RDP vulnerabilities; TLP: GREEN
Alert
Active exploitation of RDP vulnerabilities has been reported. The RDP
vulnerabilities exploited by attackers are BlueKeep (CVE-2019-0708) and
DejaBlue (CVE-2019-1222, CVE-2019-1226, CVE-2019-1181 and CVE-2019-1182);
Microsoft has already released patches for both. These vulnerabilities are
pre-authentication and require no user interaction. An attacker who
successfully exploits them can perform any task on the victim machine, such
as executing arbitrary code, installing programs, viewing, changing or
deleting data, or creating new accounts with full user rights. The difference
between BlueKeep and DejaBlue is that BlueKeep affects Windows 7 and older,
while DejaBlue affects Windows 10 up to version 1903 and up to Windows Server
2019. Both vulnerabilities are wormable: malware can propagate from one
vulnerable system to another by exploiting them. The system versions impacted
by the above vulnerabilities are detailed below:
• Windows 10 for 32-bit Systems
• Windows 10 for x64-based Systems
• Windows 10 Version 1607 for 32-bit Systems
• Windows 10 Version 1607 for x64-based Systems
• Windows 10 Version 1703 for 32-bit Systems
• Windows 10 Version 1703 for x64-based Systems
• Windows 10 Version 1709 for 32-bit Systems
• Windows 10 Version 1709 for x64-based Systems
• Windows 10 Version 1903 for 32-bit Systems
• Windows 10 Version 1903 for ARM64-based Systems
• Windows 10 Version 1903 for x64-based Systems
• Windows 7 for 32-bit Systems Service Pack 1
• Windows 7 for x64-based Systems Service Pack 1
• Windows 8.1 for 32-bit Systems
• Windows 8.1 for x64-based Systems
• Windows RT 8.1
• Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
• Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Windows Server 2012
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 R2 (Server Core installation)
• Windows Server 2016
• Windows Server 2016 (Server Core installation)
• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows Server, version 1803 (Server Core installation)
• Windows Server, version 1903 (Server Core installation)
The IOCs (indicators of compromise) associated with the above vulnerabilities
are listed for action at your end.
Best Practice and Recommendations
• Disable Remote Desktop Services on public-facing devices if they are not
required, and disable any service that is no longer in use.
• Enable Network Level Authentication (NLA) on systems running supported
editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2.
With NLA turned on, an attacker would first need to authenticate to Remote
Desktop Services using a valid account on the target system before the
attacker could exploit the vulnerability.
• Block TCP port 3389 at the enterprise perimeter firewall where necessary.
TCP port 3389 is used to initiate a connection with the affected component.
Blocking this port at the network perimeter firewall will help protect
systems that are behind that firewall from attempts to exploit this
vulnerability. This can help protect networks from attacks that originate
outside the enterprise perimeter. However, systems could still be vulnerable
to attacks from within the enterprise perimeter.
• Conduct an updated inventory of RDP-enabled systems in order to determine
how many systems are vulnerable; this will help in applying the patches
released by Microsoft. The patches for the above vulnerabilities can be
downloaded from the links below:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1222
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1226
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181
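The following PowerShell audit is an added example, not part of the original advisory: it checks the recommendations above (RDP enabled or not, NLA required, RDP listener port and inbound firewall rules allowing it) on one or more hosts and can enforce NLA. The function name, output shape and the placeholder host names are this example's own; the registry values are Microsoft's documented Terminal Server settings, and the firewall cmdlets require Windows 8 / Server 2012 or later.

```powershell
# Added example: audit RDP exposure and NLA state; run elevated, PowerShell 3+.
function Get-RdpHardeningStatus {
    [CmdletBinding()]
    param(
        # Set UserAuthentication=1 (require NLA) if it is not already set.
        [switch]$EnforceNla
    )
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # PortNumber is 3389 unless the listener has been moved.
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber

    if ($EnforceNla -and $nla -ne 1) {
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
        $nla = 1
    }

    # Enabled inbound Allow rules whose port filter matches the RDP listener
    # (NetSecurity module: Windows 8 / Server 2012 and later only).
    $fwRules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Protocol -eq 'TCP' -and "$($_.LocalPort)" -eq "$port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSCaption          = $os.Caption
        OSVersion          = $os.Version
        RdpEnabled         = ($deny -eq 0)
        NlaRequired        = ($nla -eq 1)
        RdpPort            = $port
        TermServiceStatus  = (Get-Service TermService).Status
        OpenInboundFwRules = ($fwRules | Select-Object -ExpandProperty DisplayName) -join '; '
        # Flag for action when RDP is reachable without NLA, per the advisory.
        NeedsAction        = (($deny -eq 0) -and ($nla -ne 1))
    }
}

# Inventory run over WinRM against placeholder host names (replace with your own).
Invoke-Command -ComputerName 'host1.example.local','host2.example.local' `
    -ScriptBlock ${function:Get-RdpHardeningStatus} |
    Format-Table ComputerName, OSVersion, RdpEnabled, NlaRequired, RdpPort, NeedsAction -AutoSize
```

Add `-ArgumentList @($true)` to the `Invoke-Command` call (or run `Get-RdpHardeningStatus -EnforceNla` locally) to turn the audit into remediation on hosts where NLA is off.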