

BlueKeep - Tip of The Iceberg for Future Cyber Crime Attacks


History teaches us that from his position in the crow's nest, lookout Frederick Fleet signaled the bridge of RMS Titanic with the fateful words "Iceberg, right ahead!" Cybersecurity experts often illustrate security concepts with the "tip of the iceberg" metaphor to emphasize that an estimated 10% of vulnerabilities are known or visible above the waterline, while the mass of unknown vulnerabilities lies below the waterline, out of sight and out of mind.

The May 14th publication of CVE-2019-0708 (Remote Desktop Services Code Execution Vulnerability) also garnered a noteworthy advisory from the U.S. National Security Agency (NSA). Both the Microsoft and NSA advisories noted the potential for this vulnerability to be used by self-propagating worms that could replicate an attack similar in scale to the devastating EternalBlue-based attacks NotPetya and WannaCry. Several cybersecurity organizations and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that vulnerable systems are susceptible to remotely executed code.


Devastating Potential for Mayhem

Security experts are sounding the alarm that BlueKeep has the potential to be the most devastating attack of the year. This vulnerability is remarkable for quite a few reasons:

  • Authentication is not required to exploit the vulnerability;
  • Exploitation may lead to the execution of arbitrary (malicious) code;
  • The vulnerability is wormable, meaning that future exploits could spread malware within or outside of a compromised network;
  • A large number of entities expose Remote Desktop Protocol (RDP), also known as terminal services, to the Internet;
  • A large number of legacy operating systems are still in production, including Windows 7, Windows Server 2008 and Windows XP.


Key Early Indicators

Reputable reports indicate intense scanning activity, discussed on the Dark Web, for Windows systems exposed to the BlueKeep vulnerability. In other words, potential perpetrators are using automated tools to perform reconnaissance and gather information about potential targets. While no active exploitation attempt has yet been reported, several security research firms have reported proof-of-concept exploitation of BlueKeep. It is only a matter of time before the bad guys develop the means to exploit the vulnerability in the wild.

Initial reports indicated that nearly 7.6 million systems with RDP port 3389 open are connected to the Internet; however, researchers have since adjusted the potential exposure figure to 950,000. The reduction accounts for non-Windows systems with port 3389 open and an estimated 1.5 million systems that respond in a manner associated with a patched system, which is not affected by BlueKeep. Needless to say, the number of systems still vulnerable is substantial. As seen below, anyone can perform a simple search for potentially affected RDP systems using the Shodan search engine for Internet-connected devices, which (at the time of this writing) easily identified over 785,000 possible targets within the United States.

[Figure: Shodan search results]


Averting a Disaster

Users and administrators should evaluate the Microsoft Security Advisory and the Microsoft Customer Guidance for CVE-2019-0708 and apply the appropriate mitigation as soon as possible:

  • Install available security update patches from Microsoft. Microsoft took the unusual step of releasing patches for a number of operating systems that are no longer supported (Windows Vista, Windows XP, and Windows Server 2003). As always, test patches prior to installation. For supported versions of Windows, update to the latest OS version and, if possible, enable automatic updates. If for whatever reason your environment still includes unsupported Windows XP or Windows Server 2003 systems, download and apply the patches as soon as possible.
  • Upgrade or segment end-of-life operating systems. Consider upgrading any EOL operating systems no longer supported by Microsoft. If you can't upgrade these devices, segment those unsupported operating systems from the rest of your network.
  • Disable unnecessary services such as Remote Desktop Protocol. To minimize your attack surface, RDP should only be enabled on devices where it really is used and needed.
  • Configure RDP properly. If RDP absolutely must be enabled, avoid exposing it to the public Internet. Only devices on the local area network, or accessing via a Virtual Private Network, should be able to establish a remote session. Another option is to filter RDP access using a firewall, whitelisting only a specific IP range. The security of your remote sessions can be further improved by using multi-factor authentication.
  • Deploy a reliable multi-factor authentication solution. Remote sessions can be further secured by requiring multi-factor authentication.
  • Enable Network Level Authentication. BlueKeep can be partially mitigated by having NLA enabled; however, as Microsoft adds, “affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.”
  • Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall.
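The following PowerShell script is an added example, not code from the original post or from SBS CyberSecurity, that audits a single Windows host against the mitigations in the list above: whether Remote Desktop is enabled, whether NLA is required, whether any enabled inbound firewall rule admits RDP from any address, and whether the advisory's patches are installed. The KB list and the trusted address range are placeholders you fill in for your environment; the registry paths and NetSecurity cmdlets are standard Windows ones, and the firewall checks require Windows 8/Server 2012 or later.

```powershell
# Added example (not from the original post): audit a Windows host against the
# BlueKeep mitigations listed above. Run from an elevated PowerShell prompt on
# Windows 8/Server 2012 or later (the NetSecurity cmdlets are not on Windows 7).
# $RequiredKBs is a placeholder: fill it from the Microsoft advisory for your OS.
param(
    [string[]] $RequiredKBs   = @('KB-FROM-MS-ADVISORY-PLACEHOLDER'),
    [string[]] $TrustedRanges = @('10.0.0.0/8')   # constructed LAN/VPN range
)

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey   = "$tsKey\WinStations\RDP-Tcp"
$findings = New-Object System.Collections.Generic.List[string]

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means it is off.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 1) {
    $findings.Add('OK: Remote Desktop is disabled on this host.')
} else {
    $findings.Add('REVIEW: Remote Desktop is enabled; confirm it is actually needed here.')

    # 2. Network Level Authentication (partial mitigation): UserAuthentication = 1.
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    if ($nla -eq 1) {
        $findings.Add('OK: NLA is required before a session is established.')
    } else {
        $findings.Add('FAIL: NLA is off; set UserAuthentication=1 (System > Remote settings).')
    }

    # 3. Which enabled inbound firewall rules admit RDP, and from which addresses?
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            $findings.Add("FAIL: rule '$($rule.DisplayName)' allows RDP from Any; scope it to $($TrustedRanges -join ', ').")
        } else {
            $findings.Add("OK: rule '$($rule.DisplayName)' is scoped to $($remote -join ', ').")
        }
    }
    if (-not $rules) { $findings.Add('OK: no enabled inbound firewall rule admits RDP.') }
}

# 4. Patch state: every KB from the advisory must appear in the installed hotfix list.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $RequiredKBs) {
    if ($installed -contains $kb) { $findings.Add("OK: $kb installed.") }
    else { $findings.Add("FAIL: $kb not installed; patch or segment this host.") }
}

$findings | ForEach-Object { Write-Output $_ }
```

Any FAIL line maps directly to one of the mitigations above; a host that is both unpatched and reachable on port 3389 from Any is the case to fix first.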


Charting a Course for the Future

Once mitigation efforts related to the BlueKeep vulnerability are completed, it is recommended that Information Security Officers use this fire drill as an opportunity to review patch management procedures. Sound patch management procedures should outline the patch management process, including the identification, testing, and implementation of patches or updates to computers, servers, network hardware, and software applications. In addition, procedures should outline a process for documenting patch exceptions, as well as procedures for rolling back implemented updates or patches that cause operational issues on the network or computing devices.

Vulnerabilities like BlueKeep will continue to arise in the future, and our reliance on technology is not going away. Be sure to continue mitigating risk and maturing your Information Security Program to keep pace with the ever-evolving risk landscape.


Written by: Shane Daniel 
Senior Information Security Consultant – SBS CyberSecurity, LLC 



Posted: Thursday, July 11, 2019
Categories: Blog