Behavior Detection on Fileless BlueKeep Vulnerability

On May 14, 2019, Microsoft released an emergency security update patching the BlueKeep (CVE-2019-0708) vulnerability. Unusually, the company also issued updates for discontinued operating systems (Windows XP, Windows Vista, Windows Server 2003) and warned that BlueKeep could be exploited as a 'wormable' vulnerability, just like EternalBlue in 2017.

BlueKeep is a remote code execution vulnerability caused by a use-after-free that occurs when a client sends a malicious packet to a specific virtual channel (MS_T120) during the Remote Desktop Protocol (RDP) connection between client and server. On September 6, four months after the first patch was released on May 14, a Metasploit proof-of-concept (PoC) module enabling remote code execution was published. In early November, the first case of malware being distributed using BlueKeep was confirmed.

Applying the security patch is mandatory to address the BlueKeep vulnerability. If the system does not use remote desktop, the vulnerability can also be mitigated by disabling TCP port 3389, or, where RDP is needed, by enabling Network Level Authentication (NLA) for RDP.
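The two configuration mitigations above (requiring NLA, or blocking TCP 3389 when RDP is not used) can be audited and applied from an elevated PowerShell session. The following is an added example written for this page, not AhnLab's code; it assumes Windows 8 / Server 2012 or later (for the built-in NetSecurity firewall cmdlets) and uses the standard Terminal Server registry values. The firewall rule name `Block inbound RDP 3389` is an arbitrary label chosen here.

```powershell
<#
  Added example (not AhnLab's code): audit and harden RDP exposure on a Windows host
  against BlueKeep-style attacks, following the two mitigations from the advisory:
  require Network Level Authentication (NLA), or block TCP 3389 when RDP is not needed.
  Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.
#>

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # Read the settings that decide whether an unauthenticated client can reach the
    # pre-authentication RDP code path (the MS_T120 channel handling BlueKeep abuses).
    $deny = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $RdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $port = (Get-ItemProperty -Path $RdpKey -Name PortNumber         -ErrorAction SilentlyContinue).PortNumber

    [pscustomobject]@{
        RdpEnabled     = ($deny -eq 0)
        NlaRequired    = ($nla -eq 1)
        ListenPort     = $port
        # Exposed: RDP listener is on and NLA is not enforced.
        PreAuthExposed = (($deny -eq 0) -and ($nla -ne 1))
    }
}

function Set-RdpHardening {
    param(
        [switch]$DisableRdp   # use when the host does not need remote desktop at all
    )
    if ($DisableRdp) {
        # Advisory option 1: RDP not used -> turn the listener off and block the port
        # at the host firewall so a patch gap cannot be reached from the network.
        Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
        if (-not (Get-NetFirewallRule -DisplayName 'Block inbound RDP 3389' -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName 'Block inbound RDP 3389' -Direction Inbound `
                -Protocol TCP -LocalPort 3389 -Action Block | Out-Null
        }
    } else {
        # Advisory option 2: RDP needed -> require NLA, so the client must authenticate
        # (CredSSP) before the vulnerable channel-handling code is reachable.
        Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
        Set-ItemProperty -Path $RdpKey -Name SecurityLayer      -Value 2 -Type DWord  # 2 = TLS
    }
    Get-RdpExposure
}

# Usage: audit first, then apply the option that matches the host's role.
Get-RdpExposure | Format-List
# Set-RdpHardening              # RDP is needed: require NLA
# Set-RdpHardening -DisableRdp  # RDP is not needed: disable it and block 3389
```

Run `Get-RdpExposure` across a fleet before and after rollout; a host that reports `PreAuthExposed = True` still needs either the patch confirmed installed (check `Get-HotFix` against the BlueKeep KB for that OS version) or one of the two hardening options above. NLA is a mitigation, not a substitute for the patch.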

AhnLab products block attacks exploiting fileless vulnerabilities such as BlueKeep and EternalBlue with the newly applied "TrueEyes" technology, a behavior-based engine for detecting fileless attacks. Customers using this engine are protected against remote code execution through these vulnerabilities.

[Behavior Detection] 

Malware/MDP.Behavior.M2523

Categories: Malware Information
