What is BlueKeep and how to protect yourself from it

BlueKeep is a critical RDP vulnerability in older Windows systems. Find out what it is and how to protect your PC or server.

Updated: 14 Dec, 21 by Antoniy Yushkevych 16 Min


BlueKeep is a security vulnerability that affects older versions of Microsoft Windows. It came to light in May 2019, when researchers warned that it was wormable: an exploit could spread from system to system across a network without any user interaction. Tracked as CVE-2019-0708, it affects Windows 7, Windows Server 2003, Server 2008, Server 2008 R2, Vista and XP.

The risk is serious because BlueKeep lies in the operating system's Remote Desktop Protocol (RDP) service. RDP is Microsoft's proprietary protocol for connecting to the graphical desktop of another system over the network, and it is commonly exposed on servers. A vulnerable Windows version with its RDP service reachable from the network is exactly the combination an attacker needs, and a successful exploit gives full control of the system.

Exploitation was initially limited to researchers modelling the risk. In November 2019, however, attackers were found using the vulnerability to install cryptocurrency-mining malware on unpatched machines. The campaign was first spotted by British researcher Kevin Beaumont through honeypots he had set up to alert him to exactly this kind of activity. The attackers used a publicly available demonstration exploit to deliver the miner; the exploit was unreliable, and in many cases it crashed the target with a blue screen instead of installing anything, which is what gave it away on the honeypots.

On 13 August 2019, Microsoft disclosed a further set of similar RDP vulnerabilities (CVE-2019-1181 and CVE-2019-1182), collectively nicknamed DejaBlue. Unlike BlueKeep, these also affect current Windows versions: Windows 7 through Windows 10 and the corresponding Server releases.

BlueKeep is not the only security hole in Windows RDP. Dozens of RDP-related vulnerabilities have been reported over the years, and some of them allow remote code execution, which would let an attacker take control of internet-facing and other network-exposed devices.

BlueKeep was reported to Microsoft by the UK National Cyber Security Centre (NCSC), and Microsoft disclosed it in May 2019. Both warned that the vulnerability could be exploited by a self-propagating worm, in the same way the EternalBlue vulnerability was used by WannaCry and NotPetya.

A separate RDP-related issue was identified after the National Security Agency's advisory. It concerns the way credentials used for Network Level Authentication are cached on the client: if the network link is interrupted, the client automatically re-establishes the connection, and the remote session can be restored without passing through the lock screen again. Microsoft responded that this is expected behaviour and that it can be disabled through Group Policy.

As of June 2019 there were no public reports of BlueKeep being exploited in the wild, although undisclosed proof-of-concept (PoC) exploit code may already have existed. On 1 July 2019 the British security company Sophos reported a working PoC to underline the importance of applying the patch. Concern grew after a Chinese security firm presented on the vulnerability at a conference, and experts warned that a commercial exploit could appear on the market. On 31 July 2019 researchers reported suspicious RDP scanning activity and warned that it could escalate into a dangerous situation endangering the data of millions of users worldwide.

The NSA issued an explicit warning to Windows users to keep their systems updated because of this vulnerability. Advisories were also issued by the NCSC, the Cybersecurity and Infrastructure Security Agency (CISA) and their counterparts in Australia and Germany. Together with Microsoft's security patches, these warnings highlighted the significant threat that BlueKeep poses to internet users.

The agencies also noted that attackers would likely add BlueKeep to ransomware and exploit kits alongside other known exploits, increasing their ability to compromise unpatched systems. The NSA therefore urged users and administrators to put time and effort into understanding their networks and ensuring that every operating system is patched with the latest updates.

Microsoft's Remote Desktop Protocol uses virtual channels that are set up before the authentication process. These channels provide a data path between client and server for protocol extensions such as clipboard and printer redirection. RDP version 5.1 defines 32 static virtual channels, and dynamic virtual channels are carried inside one of them. The server reserves one internal channel, named "MS_T120", at static channel index 31. If a client's connection request asks for a channel named "MS_T120", a vulnerable server binds that same internal channel to a second, client-chosen index; when the client closes it, the channel object is freed while the server still references it, causing heap corruption (a use-after-free) that allows arbitrary code execution on the target without any authentication.

Windows XP, Vista, 7, Server 2003, Server 2008 and Server 2008 R2 are vulnerable; later versions (Windows 8 and 10, Server 2012 and later) are not. CISA has stated that it achieved code execution via this vulnerability on Windows 2000 as well.

BlueKeep is a significant threat to anyone running unsupported, unlicensed or simply unpatched Windows versions. At the time of disclosure, an estimated one million computers connected to the internet were exposed. Such systems are often no longer maintained, run legacy applications and pose a severe security risk, not least because exposed hosts are easy to find: attackers use internet-wide scanners such as Masscan or ZMap to locate systems with RDP open and test them for the vulnerability.

Attackers have been observed using port scans to find Windows systems vulnerable to BlueKeep. A port scan sends connection requests to many ports on a host to find which services are listening, and then targets known weaknesses in those services. Scans for RDP routed through Tor exit nodes were reported, suggesting that BlueKeep attacks were imminent, and the risk is ongoing.

Authorities therefore keep reminding users to install the latest security patches on their Windows computers. Anyone who does not faces a severe risk: attackers will keep using BlueKeep against systems that lack the recommended security update. Install updates whenever Microsoft releases them so that you do not fall prey to such attacks.

Microsoft itself labelled the vulnerability 'wormable', meaning the threat is not just local: an exploit could spread across the internet with no user interaction, as earlier worms did against devices that had not received the recommended security updates.

The most famous example is WannaCry. This crypto-ransomware attack hit a huge number of Windows devices in May 2017. It exploited a vulnerability in Windows SMB using EternalBlue, an exploit developed by the NSA's Equation Group, and installed DoublePulsar, a backdoor implant from the same source, which it used to load its payload and spread from system to system. Microsoft had already released a security patch (MS17-010) two months earlier and issued emergency updates for unsupported versions after the outbreak, but many companies and users still bore the brunt of it because they had not updated their systems.

WannaCry encrypted files on infected devices and locked millions of users out of their systems, demanding a ransom from each victim in exchange for the decryption key. The impact was tremendous: over 230,000 systems around the world were affected. It caused considerable damage to the National Health Service (NHS) in Britain, where ambulances were rerouted, urgent appointments cancelled, surgeries postponed and over a third of health trusts disrupted, at a cost of £92 million.

WannaCry affected systems in more than 150 countries, with financial losses estimated at over $4 billion. Much of the damage could have been averted with more vigilance: applying the available patch took only a few minutes. It was a wake-up call for every user and organization to comply with basic IT security standards.

Because of this precedent, Microsoft released security patches for BlueKeep on 14 May 2019. The company released updates for Windows 7, Server 2008 and Server 2008 R2 and, unusually, also for versions that had reached "end-of-life", the final stage of the product life cycle in which a product normally no longer receives security updates: XP, Vista and Server 2003. The patch forces the "MS_T120" channel to always remain bound to static channel 31, so a client can no longer create the second binding that leads to heap corruption.
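To make the channel-binding mechanism and the patch's rule concrete, here is a simplified model added by the editor; it is not code from the article and not Microsoft's termdd.sys driver code. Only the 32-slot channel table, the reserved index 31 and the "one object, two references" aliasing follow the published analyses; the class and function names, the freed-flag that stands in for heap corruption, and the order in which the model closes and frees channels are the editor's own simplifications. It shows why a second, client-chosen binding for MS_T120 ends in a double free, and why pinning the channel to index 31 prevents it.

```python
# Added illustrative model of the BlueKeep (CVE-2019-0708) channel-binding flaw.
# Not termdd.sys code: names, the freed-flag and the teardown order are the
# editor's simplification; only the 32-slot table, the reserved index 31 and the
# "one object, two references" aliasing follow the published analyses.

MAX_STATIC_CHANNELS = 32
MS_T120_INDEX = 31  # slot the server reserves for its internal MS_T120 channel


class DoubleFree(Exception):
    """The model's stand-in for kernel heap corruption: an object freed twice."""


class Channel:
    def __init__(self, name):
        self.name = name
        self.freed = False

    def free(self):
        if self.freed:
            raise DoubleFree(self.name)
        self.freed = True


class RdpServerConnection:
    def __init__(self, patched):
        self.patched = patched
        # The server creates MS_T120 itself, before any client input, at index 31.
        self.internal_ms_t120 = Channel("MS_T120")
        self.table = [None] * MAX_STATIC_CHANNELS
        self.table[MS_T120_INDEX] = self.internal_ms_t120

    def bind_client_channels(self, names):
        """Bind the channel names from the client's connection request (sent
        before authentication) to consecutive slots. Returns {name: index}."""
        bindings = {}
        for idx, name in enumerate(names):
            if idx >= MS_T120_INDEX:
                raise ValueError("client requested too many static channels")
            if name.upper() == "MS_T120":
                if self.patched:
                    # May 2019 patch: MS_T120 is always channel 31, never a client slot.
                    bindings[name] = MS_T120_INDEX
                    continue
                # Vulnerable: the existing internal object gains a second reference
                # at a client-chosen index, so the client can now act on it.
                self.table[idx] = self.internal_ms_t120
            else:
                self.table[idx] = Channel(name)
            bindings[name] = idx
        return bindings

    def client_closes_channel(self, idx):
        """The client tears down one of its channels; the object is freed even
        though table[31] may still point at it (the vulnerable case)."""
        channel = self.table[idx]
        if channel is not None:
            channel.free()
            self.table[idx] = None

    def disconnect(self):
        """Connection teardown frees every remaining channel object."""
        for idx, channel in enumerate(self.table):
            if channel is not None:
                channel.free()
                self.table[idx] = None


def simulate(patched, client_channels=("rdpdr", "cliprdr", "MS_T120")):
    """Run one malicious connection; return (outcome, index MS_T120 was bound to)."""
    names = list(client_channels)
    conn = RdpServerConnection(patched)
    bindings = conn.bind_client_channels(names)
    try:
        # The client closes the slot it asked for MS_T120 (index 2 here). On a
        # patched server that slot was never populated, so nothing happens.
        conn.client_closes_channel(names.index("MS_T120"))
        conn.disconnect()
        return "clean teardown", bindings["MS_T120"]
    except DoubleFree as exc:
        return f"double free of {exc}", bindings["MS_T120"]


if __name__ == "__main__":
    print("vulnerable:", simulate(patched=False))  # ('double free of MS_T120', 2)
    print("patched:   ", simulate(patched=True))   # ('clean teardown', 31)
```

The model deliberately stops at the double free; the real exploit goes on to reclaim the freed object with attacker-controlled data, which is what turns the heap corruption into code execution.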

The National Security Agency also recommended additional steps: disable Remote Desktop Services and block its TCP port 3389 wherever RDP is not needed, and enable Network Level Authentication (NLA) for RDP. NLA requires the client to authenticate before a session is created, so it blocks the unauthenticated exploitation path that BlueKeep relies on, although it is not a substitute for the patch, because an attacker with valid credentials could still trigger the bug. According to the analysis by the British security company Sophos, enabling two-factor authentication for remote access mitigates a large share of RDP attacks. The best protection, though, is to not expose RDP to the internet at all and to reach it only through a Virtual Private Network (VPN).
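A practitioner will want to verify, not assume, that NLA is enforced on every RDP listener that faces the network, both for the NSA recommendation above and for the NLA item in the checklist later in this article. The following probe is an added example by the editor, not code from the article or from Microsoft. It builds the X.224 Connection Request that opens every RDP session (the format documented in MS-RDPBCGR), asks the server for legacy "standard RDP security" only, and decodes the Connection Confirm: a server with NLA enforced answers with the failure code HYBRID_REQUIRED_BY_SERVER, while a server that accepts the request can be reached without credentials, which is precisely what BlueKeep needs. The function names and the three sample server replies are the editor's own constructions, not captures.

```python
# Added example (not from the original article): an offline-testable RDP
# negotiation probe that tells whether a server enforces NLA. Function names and
# the SAMPLE_* replies are constructed by the editor.
import socket
import struct

PROTOCOL_RDP = 0x00000000     # standard RDP security (no TLS, no NLA)
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication

NEG_RSP, NEG_FAILURE = 0x02, 0x03
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ (19 bytes on the wire)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # type, flags, length, protocols
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req   # CR code, DST-REF, SRC-REF, class
    x224 = bytes([len(x224)]) + x224                        # X.224 length indicator
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3, reserved, length


def parse_connection_confirm(data):
    """Decode the server's TPKT + X.224 Connection Confirm (+ optional RDP_NEG_*)."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data) or (data[5] & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if tpkt_len == 11:
        # Very old servers send no negotiation response at all.
        return {"kind": "legacy"}
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == NEG_RSP:
        return {"kind": "response", "selected_protocol": value}
    if neg_type == NEG_FAILURE:
        return {"kind": "failure", "code": value,
                "reason": FAILURE_CODES.get(value, hex(value))}
    raise ValueError(f"unexpected negotiation type {neg_type:#x}")


def classify(confirm):
    """Interpret the reply to a request that offered PROTOCOL_RDP only."""
    if confirm["kind"] == "failure" and confirm["code"] == 0x05:
        return "NLA enforced: unauthenticated clients never reach session setup"
    if confirm["kind"] == "failure" and confirm["code"] in (0x01, 0x06):
        return "TLS required but NLA not enforced"
    if confirm["kind"] == "legacy" or confirm.get("selected_protocol") == PROTOCOL_RDP:
        return "standard RDP security accepted: exposed to unauthenticated attacks"
    return f"unexpected negotiation result: {confirm}"


def probe(host, port=3389, timeout=5.0):
    """Live check against one host you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return classify(parse_connection_confirm(sock.recv(64)))


# Constructed server replies (not captures), one per outcome; 0x1234 is a dummy SRC-REF.
SAMPLE_NLA_REQUIRED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 05 00 00 00")
SAMPLE_RDP_ACCEPTED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 00 00 00 00")
SAMPLE_LEGACY_SERVER = bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00")

if __name__ == "__main__":
    for label, reply in [("nla", SAMPLE_NLA_REQUIRED), ("rdp", SAMPLE_RDP_ACCEPTED),
                         ("legacy", SAMPLE_LEGACY_SERVER)]:
        print(label, "->", classify(parse_connection_confirm(reply)))
```

"NLA enforced" means BlueKeep cannot be triggered without valid credentials; it does not mean the host is patched, so treat the probe as a check on one mitigation, not as a vulnerability scan. Only run `probe()` against systems you are authorised to test.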

Microsoft has done its part by releasing a security patch to nip the issue in the bud. As a responsible user, you must do your part to protect your systems from such attacks. The risk posed by BlueKeep and the lessons learned from other incidents should keep you on your toes and highlight the importance of securing every device that can be affected. The steps you can take, as an individual and as the owner of an organization, to protect against such attacks are as follows:

  • Patch the systems that are not secure – This point was made in the previous sections, but it is the most overlooked. Failing to install security updates leaves users exposed to data theft. If it happens to an organization's computers, it can become a crisis serious enough to bankrupt the company, as sensitive client information ends up in the open.

BlueKeep left an estimated one million internet-connected computers running Windows 7 and earlier exposed, but they can be protected with the security patches that Microsoft releases. The patches can be downloaded from the Microsoft website for each affected version, in 32-bit or 64-bit form to match your system. Organizations should use centrally managed update deployment on company devices so that the IT department can verify that every device has been updated.

  • Block vulnerable ports – As we have seen in the previous sections, BlueKeep is exploited over the network through the RDP service, which listens on TCP port 3389 by default. That port is the one you must control at the firewall.

This port should be blocked explicitly if your devices or firewall face the public internet. Leaving it open makes your systems susceptible to external attacks. IT teams must take care when handling these ports and should educate users, where needed, on the value of securing their systems from attack.

  • Disable services that are not in use – Users, and even company personnel, sometimes enable services or connect devices to their computers for no real reason. If those devices are not encrypted, or your system lacks the necessary security patch, it becomes an easy target. Keep track of the services your system needs; if you do not need a service, disable it. Remote Desktop Services in particular should be disabled once you have finished using it, because leaving it running exposes a network-facing service that gives attackers a window of opportunity.
  • Enable Network Level Authentication – Your company's IT department can enable Network Level Authentication (NLA) on company devices. NLA is a security feature introduced with Windows Vista; when it is enabled, a remote client must authenticate to the remote system before RDP establishes a session. Unauthenticated connections therefore never reach the vulnerable session-setup code, which limits unauthorized access to the system, although it does not replace the patch.
  • Educate the users – Even with all the security controls in place, if users do not know the basics of IT security, the controls are of little use. There are many ways to secure a system: installing security patches, keeping software updated, protecting the network, and so on. Users must know how to carry out these tasks, because a slip in any of them can put their systems at risk.

Users must follow current IT security news to understand the severity of BlueKeep and similar incidents, which can happen to any of them. Educate users on the basics first and then advance to the next level. Without proper guidance for a company's users, things can very well fall apart, at a cost to the company in both money and reputation.

As the points above show, BlueKeep is a threat that can be neutralized by simple measures. It caused real harm and financial losses, but all that the users who bore the brunt of it needed to do was update their systems promptly. Understanding how BlueKeep damaged systems helps Microsoft and others design defences against similar crises in the future, and it helps you remain vigilant and ready for such threats.

Users must keep up with the threats described above to stay on top of the IT security landscape. It is not just the IT department's responsibility to be alert; every user has to be cautious. Install the security patches and enable automatic updates, so that no external system or attacker can manipulate your system or plant malware without your knowledge.

Antoniy Yushkevych

Master of words when it comes to technology, internet and privacy. I'm also your usual guy who always aims for the best result and takes a skateboard to work. If you need me, you will find me at the office's Counter-Strike championships on Fridays or at a.yushkevych@monovm.com