A critical exploit was announced about two months ago. The vulnerability (CVE-2019-0708), known as BlueKeep, is a remote, wormable vulnerability in Microsoft's RDP. This means that anyone with RDP services running needs to patch their systems as soon as possible; otherwise, attackers will try to gain access to your networks. A list of affected products and the security patch needed to remedy this vulnerability can be found here.
Normally, RDP servers are secured by nothing more than a username and password, which can be cracked easily with brute force or password cracking tools like mimikatz. Once cracked, the attacker has the ability to execute arbitrary code on the target system. The attacker would also have the ability to install programs; view, change, or delete data; or create new accounts with full user rights. This exploit is giving me nightmares tonight!
In order to exploit this vulnerability, an attacker needs to send specially crafted requests to the target system's Remote Desktop Service via RDP. Here are links to example implementations of a Microsoft Windows Remote Desktop BlueKeep denial of service: click here and here. I am not responsible for what you use this to accomplish; it should only be used for educational purposes.
One possible mitigation practice is to disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities. Another option is to enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2. The last option is to block TCP port 3389 (used by RDP) at the enterprise perimeter firewall, or to allow only certain hosts through it.
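The three mitigations above, applied on the host itself, as an added PowerShell example that is not code from the original post: it audits whether RDP is on, whether NLA is required, and how many inbound firewall rules still allow TCP/3389, then either turns RDP off or requires NLA and scopes the port to a management subnet. `$AllowedSubnet` is an assumed placeholder, and the NetSecurity cmdlets assume Windows 8 / Server 2012 or later (on Windows 7 / 2008 R2 the same firewall steps are done with `netsh advfirewall`).

```powershell
# Added example (not from the original post). Run in an elevated session.
# $AllowedSubnet is a placeholder for your management network.
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpPosture {
    # fDenyTSConnections=1 -> RDP off; UserAuthentication=1 -> NLA required;
    # SecurityLayer=2 -> TLS instead of legacy RDP security.
    $ts  = Get-ItemProperty -Path $TsKey
    $tcp = Get-ItemProperty -Path $RdpTcp
    $open = @(Get-NetFirewallPortFilter -Protocol TCP -LocalPort 3389 |
              Get-NetFirewallRule |
              Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' -and $_.Direction -eq 'Inbound' })
    [pscustomobject]@{
        RdpEnabled    = ($ts.fDenyTSConnections -eq 0)
        NlaRequired   = ($tcp.UserAuthentication -eq 1)
        SecurityLayer = $tcp.SecurityLayer
        OpenRdpRules  = $open.Count
    }
}

function Invoke-RdpHardening {
    param([switch]$DisableRdp, [string]$AllowedSubnet = '10.0.0.0/24')  # placeholder subnet
    if ($DisableRdp) {
        # Mitigation 1: RDP is not required, so turn the listener off entirely
        # and close the built-in firewall rules that expose it.
        Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        return
    }
    # Mitigation 2: require NLA, so a client must authenticate before it can
    # reach the vulnerable RDP code (documented WMI method, takes effect at once).
    $cfg = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    [void]$cfg.SetUserAuthenticationRequired(1)
    Set-ItemProperty -Path $RdpTcp -Name SecurityLayer -Value 2
    # Mitigation 3: replace the default allow-from-anywhere rules with a single
    # inbound rule for TCP/3389 scoped to the management subnet.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    New-NetFirewallRule -DisplayName 'RDP from management subnet only' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $AllowedSubnet -Action Allow -Profile Domain,Private | Out-Null
}

Get-RdpPosture                                   # posture before hardening
Invoke-RdpHardening -AllowedSubnet '10.0.0.0/24' # or: Invoke-RdpHardening -DisableRdp
Get-RdpPosture                                   # posture after hardening
```

Host-level rules complement, and do not replace, the perimeter block on TCP/3389 mentioned above, and none of this substitutes for installing the patch.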
- RDP exposed: the wolves already at your door
- Update Now! Critical, remote, wormable Windows vulnerability