BlueKeep Attack Detected by AhnLab EDR

BlueKeep (CVE-2019-0708) is a vulnerability disclosed in May 2019 that occurs during the Remote Desktop Protocol (RDP) connection process between a client and a server. When a client sends a malicious packet over a specific virtual channel (MS_T120), a Use-After-Free condition is triggered, allowing remote code execution.[1] This vulnerability was covered on the ASEC Blog as recently as [2], and APT groups continue to exploit it.

This post will explain the BlueKeep vulnerability recently detected by AhnLab Endpoint Detection and Response (EDR).

The detected attack appears to use a tool similar to those mentioned in the ASEC Blog post [2]. Exploitation of the BlueKeep vulnerability results in malicious commands being executed from within spoolsv.exe, a default Windows program (the Print Spooler service). The cmd.exe process spawned by spoolsv.exe shows this (see Figure 1).

Figure 1. cmd.exe executed by spoolsv.exe

Examining the malicious commands in the EDR process diagram shows that the threat actor renames the default Windows program cmd.exe to Narrator.exe. Because cmd.exe has been substituted for Narrator.exe, launching the Narrator feature from the accessibility options while no user is logged on actually starts cmd.exe instead of Narrator.exe. Since a cmd.exe started this way runs with SYSTEM privileges, the threat actor is presumed to have issued these commands for the purpose of privilege escalation.

Narrator, shown in Figure 3, is not the only target: any of the programs reachable through the accessibility features can be replaced with cmd.exe in the same way, allowing malicious commands to be executed.
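As an added illustration that is not part of the original post or of AhnLab's product, the routine below flags the two behaviours described above over Sysmon-style process-creation events: a shell spawned by spoolsv.exe, and cmd.exe being copied over or masquerading as an accessibility binary. The list of accessibility executables and the sample events are constructed for this example.

```python
import re
from dataclasses import dataclass

# Windows accessibility executables reachable from the logon screen. The post
# notes that any of them, not only Narrator.exe, can be swapped for cmd.exe.
ACCESSIBILITY_BINARIES = {
    "narrator.exe", "sethc.exe", "utilman.exe", "osk.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
RENAME_CMDS = re.compile(r"\b(copy|move|ren(ame)?)\b", re.IGNORECASE)

@dataclass
class ProcEvent:
    parent: str          # parent image name
    image: str           # image name as launched
    original_name: str   # PE OriginalFileName, as Sysmon records it
    cmdline: str

def detect(event: ProcEvent) -> list[str]:
    """Return the detection names triggered by one process-creation event."""
    hits = []
    parent, image = event.parent.lower(), event.image.lower()
    cmd = event.cmdline.lower()
    # 1. Print Spooler spawning a shell: the post-exploitation pattern in the post.
    if parent == "spoolsv.exe" and image in {"cmd.exe", "powershell.exe"}:
        hits.append("spoolsv_spawned_shell")
    # 2. A copy/move/rename command that names an accessibility binary.
    if RENAME_CMDS.search(cmd) and any(b in cmd for b in ACCESSIBILITY_BINARIES):
        hits.append("accessibility_binary_replaced")
    # 3. A process named like an accessibility tool whose PE metadata says cmd.exe.
    if image in ACCESSIBILITY_BINARIES and event.original_name.lower() == "cmd.exe":
        hits.append("accessibility_name_masquerades_cmd")
    return hits

# Constructed sample events (not taken from the EDR in the post).
SAMPLE_EVENTS = [
    ProcEvent("spoolsv.exe", "cmd.exe", "Cmd.Exe",
              r"cmd.exe /c copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\Narrator.exe"),
    ProcEvent("winlogon.exe", "Narrator.exe", "Cmd.Exe", r"C:\Windows\System32\Narrator.exe"),
    ProcEvent("explorer.exe", "cmd.exe", "Cmd.Exe", r"cmd.exe /c dir"),
    ProcEvent("spoolsv.exe", "splwow64.exe", "splwow64.exe", r"splwow64.exe"),
]

def scan(events=SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map event index -> triggered detections, omitting clean events."""
    return {i: h for i, e in enumerate(events) if (h := detect(e))}

if __name__ == "__main__":
    print(scan())
```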

Figure 2. Detection of malicious commands being executed due to BlueKeep

Figure 3. Accessibility features in Windows 7

AhnLab EDR is a next-generation endpoint threat detection and response solution that provides threat monitoring, analysis, and response capabilities on endpoints through a behavior-based analysis engine developed in Korea. By continuously collecting information on suspicious activities, such as the exploitation discussed in this article, users can accurately assess threats from a detection, analysis, and response perspective. Administrators can then conduct comprehensive analyses to identify root causes, respond with appropriate measures, and establish processes to prevent recurrence.
