Microsoft apparently also offers patches against the BlueKeep vulnerability for pirated copies of Windows XP and Windows 7. And Talos has a blog post about defending against encrypted RDP attacks like BlueKeep.
BlueKeep fixes also for pirated copies
Well, under normal circumstances I would not mention this topic. But it makes clear how urgent this case might be. Last Friday Microsoft warned in a TechNet blog post about the BlueKeep vulnerability and recommended installing the available updates (see my blog post BlueKeep vulnerability: Microsoft warns about a wormable malware epidemic).
Microsoft provides updates from Windows XP up to Windows 7 (and the affected server versions), even though Windows XP (and Windows Server 2003) has been out of support for many years. One of Microsoft's arguments for upgrading to newer Windows versions has always been that security update support for the older versions has expired. So some people might suspect that Microsoft has a blocking mechanism that keeps this security update away from pirated copies of Windows XP up to Windows 7.
Yes, pirate copies of Win XP and Win7 can install the “wormable” BlueKeep security fixes – at least, according to a decade-old promise from a long-gone Microsoft employee. Can you find anything more recent or reassuring? https://t.co/gdIxQGYt1Z
— Woody Leonhard (@AskWoody) June 1, 2019
Woody Leonhard mentions this in the tweet above and addresses it in the linked blog post. So: install the security updates on your affected machines as soon as possible.
BlueKeep and encrypted SSL tunnels
Some RDP sessions use an encrypted SSL/TLS tunnel to reach a host. BlueKeep (CVE-2019-0708) can also be exploited through such an encrypted tunnel, and the encryption can hamper packet inspection and detection of the attack: a signature-based sensor that only sees the TLS-wrapped connection sequence cannot match on the exploit traffic unless it is decrypted first.
BlueKeep can be exploited over an encrypted SSL tunnel which may impact inspection. Learn how to protect yourself against this and other encrypted RDP threats with FirePower using our handy guide – https://t.co/pQ8N3wsdv1 #BlueKeep
— Craig Williams (@security_craig) May 31, 2019
Craig Williams mentioned this in the tweet above and linked to the Talos Security article Using Firepower to defend against encrypted RDP attacks like BlueKeep, which discusses the topic. After Microsoft released fixes for the critical pre-authentication remote code execution vulnerability in Remote Desktop Protocol Services (RDP), Cisco Talos immediately started reverse-engineering work to determine exactly how RDP was vulnerable. Talos released Snort SID 50137, which blocks exploitation of CVE-2019-0708 as well as scanning attempts that leverage this vulnerability. In the article linked above, Talos provides a guide to setting up RDP decryption on Cisco Firepower; the guide applies specifically to Windows Server 2008 instances. Windows 7 requires several hurdles to be overcome before it is attackable, and newer Windows Server versions are not vulnerable.
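To make concrete what "an encrypted SSL tunnel" means for RDP, and why a sensor needs decryption before a signature such as Snort SID 50137 can see anything, here is an added example (my own code, not from Talos, Cisco or the original post). It builds the cleartext X.224 Connection Request that opens every RDP connection and reads which security layer the server selects: standard RDP security, TLS, or CredSSP (NLA) on top of TLS. The X.224 negotiation itself is never encrypted; if the server selects TLS or CredSSP, the TLS handshake starts right after the server's Connection Confirm and wraps the rest of the connection sequence, including the MCS channel setup that CVE-2019-0708 abuses. Field layouts follow MS-RDPBCGR (RDP_NEG_REQ, RDP_NEG_RSP, RDP_NEG_FAILURE). The server answers embedded for offline use are constructed by me, not captured traffic; `probe()` is the only part that talks to a real host.

```python
"""Which security layer does an RDP server negotiate? (added example, not from the original post)

Field layouts follow MS-RDPBCGR 2.2.1.1 (X.224 Connection Request carrying
RDP_NEG_REQ) and 2.2.1.2 (X.224 Connection Confirm carrying RDP_NEG_RSP or
RDP_NEG_FAILURE). This negotiation is always sent in the clear; if the server
selects TLS or CredSSP, the TLS handshake starts right after its Connection
Confirm and the remaining connection sequence is encrypted.
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # standard RDP security: no TLS, connection sequence visible on the wire
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP (Network Level Authentication) on top of TLS

PROTOCOL_NAMES = {
    PROTOCOL_RDP: "standard RDP security",
    PROTOCOL_SSL: "TLS",
    PROTOCOL_HYBRID: "CredSSP (NLA) over TLS",
}

# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03


def build_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request TPDU carrying an RDP_NEG_REQ."""
    # RDP_NEG_REQ: type (1) = 0x01, flags (1), length (2, LE) = 8, requestedProtocols (4, LE)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR TPDU: LI counts everything after itself: code, DST-REF, SRC-REF, class (6) + user data
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0x0000, 0x0000, 0x00) + neg_req
    # TPKT: version 3, reserved, total length (2, BE) including the 4-byte TPKT header
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Return (selected_protocol, failure_code) from the server's X.224 Connection Confirm.

    A server that answers without any RDP_NEG_RSP (legacy behaviour) is using
    standard RDP security, so (PROTOCOL_RDP, None) is returned for that case.
    """
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT-framed X.224 PDU")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len > len(data):
        raise ValueError("truncated TPKT")
    li, code = data[4], data[5]
    if code != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % code)
    user_data = data[11:5 + li]          # bytes after the 6-byte fixed CC header
    if not user_data:
        return PROTOCOL_RDP, None
    if len(user_data) < 8:
        raise ValueError("truncated RDP negotiation structure")
    rtype, _flags, length, value = struct.unpack("<BBHI", user_data[:8])
    if length != 8:
        raise ValueError("unexpected negotiation structure length %d" % length)
    if rtype == TYPE_RDP_NEG_RSP:
        return value, None               # value = selectedProtocol
    if rtype == TYPE_RDP_NEG_FAILURE:
        return None, value               # value = failureCode
    raise ValueError("unknown negotiation structure type 0x%02x" % rtype)


def describe(selected, failure):
    """What the negotiation result means for a sensor watching the connection."""
    if failure is not None:
        return {
            "security_layer": None,
            "refused": FAILURE_CODES.get(failure, "unknown(0x%x)" % failure),
            "nla_required": failure == 0x05,
            "inspectable_without_decryption": None,   # connection never got that far
        }
    return {
        "security_layer": PROTOCOL_NAMES.get(selected, "unknown(0x%x)" % selected),
        "refused": None,
        "nla_required": False,
        "inspectable_without_decryption": selected == PROTOCOL_RDP,
    }


def probe(host, port=3389, requested=PROTOCOL_SSL | PROTOCOL_HYBRID, timeout=5.0):
    """Live check against a real host; the offline samples below do not use it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(requested))
        data = sock.recv(1024)
    return describe(*parse_connection_confirm(data))


# Constructed server answers for offline use (written by hand, not captured traffic):
SAMPLE_RESPONSES = {
    # X.224 CC carrying RDP_NEG_RSP with selectedProtocol = TLS
    "tls": bytes.fromhex("03000013" "0ed00000123400" "0200080001000000"),
    # X.224 CC carrying RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER (NLA enforced)
    "nla_required": bytes.fromhex("03000013" "0ed00000123400" "0300080005000000"),
    # X.224 CC with no negotiation structure at all: standard RDP security
    "legacy": bytes.fromhex("0300000b" "06d00000123400"),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for name, raw in SAMPLE_RESPONSES.items():
            print(name, describe(*parse_connection_confirm(raw)))
```

Run without arguments to see the three constructed cases, or with a host name to query a real server. Calling `probe(host, requested=PROTOCOL_RDP)` asks only for the legacy layer: an answer of HYBRID_REQUIRED_BY_SERVER means the server enforces NLA, which Microsoft's advisory for CVE-2019-0708 lists as a partial mitigation because authentication then happens before the vulnerable channel setup. A server that selects TLS or CredSSP is exactly the case the Talos guide addresses: the Firepower sensor needs that server's RDP certificate key to decrypt the session before SID 50137 can inspect it.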