 and Windows Server 2008 R2. However, reliable exploits for other vulnerable versions of Windows, such as Windows XP, Server 2003, Vista and Server 2008, could be in use by malicious threat actors. The exploit executes unauthenticated against systems and can be made 'wormable' because Remote Desktop Services allows data channels to be established before authentication; in practice, this lets it infect other vulnerable systems automatically. One workaround is to implement Network Level Authentication (NLA), which limits the exploit's reach to systems for which an attacker already holds valid credentials.[3] Where an attacker does have valid credentials, patching the vulnerable systems and/or blocking access to the RDP port (TCP 3389) are the only other mitigations available to protect against the attacks.

RECOMMENDED NEXT STEPS

1) HOW TO ASSESS WHETHER YOUR SYSTEMS ARE VULNERABLE:

* Confirm whether the Microsoft hotfix for CVE-2019-0708 has been installed on systems. The relevant Knowledge Base article numbers can be found on Microsoft's security vulnerability pages for affected systems.[4][5]
* Up-to-date reports from both external and internal vulnerability scans give the broadest overview of vulnerable systems and can highlight those that should be given priority.

2) HOW TO DETERMINE IF YOU HAVE BEEN COMPROMISED:

This is more difficult to answer, as signs of compromise vary depending on the goal of the attacker. An up-to-date anti-virus solution will catch known malicious payloads deployed onto target systems, such as crypto-miners and ransomware strains. However, binaries with unknown signatures will likely stay under the radar and avoid detection for an indeterminate amount of time.

Endpoint Detection and Response (EDR) solutions may be able to detect child process creation related to the execution of the exploit's payload, as shown in Kevin Beaumont's article[1] detailing his findings. The telemetry used to determine the cause of the system instability related to a remote thread injection into Windows' 'spoolsv.exe' process, which is the default target process in the Metasploit implementation. EDR solutions should also be able to detect malicious code injected into processes, increasing the probability of detecting a compromise. In addition, unexpected PowerShell executions and logs relating to persistence mechanisms, such as scheduled task creation or new services being created, may be indicators of compromise.

It is important to note that the indicators of compromise will change based on the goal of the attacker. Most known attacks executed up to this point appear to have been used to deploy crypto-miners or ransomware. However, threat actors whose goals include accessing the internal workings of networks will avoid methods likely to generate common alerts. As a result, systems compromised by these groups will remain undetected unless signs of compromise are actively sought.

If you think you may have been compromised, email us at cir@f-secure.com, using this PGP Public Key.

FURTHER READING

[1] https://doublepulsar.com/bluekeep-exploitation-activity-seen-in-the-wild-bd6ee6e599a6
[2] https://www.kryptoslogic.com/blog/2019/11/bluekeep-cve-2019-0708-exploitation-spotted-in-the-wild/
[3] https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/
[4] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
[5] https://support.microsoft.com/en-za/help/4500705/customer-guidance-for-cve-2019-0708
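Example triage logic for the indicators the advisory lists under "how to determine if you have been compromised" (remote thread injection into spoolsv.exe, unexpected PowerShell execution, scheduled task and service creation), added here and not part of F-Secure's advisory or tooling. It assumes the standard Windows/Sysmon event IDs given in the comments, a constructed allow-list of parent processes that normally launch PowerShell, and runs over constructed JSON-lines telemetry; the per-host escalation reflects the advisory's point that combining signals raises the probability of detecting a compromise.

```python
import json
import ntpath
# Event IDs assumed for the indicators the advisory names (standard Windows/Sysmon IDs
# chosen here, not given by the advisory): Sysmon 8 CreateRemoteThread, Security 4688
# process creation, Security 4698 scheduled task created, System 7045 service installed.
SPOOLER = "spoolsv.exe"
POWERSHELL = {"powershell.exe", "pwsh.exe"}
PERSISTENCE = {4698: "scheduled_task_created", 7045: "service_installed"}
# Constructed allow-list: parents that routinely launch PowerShell in this environment.
EXPECTED_PS_PARENTS = {"explorer.exe", "monitoringagent.exe"}

def _base(path):
    return ntpath.basename(path or "").lower()

def classify(ev):
    """Return the indicator name an event matches, or None if it looks benign."""
    eid = ev.get("event_id")
    if eid == 8 and _base(ev.get("target_image")) == SPOOLER:
        return "remote_thread_into_spoolsv"
    if (eid == 4688 and _base(ev.get("new_process")) in POWERSHELL
            and _base(ev.get("parent_process")) not in EXPECTED_PS_PARENTS):
        return "unexpected_powershell"
    return PERSISTENCE.get(eid)

def triage(jsonl):
    """Return (host, indicator, event) for every matching JSON-lines record."""
    hits = []
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        indicator = classify(ev)
        if indicator:
            hits.append((ev.get("host"), indicator, ev))
    return hits

def escalate(hits, min_indicators=2):
    """Hosts where several distinct indicators co-occur (more signals, more confidence)."""
    per_host = {}
    for host, indicator, _ in hits:
        per_host.setdefault(host, set()).add(indicator)
    return sorted((h, sorted(s)) for h, s in per_host.items() if len(s) >= min_indicators)

# Constructed sample telemetry (not real captures); ws02's PowerShell launch is expected.
SAMPLE = r"""
{"host":"ws01","event_id":8,"target_image":"C:\\Windows\\System32\\spoolsv.exe"}
{"host":"ws01","event_id":4688,"new_process":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_process":"C:\\Windows\\System32\\spoolsv.exe"}
{"host":"ws02","event_id":4688,"new_process":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_process":"C:\\Windows\\explorer.exe"}
{"host":"ws01","event_id":7045,"service_name":"constructed-svc"}
{"host":"ws03","event_id":4698,"task_name":"\\constructed-task"}
"""
```

Running `escalate(triage(SAMPLE))` surfaces only ws01, where three distinct indicators coincide, while the lone scheduled task on ws03 is kept as a single hit for analyst review.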