[German]Currently, there is an attempt from cyber criminals to scan the Internet for Windows systems vulnerable to BlueKeep vulnerabilities and then attack them.
BlueKeep: Remote Desktop Services vulnerability
In Remote Desktop Services – formerly known as Terminal Services – there is a serious vulnerability CVE-2019-0708. An unauthenticated attacker can connect to a target system via RDP using special requests. The problem is that the attacker does not need to authenticate to gain access to the system.
An attacker who has successfully exploited this vulnerability could execute arbitrary code on the target system. This includes installing programs, viewing, modifying, or deleting data, and creating new accounts with full user privileges. This critical vulnerability exists in the following versions of Windows:
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows 7
- Windows Server 2008
- Windows Server 2008 R2
Starting with Windows 8, the vulnerability no longer exists in the Remote Desktop service. On May 14, 2019, Microsoft released a security update for older versions of Windows, from Windows XP to Windows 7, that closes the critical CVE-2019-0708 vulnerability in Remote Desktop Services.
I reported on this vulnerability in the blog post Critical update for Windows XP up to Windows 7 (May 2019). There was also a warning from the German Federal Office for Information Security (BSI) that there was a similar threat to the vulnerability responsible for the WannaCry outbreak.
Attacks only a matter of time
It was clear that it would not be that long before the first attacks on systems where the BlueKeep gap was not closed took place. In the blog post , I had pointed out the current state of exploits. A few days ago there were no public exploits, but this has changed. And now Catalin Cimpanu points out in the following tweet that an attacker behind a Tor node is now scanning the Internet for Windows systems vulnerable to BlueKeep vulnerability.
— Catalin Cimpanu (@campuscodi) 26. Mai 2019
Those who have not yet patched the vulnerability should do so urgently for systems connected to the Internet.