RDP vulnerabilities; TLP: GREEN

RDP vulnerabilities; TLP: GREEN

– ———————-Alert—————————–

Active exploitation of RDP vulnerabilities have been reported. The RDP

vulnerabilities exploited by attacker are BlueKeep (CVE-2019-0708) and

DejaBlue (CVE-2019-1222, CVE 2019-1226, CVE-2019-1181 and CVE-2019-1182),

both of which patch are already released by Microsoft. This vulnerability

is pre-authentication and requires no user interaction. Once attacker

successfully exploit this vulnerability, it can do any tasks on victim

machine like execution of arbitrary code , install programs, view, change

or delete data  or create new accounts with full user right. The difference

between BlueKeep and DejaBlue is that Bluekeep effects windows 7 and older

while DejaBlue effects Windows 10 to version 1903 and up to Windows Server

2019. However both of these vulnerability is wormable, as malware can

propagate from one vulnerable system to another vulnerable system via

exploiting this vulnerability. The detail of the system version impacted by

above vulnerability is provided as below:-

•Windows 10 for 32-bit Systems

•Windows 10 for x64-based Systems

•Windows 10 Version 1607 for 32-bit Systems

•Windows 10 Version 1607 for x64-based Systems

•Windows 10 Version 1703 for 32-bit Systems

•Windows 10 Version 1703 for x64-based Systems

•Windows 10 Version 1709 for 32-bit Systems

•Windows 10 Version 1709 for 64-based Systems

•Windows 10 Version 1903 for 32-bit Systems

•Windows 10 Version 1903 for ARM64-based Systems

•Windows 10 Version 1903 for x64-based Systems

•Windows 7 for 32-bit Systems Service Pack 1

•Windows 7 for x64-based Systems Service Pack 1

•Windows 8.1 for 32-bit systems

•Windows 8.1 for x64-based systems

•Windows RT 8.1

•Windows Server 2008 R2 for Itanium Based Systems Service Pack 1

•Windows Server 2008 R2 for x64- based Systems Service Pack 1

•Windows Server 2008 R2 for x64- based Systems Service Pack 1 (Server

Core installation)

•Windows Server 2012

•Windows Server 2012 (Server Core installation)

•Windows Server 2012 R2

•Windows Server 2012 R2 (Server Core installation)

•Windows Server 2016

•Windows Server 2016 (Server Core installation)

•Windows Server 2019

•Windows Server 2019 (Server Core installation)

•Windows Server, version 1803 (Server Core Installation)

•Windows Server, version 1903 (Server Core installation)

The IOC associated with above vulnerabilities is listed for your action

side.

**********IOC Start************

•360safe[.]com

•7azrael[.]github[.]io

•7dc5fb4e[.]ngrok[.]io

•89[.]net

•9d842cb6[.]ngrok[.]io

•addthis[.]com

•align[.]com

•args[.]host

•asciinema[.]org

•attacks[.]read

•bensound[.]com

•beyondbinary[.]io

•bitly[.]com

•bizmac[.]com[.]vn

•blognone[.]com

•bluekeep[.]read

•buyexploit[.]com

•cam[.]ac[.]uk

•carestream[.]com

•cjjkkk[.]github[.]io

•coderzgh[.]github[.]io

•com[.]github[.]io

•configure[.]ac

•cronup[.]com

•cve-2019-0708[.]info

•draeger[.]com

•dute56[.]com

•enoctus[.]com

•example[.]com

•exploitation[.]read

•gitee[.]com

•glotozz[.]github[.]io

•hatelabo[.]jp

•hohenpoelz[.]de

•homelandsecuritytoday[.]us

•howlermonkey[.]io

•href[.]li

•incident[.]sk

•ip-51-89-6[.]eu

•jianshu[.]io

•js[.]id

•jsdelivr[.]com

•jsdelivr[.]net

•kennasecurity[.]com

•lanzous[.]com

•litedownloadseek[.]cn

•lsablog[.]com

•mad-coding[.]cn

•makefile[.]in

•microsoft[.]co

•minghc[.]github[.]io

•mynavi[.]jp

•netbynet[.]ru

•nosec[.]org

•onion[.]to

•optonline[.]net

•pa55w0rd[.]club

•pa55w0rd[.]online

•qhimg[.]com

•qianxin[.]com

•qiita[.]com

•que[.]com

•raffaelechiatto[.]com

•rdpexploit[.]com

•rock-thevirtual[.]com

•rootkits[.]xyz

•satoshidisk[.]com

•secpulse[.]com

•securitytrails[.]com

•setup[.]sh

•sh1yan[.]top

•shiyan[.]top

•snikt[.]net

•socprime[.]com

•sourcerer[.]io

•spar[.]hu

•ssi[.]gouv[.]fr

•swimlane[.]com

•thesecure[.]biz

•triskelelabs[.]com

•update[.]microsoft

•vkxss[.]top

•vulmon[.]com

•wazehell[.]io

•weblcx[.]com

•wooyun[.]js[.]org

•yoursite[.]com

*********IOC End*******************

Best Practise and Recommendations

•Disable Remote Desktop Services on public facing devices, if they are

not required. Disabling the service which is no longer is use. 

•Enable Network Level Authentication (NLA) on systems running supported

editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2.

With NLA turned on, an attacker would first need to authenticate to Remote

Desktop Services using a valid account on the target system before the

attacker could exploit the vulnerability.

•Block TCP port 3389 at the enterprise perimeter firewall where

necessary. TCP port 3389 is used to initiate a connection with the affected

component. Blocking this port at the network perimeter firewall will help

protect systems that are behind that firewall from attempts to exploit this

vulnerability. This can help protect networks from attacks that originate

outside the enterprise perimeter. However, systems could still be

vulnerable to attacks from within their enterprise perimeter.

•Conduct an updated RDP-enabled inventory in order to determine how many

systems are vulnerable which will helpful in applying patches released by

Microsoft. The patch for above vulnerabilities can be downloaded from below

link

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019

– -0708

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019

– -1222

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019

– -1226

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019

– -1182

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019

– -1181