Without Security Visibility and Analysis, BlueKeep Keeps on Keeping On

BlueKeep, a severe security vulnerability (CVE-2019-0708) that affects the Remote Desktop Protocol (RDP) service in Windows XP, Windows Vista, and other older Windows OS versions, is spreading rapidly, due in part to being remotely exploitable. While this has the structure of a classic attack, it’s also unique because its wicked efficiency essentially puts any unpatched computer that is connected to the Internet at risk.

Now, a reverse engineer, Zerosum0x0 (apologies to Zerosum0x0 who, in The Artist Formerly Known as Prince fashion, uses upside-down characters to render his or her name. I’m technically incapable of making my keyboard do that) has created a proof-of-concept Metasploit module that mimics BlueKeep. This engineer demonstrated how an unauthenticated attacker can overtake a computer in 22 seconds. Credential harvesting gave access to computers, and from there, the attack was in full force. With the ability to self-propagate, BlueKeep has the capability to spread with the seriousness of a millennial barista’s beard.

Similar in nature to some of the most destructive malware variants like BadRabbit, WannaCry, and NotPetya, BlueKeep is a self-spreading worm and has already jolted major organizations to attention in a mad dash to patch, monitor, and fix damage. Some are now applying security detection measures, but as we know, after an attack, the insurance policy you didn’t buy isn’t worth much.

In an effort to limit the damage, Microsoft released patches for the affected operating systems in early May. The company then issued a second warning because many administrators were lagging in their patch deployments. In fact, a researcher has estimated that almost one million Windows computers are currently vulnerable to BlueKeep attacks.

It’s hopefully a wake-up call that the act of a deliberate attacker can result in disastrous impact for those without visibility into their environments. Irrespective of whether or not an organization has deployed the necessary patches, every security team needs visibility, along with context, for their cloud environments.

No less an arbiter of security innovation than the NSA has issued a rare advisory that demands users update their systems and gird against the potential for BlueKeep to hit. In their warning, they indicated, “It is likely only a matter of time before remote exploitation code is widely available for this vulnerability. The NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems. The NSA urges everyone to invest the time and resources to know your network and run supported operating systems with the latest patches.”

The NSA recommends that organizations take the following three steps:

  • Block TCP Port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This is the port the RDP protocol uses, so blocking it stops attempts to establish a connection.
  • Enable Network Level Authentication. This security improvement requires attackers to have valid credentials to perform remote code authentication.
  • Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.

These measures will keep out unwanted traffic that is identified as unwanted. Activities that look legitimate, however, will be able to bypass network-based roadblocks. This is exactly what Zerosum0x0 has demonstrated with his/her PoC. Harvested credentials will still get an attacker inside an environment unless the security measures in place can detect anomalous activity.
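The first NSA step, blocking TCP 3389 at perimeter firewalls, has a direct cloud counterpart: a security group that admits RDP from any source. The script below is an added example written for this post, not Lacework's code and not part of the NSA advisory. It audits security-group rules laid out in the shape of the EC2 DescribeSecurityGroups response (IpPermissions with IpProtocol, FromPort, ToPort and IpRanges); the group ids, names and CIDRs are constructed for the illustration. A rule is flagged when it covers port 3389 (or all ports via protocol "-1") from a source that is not wholly inside an RFC 1918 range, and the corrected rule that admits RDP only from an internal management address is shown beside it.

```python
"""Audit cloud security-group rules for RDP (TCP 3389) exposed to the Internet.

Added example; the group ids and CIDRs below are constructed, and the record
shape follows the EC2 DescribeSecurityGroups response (IpPermissions/IpRanges).
"""
import ipaddress

RDP_PORT = 3389

# Constructed sample groups (not real accounts or addresses).
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-open", "GroupName": "legacy-rdp",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-allports", "GroupName": "dev-anything",
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-ok", "GroupName": "rdp-from-bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "IpRanges": [{"CidrIp": "10.20.0.5/32"}]}]},
    {"GroupId": "sg-example-range", "GroupName": "wide-port-range",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]

# RFC 1918 ranges; a source wholly inside one of these is treated as internal.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`.

    IpProtocol "-1" means every protocol and every port, so it always covers it.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def cidr_is_public(cidr):
    """True unless the CIDR sits entirely inside an RFC 1918 range.

    0.0.0.0/0 is public; so is any routable range such as 203.0.113.0/24.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == priv.version and net.subnet_of(priv)
                   for priv in PRIVATE_RANGES)


def find_rdp_exposures(groups, port=RDP_PORT):
    """Return (group_id, cidr, protocol) for every rule exposing `port` publicly."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            for rng in perm.get("IpRanges", []):
                if cidr_is_public(rng["CidrIp"]):
                    findings.append((group["GroupId"], rng["CidrIp"], perm["IpProtocol"]))
    return findings


def restricted_rdp_rule(allowed_cidr):
    """The corrected rule: RDP only from one internal management host or range."""
    return {"IpProtocol": "tcp", "FromPort": RDP_PORT, "ToPort": RDP_PORT,
            "IpRanges": [{"CidrIp": allowed_cidr}]}


if __name__ == "__main__":
    for group_id, cidr, proto in find_rdp_exposures(SAMPLE_GROUPS):
        print(f"{group_id}: port {RDP_PORT} reachable from {cidr} (protocol {proto})")
    print("replacement rule:", restricted_rdp_rule("10.20.0.5/32"))
```

The port-range and all-protocols cases matter in practice: a group that opens 3000-4000 or everything to the world exposes RDP just as surely as one that names 3389, and a check that only string-matches "3389" misses both.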

Let’s break down where vulnerabilities exist and how a security team could detect most threats before they do damage:

Harvesting credentials
In many attacks, impersonation of a legitimate user is the path by which an attacker gains access. Most security solutions operate in a checklist fashion and act on specific if-then correlations. When it comes to account access, a user who looks legitimate is given authorization, and the tool doesn’t detect anything amiss. If User A is authorized to access, then User A will be free to access. Yet, if User A is not really User A, then the security team won’t know until it’s too late.

Lacework uses behavioral analysis to determine the legitimacy of a user based upon his actions. So if User A does indeed get access, the activity of User A that does not jibe with the activity of similar users, or deviates from User A’s typical behavior, will be noted. This is done through rapid analysis of all the activities that relate to User A, the applications and resources he’s accessing, and the transactions he’s making.

Data from the cloud accounts is ingested, and Lacework applies machine learning to logs to generate high fidelity alerts on any behaviors or events that could be an indicator of compromise at the account resource level. Lacework also proactively alerts on any security misconfigurations at the time they occur. Among other things, the Lacework platform is monitoring critical account activity such as unauthorized API calls and use of the management console for unauthorized purposes. It also secures network configurations, including limiting access to vulnerable ports, enforcing “least access” privileges, and checking for the use of flow logging.
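To make the User A scenario concrete, here is an added example of the comparison described above, written for this post rather than taken from Lacework's platform, whose actual models are not public. The records are constructed and only loosely modeled on CloudTrail-style fields (user, role, event name, source IPv4 address); a "role" stands in for the group of similar users. Each new record is scored against two baselines: the user's own history (events performed and source networks) and the peer group's history, so an action that is new for the user but routine for peers scores lower than one nobody in the group has performed, and a new source network raises the score further.

```python
"""Flag account activity that deviates from a user's own history and from peers.

Added example of the behavioral-analysis idea described above; not Lacework's
implementation. Records are constructed and only loosely modeled on
CloudTrail-style fields: (user, role, event name, source IPv4 address).
"""
from collections import defaultdict
import ipaddress

# Constructed history used to build the baseline (not real log data).
HISTORY = [
    ("alice", "dev",   "DescribeInstances", "198.51.100.10"),
    ("alice", "dev",   "GetObject",         "198.51.100.10"),
    ("alice", "dev",   "DescribeInstances", "198.51.100.11"),
    ("bob",   "dev",   "DescribeInstances", "198.51.100.12"),
    ("bob",   "dev",   "GetObject",         "198.51.100.12"),
    ("bob",   "dev",   "PutObject",         "198.51.100.12"),
    ("carol", "dev",   "GetObject",         "198.51.100.13"),
    ("dave",  "admin", "CreateUser",        "198.51.100.20"),
    ("dave",  "admin", "AttachUserPolicy",  "198.51.100.20"),
]

# Constructed new activity to score against the baseline.
NEW_EVENTS = [
    ("alice", "dev", "GetObject",  "198.51.100.10"),  # matches alice's history
    ("alice", "dev", "PutObject",  "198.51.100.10"),  # new for alice, routine for dev peers
    ("alice", "dev", "CreateUser", "203.0.113.77"),   # unseen for alice or peers, new network
]

SEVERITY = {1: "low", 2: "medium", 3: "high"}


def source_net(ip):
    """Collapse an IPv4 source address to its /24 so a new host on the usual
    office or VPN network is not treated as a new location."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(history):
    """Per-user known events and source networks, plus per-role (peer) events."""
    per_user = defaultdict(lambda: {"events": set(), "nets": set()})
    per_role = defaultdict(set)
    for user, role, event, ip in history:
        per_user[user]["events"].add(event)
        per_user[user]["nets"].add(source_net(ip))
        per_role[role].add(event)
    return per_user, per_role


def evaluate(records, per_user, per_role):
    """Score each record: an action unseen for the user scores 1, unseen for the
    user's peer group as well scores 2, and a new source network adds 1."""
    alerts = []
    for user, role, event, ip in records:
        base = per_user.get(user, {"events": set(), "nets": set()})
        net = source_net(ip)
        new_for_user = event not in base["events"]
        new_for_peers = new_for_user and event not in per_role.get(role, set())
        new_network = net not in base["nets"]
        points = (2 if new_for_peers else 1 if new_for_user else 0) + int(new_network)
        if points == 0:
            continue  # nothing about this record departs from the baseline
        reasons = []
        if new_for_peers:
            reasons.append(f"first {event} for {user}, unseen across {role} peers")
        elif new_for_user:
            reasons.append(f"first {event} for {user}, routine among {role} peers")
        if new_network:
            reasons.append(f"new source network {net}")
        alerts.append({"user": user, "event": event,
                       "severity": SEVERITY[points], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    users, roles = build_baseline(HISTORY)
    for alert in evaluate(NEW_EVENTS, users, roles):
        print(alert["severity"].upper(), alert["user"], alert["event"], "; ".join(alert["reasons"]))
```

The point of the peer comparison is the case the checklist tool misses: a correctly authenticated User A who suddenly performs identity-management actions from a network the account has never used before is authorized in the if-then sense, but scores high here, while alice's first PutObject stays a low-severity note because her peers do it every day.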

Make sense of connections and activity
Attacks generally originate through network activity. Each connection creates another set of potential threat vectors, and this is where malware can insert itself into an organization’s infrastructure. Anomaly detection triggers on these connections based on their new relationship to existing entities. This makes it possible to alert on legitimate domains that are used out of normal context. In our case, this occurred when malicious scripts were retrieved from places like Pastebin, Bitbucket, GitHub, and ngrok.io.

Lacework decomposes data into the lowest possible isolation unit that an OS supports: a process. Everything that happens in a data center happens through a process. Every app has a different process and processes are not mixed between apps. When it comes to baselining a complex data center, they are the ideal unit for detecting vulnerabilities because:

  • They can be validated – every process is associated with a specific binary that has a particular SHA-256 hash.
  • They are traceable – processes are launched by users, applications, or other processes and we can keep track of how they started.
  • They are predictable – a process has a particular command line, purpose and a life cycle.
  • They are responsible for all communications – processes, and only processes, communicate with each other and with external hosts on the Internet.

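The four properties above (validated by hash, traceable to a parent, predictable, responsible for all communications) translate directly into a baseline. The following is an added example written for this post that shows one way to build such a baseline and check new process events against it; it is not Lacework's agent or data model. The executable "images", paths and hostnames are constructed, and each process event is simplified to (executable path, SHA-256 of its image, parent executable, destination host). It also covers the connection anomaly described earlier, a known binary reaching a destination it has never contacted, which is the out-of-context use of a legitimate service the text mentions.

```python
"""Baseline processes by binary hash, parent and network destination, then flag
departures. Added example illustrating the four properties listed above; not
Lacework's agent or data model. Binaries, paths and hosts are constructed.
"""
from collections import defaultdict
import hashlib

# Constructed stand-ins for on-disk binaries; in practice the hash comes from the
# executable image the process was started from.
KNOWN_IMAGES = {
    "/usr/sbin/sshd":   b"constructed sshd image, version 1",
    "/usr/bin/python3": b"constructed python3 image, version 1",
    "/usr/bin/curl":    b"constructed curl image, version 1",
}


def fingerprint(image):
    """SHA-256 of an executable image: the validation property."""
    return hashlib.sha256(image).hexdigest()


# Constructed process events: (exe path, sha256, parent exe, destination host or None)
PROCESS_HISTORY = [
    ("/usr/sbin/sshd",   fingerprint(KNOWN_IMAGES["/usr/sbin/sshd"]),   "/sbin/init",    None),
    ("/usr/bin/python3", fingerprint(KNOWN_IMAGES["/usr/bin/python3"]), "/usr/bin/bash", "api.internal.example"),
    ("/usr/bin/python3", fingerprint(KNOWN_IMAGES["/usr/bin/python3"]), "/usr/bin/bash", None),
    ("/usr/bin/curl",    fingerprint(KNOWN_IMAGES["/usr/bin/curl"]),    "/usr/bin/bash", "repo.internal.example"),
]

NEW_EVENTS = [
    # routine: known hash, known parent, known destination
    ("/usr/bin/python3", fingerprint(KNOWN_IMAGES["/usr/bin/python3"]), "/usr/bin/bash", "api.internal.example"),
    # same path, different image: the binary on disk was replaced
    ("/usr/bin/python3", fingerprint(b"constructed python3 image, modified"), "/usr/bin/bash", None),
    # known binary, but launched by a server process and reaching a host it never contacted
    ("/usr/bin/curl",    fingerprint(KNOWN_IMAGES["/usr/bin/curl"]),    "/usr/sbin/httpd", "pastebin.com"),
]


def build_process_baseline(history):
    """For each executable path: the hashes, parents and destinations seen so far."""
    baseline = defaultdict(lambda: {"hashes": set(), "parents": set(), "dests": set()})
    for exe, digest, parent, dest in history:
        entry = baseline[exe]
        entry["hashes"].add(digest)
        entry["parents"].add(parent)
        if dest:
            entry["dests"].add(dest)
    return baseline


def check_process_event(event, baseline):
    """Return (kind, detail) findings for one event; an empty list means it matches the baseline."""
    exe, digest, parent, dest = event
    if exe not in baseline:
        return [("new-binary", f"{exe} has never run here before")]
    entry = baseline[exe]
    findings = []
    if digest not in entry["hashes"]:
        findings.append(("hash-mismatch", f"{exe} image {digest[:12]}... differs from the known build"))
    if parent not in entry["parents"]:
        findings.append(("unusual-parent", f"{exe} launched by {parent}"))
    if dest and dest not in entry["dests"]:
        findings.append(("new-destination", f"{exe} connected to {dest} for the first time"))
    return findings


def evaluate_processes(events, baseline):
    """(exe, findings) for each event that departs from the baseline."""
    results = []
    for event in events:
        findings = check_process_event(event, baseline)
        if findings:
            results.append((event[0], findings))
    return results


if __name__ == "__main__":
    baseline = build_process_baseline(PROCESS_HISTORY)
    for exe, findings in evaluate_processes(NEW_EVENTS, baseline):
        for kind, detail in findings:
            print(f"[{kind}] {detail}")
```

Keying the baseline on the executable path but validating with the hash is what catches a replaced binary: the path, command line and parent all look normal, and only the image digest gives it away. The third event shows why destinations are tracked per process rather than globally; the same host may be perfectly ordinary for a browser and anomalous for a utility spawned by a web server.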
Runtime awareness and threat identification
Runtime threat defense enables security teams to identify vulnerabilities across the entire scope of their cloud and containerized environments. This includes identifying security issues with serverless resources, applications, networks, file systems, APIs, processes, and other elements that could increase the threat vector of an organization’s infrastructure. There’s an emphasis on events happening at runtime, which gives the security team the ability to quickly identify issues before they spread within their environment.

BlueKeep, like all vulnerabilities, is successful when there’s little visibility and no context for what’s happening in your environment. Lacework is built around the concept of visibility — to note: Anomaly detection allows you to alert on abnormal activity in your environment, which works well at exposing unknown threats. File integrity monitoring allows you to monitor for malware and changes to sensitive files. Properly curated threat intelligence provides coverage on known threats. Compliance auditing enforces best practices and could flag breaches before they happen.

Invincibility is a nice thing to dream about, but it’s not reality. Somewhere, somehow, you, your data, and your IT infrastructure are exploitable. The lack of detection and analysis capabilities will always leave an organization behind, so awareness comes after the fact. But modern organizations can apply a more complete solution to ensure they can identify and fix issues across their cloud surface area.