BlueKeep RDP flaw

CTM360
2 min read · Jul 29, 2019


(CVE-2019-0708)

Threat Description

The BlueKeep RDP flaw (CVE-2019-0708) has grown into a global concern: sources state that around 1 million devices expose port 3389 (RDP), the port used by Remote Desktop Services. Machines running older OS versions with port 3389 open are therefore exposed to worm-like malware, similar to the infamous WannaCry, which targeted port 445. Attackers can abuse systems that have Remote Desktop connections enabled on the following operating systems if they have not been patched recently:

  • Windows XP
  • Windows 7
  • Windows Server 2003
  • Windows Server 2008

There are currently no publicly available exploits; however, it has come to light that attackers and researchers have already developed tools that can take advantage of the vulnerability. The exploit allows attackers to execute code on targeted systems once they gain access, which permits them to install malware or perform other malicious activity and lets an infection spread uncontrollably.

Even though Microsoft no longer supports these older operating systems, it has already released patches for them because of the severity of this vulnerability.

Data retrieved from third-party sources that collect publicly available information about IP addresses has helped to identify the port 3389 situation in Bahrain alone (please see the sheet attached below). Upon further analysis, we have identified which IP addresses might be vulnerable to the BlueKeep RDP flaw and have tagged them accordingly. However, the criticality can only be verified if the listed IP addresses are checked directly and thoroughly (with permission from the IP address owner) rather than by analyzing publicly available information.

Recommendation:

  • Install and update the latest patches for all Windows operating systems, even if Remote Desktop Services are disabled.
  • Disable Remote Desktop Services if they are not needed.
  • Enable Network Level Authentication on systems running the previously mentioned operating systems.
  • Allow only internal access to port 3389, and only where it is required. If external access is required, restrict it to specific IP addresses only.
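As an added example (not part of the CTM360 post), the following PowerShell script audits a single Windows host against the four recommendations above. It assumes it is run as Administrator on the host itself, and the $BlueKeepKbIds list is a placeholder to be filled from the Microsoft advisory for the host's OS.

```powershell
# Added example, not from the original post: audit one host against the
# BlueKeep recommendations (patch level, RDP enabled, NLA, listening port).
param(
    # Placeholder: KB identifiers of the CVE-2019-0708 fix for this OS,
    # taken from the Microsoft advisory. Fill in before use.
    [string[]]$BlueKeepKbIds = @('KBXXXXXXX')
)

# Get-WmiObject is used instead of Get-CimInstance so the script also runs
# on the legacy systems named in the advisory (PowerShell 2.0).
$os = Get-WmiObject -Class Win32_OperatingSystem

# Version families of the listed OS: 5.1 = XP, 5.2 = Server 2003,
# 6.0 = Server 2008, 6.1 = Windows 7. Anything below 6.2 is in scope.
$legacy = [version]$os.Version -lt [version]'6.2'

# Remote Desktop configuration lives under the Terminal Server key.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
# fDenyTSConnections = 1 means Remote Desktop connections are disabled.
$rdpDisabled = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
# UserAuthentication = 1 means Network Level Authentication is required.
$nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1
# PortNumber is 3389 unless an administrator moved the listener.
$port = (Get-ItemProperty -Path $tcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber

# The fix counts as installed if any of the listed KBs is present.
$patched = [bool](Get-HotFix -Id $BlueKeepKbIds -ErrorAction SilentlyContinue)

$findings = @()
# Recommendation 1: patch even when Remote Desktop is disabled.
if ($legacy -and -not $patched) { $findings += 'Legacy OS without the BlueKeep fix installed: patch immediately' }
# Recommendation 2 and 3: disable RDP if unused, otherwise enforce NLA.
if (-not $rdpDisabled) {
    $findings += "Remote Desktop is enabled (listening on TCP $port): disable it if not needed"
    if (-not $nla) { $findings += 'Network Level Authentication is not enforced: enable it' }
}
# Recommendation 4 (restricting who may reach the port) must be checked at
# the firewall or network boundary; it is reported here for follow-up only.
if (-not $rdpDisabled) { $findings += "Confirm TCP $port is reachable only from approved internal addresses" }

New-Object PSObject -Property @{
    Host        = $env:COMPUTERNAME
    OS          = $os.Caption
    LegacyOS    = $legacy
    Patched     = $patched
    RdpEnabled  = -not $rdpDisabled
    NlaEnforced = $nla
    Findings    = $findings
}
```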
