Alert – Exploit RDP [Bluekeep]

If you haven’t already heard, the Australian Cyber Security Centre (ACSC) released a HIGH alert warning of malicious activity and the potential for widespread abuse of the BlueKeep vulnerability, known as CVE-2019-0708. The vulnerability was discovered in Microsoft’s Remote Desktop Protocol (also known as Terminal Services) and affects older versions of the Microsoft Windows operating system.

Ensure that your devices are patched, especially if they run older versions of Windows such as Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008.

Organisations and users are recommended to:

  1. Patch, patch, patch. If you or your organisation run a supported version of Windows, update it to the latest version. If possible, enable automatic updates. If you are still using unsupported Windows XP or Windows Server 2003 – for whatever reason – download and apply the patches as soon as possible. 
  2. Disable Remote Desktop Protocol. Despite RDP itself not being vulnerable, Microsoft advises organisations to disable it until the latest patches have been applied. Further, to minimise your attack surface, RDP should only be enabled on devices where it is used and actually needed. 
  3. Ensure RDP is correctly configured. If your organisation absolutely must use RDP, avoid exposing it to the public internet. Only devices on the LAN, or those connecting via a VPN, should be able to establish a remote session. Another option is to filter RDP access with a firewall, allowing only a specific IP range. The security of your remote sessions can be further improved by using multi-factor authentication.
  4. Enable Network Level Authentication (NLA). BlueKeep can be partially mitigated by having NLA enabled, as it requires the user to authenticate before a remote session is established and the flaw can be misused. However, as Microsoft adds, “affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.”
  5. Use a reliable multi-layered security solution that can detect and mitigate the attacks exploiting the flaw on the network level.
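The script below is an added example and is not part of the ACSC alert or of Microsoft’s guidance. It audits a single Windows host against steps 1 to 4 above: whether a CVE-2019-0708 fix is installed, whether RDP is enabled, whether Network Level Authentication is required, and which port the RDP listener uses so firewall or VPN scoping can be checked against it. It assumes an elevated Windows PowerShell 3.0 or later session and reads only the standard Terminal Server registry keys. The KB numbers for the fix differ per Windows version and are not listed in the alert, so the `$RequiredKBs` parameter ships with a placeholder that must be replaced with the values from Microsoft’s advisory for that host’s operating system.

```powershell
# Added example (not from the original alert): audit one Windows host for the
# BlueKeep mitigations in steps 1-4. Run in an elevated Windows PowerShell
# (3.0+) session on the host being checked.
param(
    # KB numbers of the CVE-2019-0708 fix for THIS host's Windows version,
    # taken from the Microsoft advisory. 'KB0000000' is a placeholder only.
    [string[]] $RequiredKBs = @('KB0000000'),
    # When set, switch on Network Level Authentication if it is off (step 4).
    [switch] $EnforceNla
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$findings = @()

$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Step 1: is at least one of the required fixes installed?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched = @($RequiredKBs | Where-Object { $installed -contains $_ }).Count -gt 0
if (-not $patched) {
    $findings += "None of the listed fixes [$($RequiredKBs -join ', ')] is installed"
}

# Step 2: is RDP enabled at all? fDenyTSConnections = 1 means inbound
# Remote Desktop connections are refused.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
            -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -ne 1)
if ($rdpEnabled -and -not $patched) {
    $findings += 'RDP is enabled on a host without the CVE-2019-0708 fix'
}

# Step 4: is NLA required? UserAuthentication = 1 means the client must
# authenticate before a session is created, which blocks unauthenticated
# exploitation of the flaw (authenticated attackers are still a risk).
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
            -ErrorAction SilentlyContinue).UserAuthentication
if ($rdpEnabled -and $nla -ne 1) {
    $findings += 'RDP is enabled without Network Level Authentication'
    if ($EnforceNla) {
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
        $nla = 1
        $findings += 'NLA has now been enabled (applies to new connections)'
    }
}

# Step 3: report the RDP listening port (default 3389) so that firewall and
# VPN scoping rules can be verified against the port actually in use.
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber `
            -ErrorAction SilentlyContinue).PortNumber

# One result object per host; pipe to Export-Csv when auditing a fleet.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    OS           = $os.Caption
    Patched      = $patched
    RdpEnabled   = $rdpEnabled
    NlaRequired  = ($nla -eq 1)
    RdpPort      = $port
    Findings     = ($findings -join '; ')
}
```

Run it read-only first (`.\Check-BlueKeep.ps1 -RequiredKBs KB...`) and review the `Findings` column before re-running with `-EnforceNla`. A host that reports `RdpEnabled = True` but never uses Remote Desktop should have RDP disabled outright, as step 2 recommends, rather than merely hardened.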

The information provided here is of a general nature. Everyone’s circumstances are different. If you require specific advice you should contact your local technical support provider.

Concerned about exploits and the vulnerability of your network?

Contact Project 3 IT for help securing and enforcing best practice policies for your network.

55 Bourke Road, Alexandria NSW 2015

1300 884 177