TTCSIRT-241.110419: TT-CSIRT ADVISORY – BLUEKEEP ACTIVE EXPLOITATION
There are confirmed reports that the BlueKeep RDP flaw in Windows based systems is now being actively exploited in the wild. BlueKeep (CVE-2019-0708) is a security vulnerability that was discovered in Microsoft’s Remote Desktop Protocol implementation, which allows for the possibility of remote code execution. BlueKeep has the potential to cause significant damage like the WannaCry and NotPetya outbreaks of previous years.
TTCSIRT strongly recommends that administrators update all Windows based systems immediately. Microsoft released a security patch for this vulnerability in May 2019. If applying the security patch in your organization is not immediately possible, then you can take these mitigations:
- Disable RDP services, if not required.
- Block port 3389 using a firewall or make it accessible only over a private VPN.
- Enable Network Level Authentication (NLA) – this is partial mitigation to prevent any unauthenticated attacker from exploiting this Wormable flaw.