Microsoft warns more BlueKeep attacks to come

For the third time this year, Microsoft has warned users and organizations to stay vigilant against BlueKeep and patch their systems. In collaboration with security researchers, Microsoft investigated recent system crashes that were caused by a BlueKeep Metasploit module.

In early September, the BlueKeep module used in the Metasploit penetration testing framework was published. Soon thereafter, Microsoft added behavioral detection for the BlueKeep Metasploit module and added the protection to its Microsoft Defender ATP product.

In collaboration with researchers Kevin Beaumont and Marcus Hutchins, Microsoft discovered in early November that some honeypot systems were crashing after being attacked by BlueKeep exploit modules.

“Microsoft security signals showed an increase in RDP-related crashes that are likely associated with the use of the unstable BlueKeep Metasploit module on certain sets of vulnerable machines,” Microsoft warned in a recent blog post on Thursday.

The BlueKeep vulnerability (CVE-2019-0708) exists in Remote Desktop Services (formerly known as Terminal Services) and impacts Windows servers running Remote Desktop Protocol (RDP). Attackers could exploit this vulnerability without any user authentication and remotely execute malicious code.

BlueKeep impacts Windows 7, Windows Server 2008 and Windows Server 2008 R2 and was patched by Microsoft on May 14, 2019.

Just this past June, the Department of Homeland Security (DHS) also issued a warning about the “wormable” BlueKeep threat and vulnerability. DHS confirmed attackers can exploit unpatched systems.

In summary, the latest Microsoft warning just adds yet another reminder to organizations to stay vigilant, monitor and patch any systems that may still be missing the BlueKeep update.
