

Almost six months ago, we were urging users to patch their systems due to a remote code execution vulnerability present in Remote Desktop Services, where attackers could connect to a target’s system using RDP. At that time (May 2019), Microsoft released a patch for CVE-2019-0708, the Remote Desktop vulnerability dubbed BlueKeep. The exploitation could cause the “blue screen of death”, potentially leading to a Game of Thrones ‘Red Keep’ moment. This vulnerability was thought to be ‘wormable’, meaning that any malware that exploited it could propagate from computer to computer without user interaction.

We predicted that it could potentially produce the same amount of damage as we witnessed in the case of the WannaCry ransomware and the older Conficker worm. A few days back, security researcher Kevin Beaumont reported that his BlueKeep honeypot was being exploited in the wild. His discovery was also confirmed by Marcus Hutchins, the security researcher who stopped the WannaCry outbreak and who is a specialist in the BlueKeep exploit.

How was the BlueKeep exploit used?

Recently, a malicious hacker group was spotted using a demo BlueKeep exploit released by the Metasploit team back in September, which was meant to help system administrators test vulnerable systems. Attackers have now been using it to break into unpatched Windows systems and install cryptocurrency miners.

But even though these attacks may seem insignificant compared to what had been foreseen, the Microsoft security team is now warning its customers that “the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners”.

“Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks. In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.” (Microsoft Security Blog)

In other words, although many security researchers thought that the attacks were not as bad as everyone believed they would be, Microsoft supports the idea that this is merely the beginning and that danger most likely is still around the corner.

“Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. BlueKeep can be exploited without leaving obvious traces; customers should also thoroughly inspect systems that might already be infected or compromised,” said Microsoft.

Consequently, for the third time this year, Microsoft is once again urging its users to apply their patches. The second warning came as a reminder at the end of May 2019, when almost 1 million internet-connected computers were still vulnerable to CVE-2019-0708. As of now, around 750,000 endpoints are thought to still be affected by the BlueKeep vulnerability. Many other organizations have issued warnings in the past few months, including the NSA, the US Department of Homeland Security and the UK’s National Cyber Security Centre, all advising companies to patch their outdated systems.

A BlueKeep vulnerability summary

In case you missed it entirely or are only familiar with some parts of the story, in short, here is what you need to know about the BlueKeep vulnerability:

  • BlueKeep (or CVE-2019-0708) is a vulnerability in the Microsoft RDP (Remote Desktop Protocol) service.
  • It only impacts Windows 7, Windows Server 2008 R2 and Windows Server 2008; Windows 8 and Windows 10 systems are not affected by this vulnerability.
  • Microsoft released the patches for the vulnerability in May 2019.
  • Although many researchers developed full-fledged BlueKeep exploits over the summer, no one made the code publicly available because it was considered to be too dangerous and could possibly be exploited by malicious actors, according to ZDNet.
  • In July 2019, a US company began selling a BlueKeep exploit to its customers only for penetration testing purposes.
  • In September, Metasploit published the first BlueKeep proof-of-concept exploit available for anyone.
  • Now, in October, malware creators have started using this BlueKeep Metasploit module in actual malicious campaigns.
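To turn the summary above into something an administrator can act on, here is an added local triage script (not from the original post or Microsoft) that reports whether a host is in the affected version set, has RDP enabled and listening on TCP 3389, requires Network Level Authentication, and has a given update installed. It assumes it runs as an administrator on the host being checked, on PowerShell 2.0 or later (Windows 7 ships PowerShell 2.0, hence Get-WmiObject and netstat rather than newer cmdlets); the $PatchKb value is a placeholder to be replaced with the CVE-2019-0708 KB number for that OS from Microsoft’s advisory.

```powershell
# Added example: local BlueKeep (CVE-2019-0708) exposure triage for one Windows host.
param(
    # Placeholder: replace with the KB number Microsoft lists for this OS in the CVE-2019-0708 advisory.
    [string]$PatchKb = 'KBnnnnnnn'
)

$os = Get-WmiObject -Class Win32_OperatingSystem
# Kernel 6.0 = Windows Server 2008, 6.1 = Windows 7 / Server 2008 R2 (the versions the article lists).
# Windows 8 (6.2+) and Windows 10 (10.0) are not affected.
$affectedKernels = @('6.0', '6.1')
$kernel       = ($os.Version -split '\.')[0..1] -join '.'
$isAffectedOs = $affectedKernels -contains $kernel

# fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpOn = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0

# UserAuthentication = 1 means Network Level Authentication is required before a session is created.
$nlaOn = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1

# netstat works on every affected version; Get-NetTCPConnection does not exist on Windows 7 / 2008.
$listening = [bool](netstat -ano | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

# Only look up the hotfix when a real KB id has been supplied instead of the placeholder.
$patched = $false
if ($PatchKb -match '^KB\d+$') {
    $patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
}

New-Object PSObject -Property @{
    Host        = $env:COMPUTERNAME
    OS          = $os.Caption
    Version     = $os.Version
    AffectedOS  = $isAffectedOs
    RdpEnabled  = $rdpOn
    Port3389    = $listening
    NlaRequired = $nlaOn
    PatchFound  = $patched
    # A host that is in the affected set, accepts RDP and has no patch found needs attention first.
    Exposed     = ($isAffectedOs -and $rdpOn -and $listening -and -not $patched)
}
```

Run it on each host you cannot otherwise account for (the “unmonitored RDP appliances” Microsoft mentions are the ones most likely to be missed) and treat any row with Exposed set to True as a patch-now item; NlaRequired being False means an unauthenticated client can reach the vulnerable code path.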

Patch your vulnerable systems immediately!


The BlueKeep vulnerability only emphasizes the importance of updating and patching in a timely manner, just like our customers who apply Windows updates through our Heimdal™ Patch & Asset Management module do. Our technology has helped 99.5% of our users successfully deploy their patches in time and we are actively pushing the last 0.5% of them to update as soon as possible.
