PROACTIVE DETECTION CONTENT: CVE-2019-0708 [socprime]

I think most of the security community has agreed that CVE-2019-0708 is a vulnerability of critical priority to deal with. And while saying “patch your stuff!” feels like the first thing one should think of, the memories of WannaCry and NotPetya are still fresh in my mind. We know that patching ain’t gonna happen at the speed and on the scale it needs to. And thus we are, yet again, building up the detection rules!

A small yet important detail: CVE-2019-0708 is a vulnerability in Remote Desktop Services (RDS), that is, Microsoft’s implementation of the Remote Desktop Protocol (RDP) on Windows. The RDP protocol itself is fine. I feel this statement needs to be here to avoid the kind of hype we saw during the WannaCry outbreak.

The “BlueKeep” hashtag was first used by Kevin Beaumont. I’ve picked it up for two reasons: the GoT reference, and to find relevant posts on Twitter, as one cannot simply hashtag a CVE (unless one removes the dashes). BlueKeep just makes Twitter ops easier 😉

Turning the scales in defenders’ favor.
To establish detection theory we have to consider two threat models:

  1. Worm threat, similar to WannaCry scenario.
  2. APT actor using the vulnerability as part of a more sophisticated campaign, just as EternalBlue and SMB were merely a part of the NotPetya disaster.
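The worm threat model above has a simple network-level signature: one host reaching many distinct internal hosts on TCP/3389 in a short time. The script below is an added illustration of that detection logic, not SOC Prime’s rule content; the connection-log format, the sample addresses, the 60-second window and the 10-target threshold are all assumptions, and the log lines are constructed for the example.

```python
"""Worm-style RDP fan-out detector over constructed connection-log lines.

Added illustration for the "worm threat" model; not SOC Prime's own content.
The log format ("<ISO time> <src_ip> -> <dst_ip>:<dst_port> <flags>"), the
addresses, the window and the threshold are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.1.15 sweeps eleven hosts on 3389 in six seconds
# (worm-like); 10.0.1.42 is an admin reconnecting to one jump host (benign).
SAMPLE_LOG = """\
2019-05-20T10:00:01 10.0.1.15 -> 10.0.2.7:3389 SYN
2019-05-20T10:00:02 10.0.1.15 -> 10.0.2.8:3389 SYN
2019-05-20T10:00:02 10.0.1.15 -> 10.0.2.9:3389 SYN
2019-05-20T10:00:03 10.0.1.15 -> 10.0.2.10:3389 SYN
2019-05-20T10:00:03 10.0.1.15 -> 10.0.2.11:3389 SYN
2019-05-20T10:00:04 10.0.1.15 -> 10.0.2.12:3389 SYN
2019-05-20T10:00:05 10.0.1.15 -> 10.0.2.13:3389 SYN
2019-05-20T10:00:05 10.0.1.15 -> 10.0.2.14:3389 SYN
2019-05-20T10:00:06 10.0.1.15 -> 10.0.2.15:3389 SYN
2019-05-20T10:00:06 10.0.1.15 -> 10.0.2.16:3389 SYN
2019-05-20T10:00:07 10.0.1.15 -> 10.0.2.17:3389 SYN
2019-05-20T10:00:10 10.0.1.42 -> 10.0.2.7:3389 SYN
2019-05-20T10:05:10 10.0.1.42 -> 10.0.2.7:3389 SYN
2019-05-20T10:00:12 10.0.1.42 -> 10.0.2.30:443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<flags>\S+)$"
)


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, port); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])))
    return events


def find_rdp_fanout(events, window=timedelta(seconds=60), threshold=10, allowlist=frozenset()):
    """Return {src: max_distinct_targets} for sources that reach at least `threshold`
    distinct hosts on TCP/3389 inside any interval of length `window`.
    Sources in `allowlist` (known scanners, jump hosts) are skipped to cut false positives."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == 3389 and src not in allowlist:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        best = 0
        # Sliding window anchored at each connection; count distinct targets reached within it.
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= threshold:
            alerts[src] = best
    return alerts


def main():
    alerts = find_rdp_fanout(parse_log(SAMPLE_LOG))
    for src, n in alerts.items():
        print(f"ALERT worm-like RDP fan-out: {src} reached {n} distinct hosts on 3389")


if __name__ == "__main__":
    main()
```

The same logic ports directly to a SIEM query (group by source, count distinct destinations on 3389 over a sliding window); the allowlist is where vulnerability scanners and administrative jump hosts belong, otherwise they will trip the rule on every scan cycle.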

To identify assets at risk we will refer to the following table, shared courtesy of Dragos:
