A network detection rule/signature provided by NCCgroup concerning CVE-ID CVE-2019-0708, which occurs in RDP implementations down to Windows XP, has just been released. 

We have information indicating that this vulnerability could be exploited in less than a week, potentially causing the same amount of damage we saw from self-replicating code like WannaCry and the older Conficker worm. 

From our findings, 8.5% of machines are vulnerable to this attack. Based on this data, we conclude that the impact on businesses worldwide could be devastating. 

Our partners, who continually monitor underground fora and dark market services, have observed multiple offers for sale of functional exploit code. One particular offer comes from a person who has previously sold 0-day vulnerabilities on the dark market. 

We are in possession of the functional exploit code and we can confirm that it works reliably against vulnerable installations and services.  

How does the exploit work? 

Although Microsoft ended support for Windows XP and other older versions in 2014, they released a new patch for them on May 14, 2019.  

Here is the list of vulnerable operating systems: 

  • Windows 2003 
  • Windows XP 
  • Windows 7 
  • Windows Server 2008 
  • Windows Server 2008 R2 

If exploited, a remote code execution bug in RDP will allow hackers to run code on machines using RDP without them having to authenticate. That's right, no credentials required! Once an attacker breaks into a computer this way, they have full control over the machine. A complete free for all.

The simple fact that you are running RDP could mean that the gates to your system are wide open. Lock them down.

This vulnerability could be used by worms, which are pieces of malware that replicate themselves across a network at a rapid rate.

This has happened before with attacks such as WannaCry and NotPetya, and this RDP vulnerability will likely lead to another similar cyber disaster.  

WannaCry was a ransomware worm that spread around the globe in 24 hours, infecting around 300 million computers in 150 countries at epic speed. The National Health Service (NHS) in the UK was one of the first organisations affected, and other major victims included Telefonica, Renault, and Fed-Ex. 

What was more concerning is that the NotPetya outbreak followed shortly after, likely fuelled by the "it-will-not-happen-to-me" mentality and by people not taking matters like these seriously. NotPetya was built on the same EternalBlue exploit, and it disrupted giant organisations such as Maersk and Ukraine’s central bank.  

This shows that outdated systems are still not being patched regularly and that people have not yet learned their lessons. Both remain fundamental problems.

Here is the security guide you need to follow 

As we have already witnessed how rapidly these types of infections can spread, we would like to offer some recommendations so you can stay safe. As ever, prevention is better than cure.  

We strongly recommend that you apply these security measures as quickly as possible, since the outbreak could start sooner than anyone expects. 

  • Patch as soon as possible 

We recommend that all of our customers create a current overview of available RDP services and make sure that they are securely patched. We can assist with this.

We advise a stronger and prioritised focus on all RDP services that are currently exposed externally. 

What to do if you can't patch your machines immediately: 

  • Implement IP restrictions that would prevent global access towards RDP services, no matter whether LAN or WAN. 
  • Enable Network Level Authentication (NLA). This puts another form of authentication in front of RDP, which makes it more difficult for intruders to log in.  
  • Turn off RDP. Obviously, this isn't an option if your business needs it to function.  
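To put the patch check and the three interim measures above into practice on a single host, here is an added PowerShell example; it is not code from the original post or from NCC Group. It assumes it runs in an elevated PowerShell session on the host itself, that the NetSecurity module is present for the firewall step (Windows 8 / Server 2012 or later; the netsh equivalent for Windows 7 / 2008 R2 is given in a comment), and that the KB identifiers and the 10.0.0.0/24 management range are placeholders you replace with your own values.

```powershell
# Added example, not code from the original post or from NCC Group.
# Audits one Windows host for the RDP exposure discussed above and can apply
# the interim mitigations. Assumptions: elevated PowerShell on the host itself;
# Set-NetFirewallRule needs Windows 8 / Server 2012 or later (netsh equivalent
# for Windows 7 / 2008 R2 is in a comment); KB IDs and 10.0.0.0/24 are placeholders.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$TcpKey = "$TsKey\WinStations\RDP-Tcp"

# Platforms the post lists as vulnerable to CVE-2019-0708.
$VulnerableOs = @('Windows XP', 'Windows Server 2003', 'Windows 7',
                  'Windows Server 2008', 'Windows Server 2008 R2')

function Get-RdpExposure {
    param(
        # KB IDs of the May 14, 2019 fix for this OS: placeholder, fill in from
        # Microsoft's advisory for CVE-2019-0708. Empty list = skip the check.
        [string[]] $FixKB = @()
    )
    $os  = (Get-WmiObject Win32_OperatingSystem).Caption   # works on PowerShell 2.0 (Windows 7)
    $ts  = Get-ItemProperty -Path $TsKey
    $tcp = Get-ItemProperty -Path $TcpKey

    $onList  = [bool]($VulnerableOs | Where-Object { $os -like "*$_*" })
    $patched = $null
    if ($FixKB.Count -gt 0) {
        $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
        $patched   = [bool]($FixKB | Where-Object { $installed -contains $_ })
    }

    $result = New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        OS               = $os
        OnVulnerableList = $onList
        RdpEnabled       = ($ts.fDenyTSConnections -eq 0)   # 1 = RDP disabled
        NlaRequired      = ($tcp.UserAuthentication -eq 1)  # 1 = NLA enforced
        RdpPort          = $tcp.PortNumber
        FixInstalled     = $patched                          # $null = not checked
    }

    # Worst case: listed OS, RDP on, no NLA, fix not confirmed -> flag for priority.
    if ($result.OnVulnerableList -and $result.RdpEnabled -and
        -not $result.NlaRequired -and $result.FixInstalled -ne $true) {
        Write-Warning "$($result.ComputerName): unpatched, RDP on, NLA off - prioritise this host"
    }
    $result
}

function Set-RdpMitigation {
    param(
        [switch]   $RequireNLA,      # measure 2 above
        [string[]] $AllowedSources,  # measure 1: IPs/CIDR ranges allowed to reach RDP
        [switch]   $DisableRdp       # measure 3
    )
    if ($RequireNLA) {
        # Same value the System Properties dialog sets; applies to new connections.
        Set-ItemProperty -Path $TcpKey -Name UserAuthentication -Value 1 -Type DWord
    }
    if ($AllowedSources) {
        # Scope the built-in "Remote Desktop" firewall rules from "Any" to the
        # management ranges. Windows 7 / 2008 R2 equivalent:
        #   netsh advfirewall firewall set rule group="remote desktop" new remoteip=10.0.0.0/24
        Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AllowedSources
    }
    if ($DisableRdp) {
        Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
    }
}

# Usage (constructed values): audit this host, then require NLA and restrict
# RDP to the 10.0.0.0/24 management subnet until the patch is installed.
Get-RdpExposure | Format-List
Set-RdpMitigation -RequireNLA -AllowedSources @('10.0.0.0/24')
```

Two caveats worth keeping in mind: NLA is not available as a server-side option on Windows XP or Server 2003, so for those hosts only the firewall restriction or disabling RDP applies; and to build the overview of RDP services mentioned above across many machines, run `Get-RdpExposure` through `Invoke-Command -ComputerName` (or your management tooling) and collect the returned objects rather than auditing hosts one by one.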

Be part of the solution, not part of the problem and act quickly. 

Here you can also find the network signatures.

[UPDATE May 23, 2019] 

A scanner has been released that can detect vulnerable RDP services on one or multiple hosts in a network. The tool can be found on GitHub and can be used to locate RDP services and verify whether they are vulnerable to the exploit code. 

A scanner module has also been released for Metasploit. 


How dangerous is it? 

The tool does not give hackers easy access to vulnerable hosts. Modifying this PoC beyond its denial-of-service check could open a path to accessing machines, but that requires considerable effort.   

However, it is accurate for testing and very handy for system administrators who need to identify vulnerable machines.  

This is a PoC and should only be used for testing and not against targets without their permission.  


Need some help with the above? Pop me a message!