A vulnerability in the Remote Desktop Services component of Microsoft Windows could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerability exists because the affected software improperly handles Remote Desktop Protocol (RDP) requests. An attacker could exploit the vulnerability by sending specially crafted RDP connection requests to the affected software; no valid credentials and no user interaction are required. A successful exploit could allow the attacker to execute arbitrary code and completely compromise the system. Microsoft confirmed the vulnerability and released software updates.
Vulnerable Product |
---|
microsoft windows vista |
microsoft windows server 2008 r2 |
microsoft windows server 2008 |
microsoft windows xp |
microsoft windows server 2003 |
microsoft windows server 2003 r2 |
microsoft windows 7 |
Posted: 15 May, 2019. Microsoft Patch Tuesday – May 2019. This month the vendor has patched 79 vulnerabilities, 22 of which are rated Critical. As always, customers are advised to follow these security best practices:
Install vendor patches as soon as they are available.
Run all software with the least privileges required while still maintai...
Remote Desktop Protocol (RDP) named pipes have a security bug that could allow any standard, unprivileged user on a shared RDP host to access data from other connected users’ sessions. If exploited, it could lead to data-privacy issues, lateral movement and privilege escalation, researchers warned.
Insider attackers could, for instance, view and modify other people’s clipboard data or impersonate other logged-in users using smart cards.
The vulnerability, tracked as CVE-2022-21893, wasn’t ballyhooed ami...
Criminal small talk in underground forums offers critical clues about which known Common Vulnerabilities and Exposures (CVEs) threat actors are most focused on. This, in turn, tells defenders what to watch out for.
An analysis of such chatter, by Cognyte, examined 15 cybercrime forums between Jan. 2020 and March 2021. In its report, researchers highlight what CVEs are the most frequently mentioned and try to determine where attackers might strike next.
“Our findings reveal...
The Lemon Duck cryptocurrency-mining botnet has added the ProxyLogon group of exploits to its bag of tricks, targeting Microsoft Exchange servers.
That’s according to researchers at Cisco Talos, who said that the cybercrime group behind Lemon Duck has also added the Cobalt Strike attack framework into its malware toolkit and has beefed up anti-detection capabilities. On the latter front, it’s using fake domains on East Asian top-level domains (TLDs) to hide command-and-control (C2) inf...
A previously known threat group, called UNC1945, has been compromising telecommunications companies and targeting financial and professional consulting industries, by exploiting a security flaw in Oracle’s Solaris operating system.
Researchers said that the group was exploiting the bug when it was a zero-day, long before a patch arrived.
The bug, CVE-2020-14871, was recently addressed in Oracle’s October 2020 Critical Patch Update. The vulnerability exists in the Oracle Solaris ...
Through Mandiant investigation of intrusions, the FLARE Advanced Practices team observed a group we track as UNC1945 compromise managed service providers and operate against a tailored set of targets within the financial and professional consulting industries by leveraging access to third-party networks (see this blog post for an in-depth description of “UNC” groups).
UNC1945 targeted Oracle Solaris operating systems, utilized several tools and utilities against Windows and Linux opera...
Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities – with a Pulse VPN flaw claiming the dubious title of “most-favored bug” for these groups.
That’s according to the National Security Agency (NSA), which released a “top 25” list of the exploits that are used the most by China-linked advanced persistent threats (APT), which include the likes of Cactus Pete, TA413, Vicious Panda and Winnti.
The Feds...
Researchers are warning of a recent dramatic uptick in the activity of the Lemon Duck cryptocurrency-mining botnet, which targets victims’ computer resources to mine the Monero virtual currency.
Researchers warn that Lemon Duck is “one of the more complex” mining botnets, with several interesting tricks up its sleeve. While the botnet has been active since at least the end of December 2018, researchers observed an increase in DNS requests connected with its command-and-control (C2) a...
The InvisiMole threat group has resurfaced in a new campaign, revealing a new toolset and a strategic collaboration with the high-profile Gamaredon advanced persistent threat (APT) group.
InvisiMole was first uncovered by ESET in 2018, with cyberespionage activity dating back to 2013 in operations in Ukraine and Russia. More recently, from late 2019 until at least this month, researchers have spotted the group attacking a few high-profile organizations in the military sector and diplomatic...
Security researchers have demystified the attack chain of the elusive InvisiMole cyberespionage group, revealing a complicated multi-stage format that relies on vulnerable legitimate tools, target-specific encryption of payloads, and stealthy communication.
InvisiMole gets access to the target network through Gamaredon, a threat actor linked to Russia that runs reconnaissance operations and identifies valuable systems.
Both attack groups have been operational for at least seven years ...
While Microsoft issued patches for the infamous BlueKeep vulnerability almost a year ago, researchers warn that almost half of connected medical devices in hospitals run on outdated Windows versions that are still vulnerable to the remote desktop protocol (RDP) flaw.
Researchers said they found that 22 percent of a typical hospital’s Windows devices were vulnerable to BlueKeep. Even worse, the number of connected medical devices running Windows that are vulnerable to BlueKeep is consider...
A new scanning tool is now available for checking if your computer is vulnerable to the BlueKeep security issue in Windows Remote Desktop Services.
Despite Microsoft rolling out a patch in mid-May, there are tens of thousands of devices exposing a Remote Desktop Protocol (RDP) service to the public internet.
BlueKeep (CVE-2019-0708) is a vulnerability that leads to remote code execution and could be leveraged to spread malware across connected systems without any interaction from the user...
While the BlueKeep (CVE-2019-0708) vulnerability has not, to date, caused widespread havoc, and we will be looking at the reasons why in this post, it is still very early in its exploitation life cycle. The fact remains that many systems are still not patched, and a thoroughly wormable version of the exploit might still be found. Because of these factors, ESET has created a free utility to check if a system is vulnerable.
Sometimes, you have to say something about things that “go without...
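The description at the top of this page and the scanning utilities mentioned in the snippets just above both turn on one question: can a client that has no credentials reach Remote Desktop Services on a host at all? Microsoft's own mitigation advice for this flaw was to require Network Level Authentication (NLA), which forces CredSSP authentication before the rest of the connection is set up. The probe below, an added example that is not code from this page, from Microsoft, or from any of the scanners it mentions, sends only the first RDP handshake step defined in MS-RDPBCGR (an X.224 Connection Request carrying an RDP negotiation request for legacy "standard RDP security") and classifies the Connection Confirm that comes back. It sends no credentials and opens no channels. The host name in the `__main__` block, the probe cookie string and the sample responses used to exercise the parser are constructed for the example.

```python
"""
Added example: pre-authentication exposure probe for RDP (MS-RDPBCGR
X.224 Connection Request / Confirm with the RDP negotiation blob).
Not code from the original page or from any vendor it quotes.
"""
import socket
import struct

# requestedProtocols / selectedProtocol values (RDP_NEG_REQ / RDP_NEG_RSP)
PROTOCOL_RDP = 0x00000000     # legacy "standard RDP security", no NLA
PROTOCOL_SSL = 0x00000001     # TLS transport, still no user auth first
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication

TYPE_NEG_RSP = 0x02
TYPE_NEG_FAILURE = 0x03

# RDP_NEG_FAILURE failureCode values
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
# Codes meaning the server will not proceed without user credentials.
AUTH_REQUIRED_CODES = {0x05, 0x06}


def build_connection_request(requested_protocols=PROTOCOL_RDP,
                             cookie=b"Cookie: mstshash=probe\r\n"):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    user_data = cookie + neg_req
    # LI counts everything after itself: type, dst-ref, src-ref, class, data
    x224 = struct.pack(">BBHHB", 6 + len(user_data), 0xE0, 0, 0, 0) + user_data
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Classify the server's X.224 Connection Confirm.

    The key output is pre_auth_reachable: whether a client with no
    credentials may continue into MCS/channel setup after this exchange."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 response")
    if struct.unpack(">H", data[2:4])[0] > len(data):
        raise ValueError("truncated TPKT frame")
    li, tpdu_type = data[4], data[5]
    if tpdu_type != 0xD0:
        raise ValueError("X.224 TPDU is not a Connection Confirm (0xD0)")
    result = {"negotiation": "none", "selected_protocol": PROTOCOL_RDP,
              "failure": None, "nla_enforced": False}
    if li == 6:
        # No RDP_NEG_RSP at all: an old server that only speaks standard
        # RDP security, so the unauthenticated code path is fully reachable.
        result["pre_auth_reachable"] = True
        return result
    if len(data) < 19:
        raise ValueError("truncated RDP negotiation structure")
    ntype, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if ntype == TYPE_NEG_RSP:
        result.update(negotiation="response", selected_protocol=value)
    elif ntype == TYPE_NEG_FAILURE:
        result.update(negotiation="failure", selected_protocol=None,
                      failure=FAILURE_CODES.get(value, hex(value)),
                      nla_enforced=value in AUTH_REQUIRED_CODES)
    else:
        raise ValueError("unknown RDP negotiation type %#x" % ntype)
    result["pre_auth_reachable"] = not result["nla_enforced"]
    return result


def check_rdp_exposure(host, port=3389, timeout=5.0):
    """Probe a live host, asking for standard RDP security (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        data = sock.recv(1024)
    return parse_connection_confirm(data)


if __name__ == "__main__":
    import sys
    # "rds.example.internal" is an assumed host name for the example.
    target = sys.argv[1] if len(sys.argv) > 1 else "rds.example.internal"
    print(check_rdp_exposure(target))
```

Read the result carefully. `HYBRID_REQUIRED_BY_SERVER` means NLA is enforced and an anonymous client is stopped at this step; `SSL_REQUIRED_BY_SERVER` only moves the same unauthenticated handshake onto TLS, so it is still reported as reachable. The probe reports exposure of the pre-authentication path, not patch state: a host that enforces NLA can still be unpatched, and a host that accepts standard RDP security may already have the May 14 update installed. It complements, rather than replaces, the vulnerability checkers the articles above describe, and it is equally useful for confirming that a perimeter rule really does keep port 3389 off the internet.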
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
According to Kaspersky Security Network:
In Q3 2019, we discovered an extremely unpleasant incident with the popular CamScanner app on Google Play. The new version of the app contained an ad library inside with the Trojan dropper Necro built in. Judging by the reviews on Google Play, the dropper’s task was to activate paid subscriptions, although it ...
Windows 10, version 1803, also known as the April 2018 Update, has now reached end of service for Home, Pro, Pro Education, and Pro for Workstations editions, and will no longer receive any future quality and security updates.
As Microsoft said in October, customers who want to continue receiving quality updates should update to the latest version of Windows before end of support.
Redmond also said that an automatic feature update to May 2019 Update will be ini...
Admins snoozing on patching despite reports of active attacks
The flurry of reports in recent weeks of in-the-wild exploits for the Windows RDP 'BlueKeep' security flaw had little impact among those responsible for patching, it seems.
This according to researchers with the SANS Institute, who have been tracking the rate of patching for the high-profile vulnerability over the last several months and, via Shodan, monitoring the number of internet-facing machines that have the remote desktop flaw exposed.
First disclosed in May of this year, BlueK...
Ever since it was discovered six months ago, the BlueKeep vulnerability has had (not only) the cybersecurity community concerned about impending WannaCryptor-style attacks. Earlier in November, Microsoft together with security researchers Kevin Beaumont and Marcus Hutchins shed light on the first malicious campaign that was aimed at exploiting the critical remote code execution (RCE) flaw. The attacks targeted unpatched vulnerable Windows systems to install cryptocurrency mining software, but we...
The Microsoft Defender ATP Research Team says that the BlueKeep attacks are connected with a coin mining campaign from September that used the same command-and-control (C2) infrastructure.
BlueKeep is an unauthenticated remote code execution vulnerability affecting Remote Desktop Services on Windows 7, Windows Server 2008, and Windows Server 2008 R2, as well as the out-of-support Windows XP and Windows Server 2003.
The Microsoft Defender ATP Research Team that unearthed this new info urges users to immediately patch Windows systems vulnerabl...
The BlueKeep remote code execution vulnerability in the Windows Remote Desktop Services is currently exploited in the wild. Vulnerable machines exposed to the web are apparently compromised for cryptocurrency mining purposes.
The attempts have been recorded by honeypots that expose only port 3389, specific for remote assistance connections via the Remote Desktop Protocol (RDP).
Security researcher Kevin Beaumont noticed on Saturday that multiple honeypots in his EternalPot RDP honeyp...
Windows 10 version 1703, otherwise known as the Creators Update, has now reached end of service and will no longer receive any future security or quality updates.
When a Windows version becomes out of service, Microsoft will no longer fix any bugs found in that version or release security updates that fix new vulnerabilities that are discovered.
As of October 8th, 2019, users running consumer, enterprise, and education versions of Windows 10 1703 are required to upgrade to Windows...
Two elevation-of-privilege vulnerabilities that have been exploited in the wild as zero-days are at the heart of September’s Patch Tuesday update from Microsoft.
The two EoP vulnerabilities under active attack consist of CVE-2019-1214, which exists in the Windows Common Log File System (CLFS) Driver; and CVE-2019-1215, which impacts the Winsock IFS Driver (ws2ifsl.sys).
“Both flaws exist due to improper handling of objects in memory by the respective drivers,” said Satnam Naran...
Patch management is a thankless job. Data shows, despite best efforts, that 80 percent of enterprise applications have at least one unpatched vulnerability in them, according to research by Veracode.
It is not for lack of trying that vulnerabilities persist. Last year 16,500 vulnerabilities were reported, making patching each one nearly an impossible task for any one company. Perhaps it shouldn’t be a surprise that Windows patching times appear to be moving in the wrong direction. According...
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
According to Kaspersky Security Network,
Q2 2019 will be remembered for several events.
First, we uncovered a large-scale financial threat by the name of Riltok, which targeted clients of not only major Russian banks, but some foreign ones too.
Second, we detected the new Trojan.AndroidOS.MobOk malware, tasked with stealing money from mobil...
For two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They aim to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activiti...
The nightmare vision of a “mega-worm” global BlueKeep infection could be closer to becoming reality as working exploits are now becoming available to the public, and there’s evidence that adversaries are actively scanning for the vulnerability.
Researchers weighed in with Threatpost about how enterprises can thwart the critical Windows remote code-execution (RCE) vulnerability, even if immediate patching is too large an ask.
By way of background, the BlueKeep vulnerability (CVE...
Someone just revealed the tricky kernel heap spray part
Vital clues on how to exploit the notorious Windows RDP bug, aka CVE-2019-0708 aka BlueKeep, and hijack vulnerable boxes, emerged online this week.
The growing number of hints can be used by folks to develop working code that attacks Microsoft's Remote Desktop Services software, on Windows XP through to Server 2008, and gains kernel-level code execution without any authentication or user interaction. You just need to be able to reach a vulnerable RDP server across the network or internet...
As of early July, more than 805,000 internet-facing systems remained susceptible to the BlueKeep security vulnerability, the news of which spooked the internet two months ago and prompted a flurry of alerts urging users and organizations to patch the critical flaw post-haste.
The tally, released today by cybersecurity ratings company BitSight, also shows that the number of vulnerable public-facing machines fell by 17 percent between May 31st and July 2nd, after the firm’s previous estima...
For the past two months, security researchers have been sounding the alarm about BlueKeep, a critical remote code-execution vulnerability in Microsoft Windows that researchers said could lead to a “mega-worm” global infection. As of July 2, approximately 805,665 systems remain online that are vulnerable to BlueKeep, according to a status update.
The number of susceptible systems represents a decrease of 17.18 percent (167,164 systems) compared to May 31, including 92,082 systems which ...
The multiple warnings about patching Windows systems against the BlueKeep vulnerability (CVE-2019-0708) have not gone unheeded. Administrators of enterprise networks listened and updated most of the machines affected by the issue.
BlueKeep exists in the Remote Desktop Protocol (RDP) on older Windows releases that are still supported (Windows 7, Windows Server 2008 R2, and Windows Server 2008) as well as on OS versions that reached end-of-life status (Windows XP, Windows Server 2003).
...
The Department of Homeland Security has confirmed it has developed a working exploit for the “wormable” BlueKeep vulnerability. The agency issued an alert on Monday urging Windows users to update their machines as soon as possible.
The alert heightens concerns that malicious actors could soon also develop their own exploits of the BlueKeep flaw. The critical remote code execution vulnerability (CVE-2019-0708), though fixed during Microsoft’s May Patch Tuesday Security Bulletin, cont...
While everyone’s talking about the BlueKeep Mega-Worm, this is not the main monster to fear, according to recent web attack activity. Rather, a researcher is warning that the GoldBrute botnet poses the greatest threat to Windows systems right now.
In the past few days, GoldBrute (named after the Java class it uses) has attempted to brute-force Remote Desktop Protocol (RDP) connections for 1.5 million Windows systems and counting, according to Morphus Labs chief research officer Renato Ma...
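The GoldBrute activity described above is password guessing against RDP endpoints rather than exploitation of the RDP flaw, and unlike a memory-corruption exploit it leaves a clear trail in the target's own authentication log. The detector below is an added example, not code from this page or from Morphus Labs. It runs over constructed Windows Security log lines (Event ID 4625, "An account failed to log on") and raises two kinds of alert: one source hammering a single host inside a short window, and the distributed pattern in which many sources each try one account against the same host, which a per-source threshold alone would never catch. The log layout, host names, addresses, account names and thresholds are assumptions made for the example.

```python
"""
Added example: RDP password-guessing detector over constructed
Windows Security events.  Not code from the original page.
"""
from collections import defaultdict, deque
from datetime import datetime

# Event ID 4625 is "An account failed to log on".  Logon type 10 is
# RemoteInteractive (classic RDP); an NLA/CredSSP failure is recorded
# with logon type 3 (Network), so both count as RDP here.
FAILED_LOGON = 4625
RDP_LOGON_TYPES = {3, 10}


def _constructed_log():
    """Sample events built for this example (all addresses are documentation ranges)."""
    lines = []
    # One aggressive source hitting RDS01 every 5 seconds (12 attempts).
    for i in range(12):
        lines.append(f"2019-06-07T10:00:{i * 5:02d}Z EventID=4625 LogonType=10 "
                     f"Src=203.0.113.7 User=administrator Host=RDS01")
    # Eight sources each trying a single, different account on RDS02, 30 s apart.
    for i in range(8):
        m, s = divmod(300 + 30 * i, 60)
        lines.append(f"2019-06-07T10:{m:02d}:{s:02d}Z EventID=4625 LogonType=3 "
                     f"Src=198.51.100.{i + 1} User=user{i + 1} Host=RDS02")
    # Noise that must not trigger: console failures and a successful logon.
    lines.append("2019-06-07T10:00:03Z EventID=4625 LogonType=2 Src=- User=jdoe Host=RDS01")
    lines.append("2019-06-07T10:00:07Z EventID=4625 LogonType=2 Src=- User=jdoe Host=RDS01")
    lines.append("2019-06-07T10:06:00Z EventID=4624 LogonType=10 Src=192.0.2.10 User=ops Host=RDS01")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text):
    """Parse 'timestamp Key=Value ...' lines (an assumed export layout)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(kv["EventID"]),
            "logon_type": int(kv["LogonType"]),
            "src": kv["Src"],
            "user": kv["User"].lower(),
            "host": kv["Host"],
        })
    return events


def detect_rdp_bruteforce(events, burst_threshold=10, burst_window=60,
                          spray_sources=5, spray_window=600):
    """Return alerts for (a) >= burst_threshold RDP failures from one source
    against one host inside burst_window seconds and (b) one host seeing
    failures from >= spray_sources distinct sources for at least as many
    distinct accounts inside spray_window seconds."""
    alerts, fired = [], set()
    per_source = defaultdict(deque)   # (host, src) -> failure timestamps
    per_host = defaultdict(deque)     # host -> (ts, src, user)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        key = (ev["host"], ev["src"])
        q = per_source[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > burst_window:
            q.popleft()
        if len(q) >= burst_threshold and ("burst", key) not in fired:
            fired.add(("burst", key))
            alerts.append({"type": "burst", "host": ev["host"], "src": ev["src"],
                           "failures": len(q), "at": ev["ts"]})
        hq = per_host[ev["host"]]
        hq.append((ev["ts"], ev["src"], ev["user"]))
        while (ev["ts"] - hq[0][0]).total_seconds() > spray_window:
            hq.popleft()
        sources = {s for _, s, _ in hq}
        users = {u for _, _, u in hq}
        if (len(sources) >= spray_sources and len(users) >= spray_sources
                and ("spray", ev["host"]) not in fired):
            fired.add(("spray", ev["host"]))
            alerts.append({"type": "distributed", "host": ev["host"],
                           "sources": len(sources), "accounts": len(users), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

Keying the burst rule on (host, source) rather than on source alone keeps a single NAT address that legitimately serves many users from tripping it on every host at once, while the distributed rule exists precisely because a botnet that spreads its guesses across many addresses stays under any per-source threshold. In production the same logic can be fed from the Security log's IpAddress, TargetUserName and LogonType fields, and the thresholds need tuning against a baseline of the site's normal failure rate.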
The United States’ National Security Agency (NSA) has issued a rare alert urging Windows users and administrators to waste no time in patching the critical ‘BlueKeep’ security flaw in older Windows systems.
“This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability,” reads the NSA’s advisory.
It also specifically highlights BlueKeep’s ‘wormable’ nature and draws paral...
A researcher has created a proof-of-concept Metasploit module for the critical BlueKeep vulnerability, which successfully demonstrates how to achieve complete takeover of a target Windows machine.
Reverse engineer Zǝɹosum0x0 tweeted about his success on Tuesday, noting that he plans to keep the module private given the danger that a working exploit could pose to the vast swathe of unpatched systems out there. He also released a video showing a remote code-execution (RCE) exploit working ...
A researcher has created a module for the Metasploit penetration testing framework that exploits the critical BlueKeep vulnerability on vulnerable Windows XP, 7, and Server 2008 machines to achieve remote code execution.
BlueKeep is a critical flaw in Remote Desktop Services that affects Windows 7 and Server 2008, as well as the unsupported Windows XP and Server 2003.
It is tracked as CVE-2019-0708 and Microsoft released patches for it on May 14. A micropatch is available, too, for systems that cannot take a break to...
A new zero-day vulnerability has been disclosed that could allow attackers to hijack existing Remote Desktop Services sessions in order to gain access to a computer.
The flaw can be exploited to bypass the lock screen of a Windows machine, even when two-factor authentication (2FA) mechanisms such as Duo Security MFA are used. Other login banners an organization may set up are also bypassed.
The issue is now tracked as CVE-2019-9510 and is described as an authentication bypass using a...
If you haven't patched CVE-2019-0708 aka BlueKeep, then, well, now would be a good time
The critical Windows Remote Desktop flaw that emerged this month may have set the stage for the worst malware attack in years.
The vulnerability, designated CVE-2019-0708 and dubbed BlueKeep, can be exploited by miscreants to execute malicious code and install malware on vulnerable machines without the need for any user authentication: a hacker simply has to be able to reach the box across the internet or network in order to commandeer it.
It is said to be a "wormable" security hole ...
One million devices are still vulnerable to BlueKeep, a critical Microsoft bug with “wormable” capabilities, almost two weeks after a patch was released.
The flaw (CVE-2019-0708) was fixed during Microsoft’s May Patch Tuesday Security Bulletin earlier this month. System administrators were urged to immediately deploy fixes as the flaw could pave the way for a similar rapidly-propagating attack on the scale of WannaCry.
Despite that, researchers on Tuesday warned that one milli...
The 0patch platform issued a fix for the Remote Desktop Services RCE vulnerability known as BlueKeep, in the form of a 22-instruction micropatch which can be used to protect always-on servers against exploitation attempts.
The critical software flaw, tracked as CVE-2019-0708 and present in both in-support (Windows Server 2008 and Windows 7) and out-of-support (Windows Server 2003 and Windows XP) versions, was already patched by Microsoft on May 14, after the vulnerability was disclosed.
However, unlike Mi...
Remember the panic that hit organizations around the world on May 12th, 2017 when machine after machine displayed the WannaCryptor ransom screen? Well, we might have a similar incident on our hands in the coming days, weeks or months if companies don’t update or otherwise protect their older Windows systems right away. The reason is BlueKeep, a ‘wormable’ critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading ...
A proof-of-concept remote code execution (RCE) exploit for the wormable BlueKeep vulnerability tracked as CVE-2019-0708 has been demoed by security researchers from McAfee Labs.
Microsoft released updates on May 14 to patch the critical vulnerability on both out-of-support and in-support Windows versions, describing the bug as capable of allowing malware to self-propagate between vulnerable Windows machines, just "as the WannaCry malware spread across the globe in 2017."
The McAfee Labs research team publishe...
Yes, the one with the critical security fixes
Brit security software slinger Sophos has advised its customers to uninstall Microsoft's most recent Patch Tuesday run – the same patches that protect servers against the latest Intel cockups.
In an advisory note published over the weekend, Sophos admitted the latest batch of Windows updates are causing the machines of some people using its AV wares to hang on boot, getting stuck while displaying the line "Configuring 30%".
"We have currently only identified the issue on some custo...
Using information from their research and from public scripts, security professionals at NCC Group have created a network detection rule for CVE-2019-0708. After testing with Suricata IDS/IPS, NCC Group made it available.
Security researchers have created exploits for the remote code execution vulnerability in Microsoft's Remote Desktop Services, tracked as CVE-2019-0708 and dubbed BlueKeep, and hackers may not be far behind.
While the vulnerability inspired some playful users to cr...
Plus plenty of other fixes from Redmond and Adobe – and special guest star Citrix
Patch Tuesday It’s that time of the month again, and Microsoft has released a bumper bundle of security fixes for Patch Tuesday, including one for out-of-support operating systems Windows XP and Server 2003.
Usually support for such aging operating systems costs an arm and a leg, though Redmond has released a freebie because of the serious nature of the critical flaw, assigned CVE-2019-0708, in Remote Desktop Services, or Terminal Services as it was. The vulnerability allows remote code ...
Microsoft has released a patch for an elevation-of-privilege vulnerability rated important, which is being exploited in the wild.
The bug fix is part of Microsoft’s May Patch Tuesday Security Bulletin. It’s tied to the Windows Error Reporting feature and is being abused by attackers who have gained local access to affected PCs. They are able to trigger arbitrary code-execution in kernel mode — resulting in a complete system compromise.
“They would need to first gain access t...
Microsoft patched today a critical vulnerability found in the Remote Desktop Services (RDS) platform which can allow malicious actors to create malware designed to propagate between computers running vulnerable RDS installations.
According to Microsoft's Windows IT Pro Center, "Remote Desktop Services (RDS) is the platform of choice for building virtualization solutions for every end customer need, including delivering individual virtualized applications, providing secure mobile and remote d...