A remote desktop exploit in Windows known as BlueKeep is no joke, and to prove it, security researchers at Sophos have created a proof-of-concept demonstration showing how easy it would be for an unpatched RDP (Remote Desktop Protocol) server to be compromised. The researchers hope that the demonstration will essentially scare companies into patching Windows.
BlueKeep is viewed as especially dangerous because it affects multiple different versions of Windows and is wormable, meaning it can rapidly spread to other vulnerable systems in a network in similar fashion to the WannaCry malware attacks that wreaked havoc a couple of years ago. Not to be taken lightly, BlueKeep has drawn the attention of both the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA).
"CISA encourages users and administrators to review the Microsoft Security Advisory and the Microsoft Customer Guidance for CVE-2019-0708 and apply the appropriate mitigation measures as soon as possible," CISA stated in an alert last month.
Now Sophos is doubling down on the sentiment expressed by the Department of Homeland Security. BlueKeep takes advantage of a vulnerability in RDP that could allow an attacker to send malformed packets to a system and achieve remote code execution. Sophos created a proof-of-concept that shows how frighteningly easy and effective such an attack can be.
"The exploit works in a completely fileless fashion, providing full control of a remote system without having to deploy any malware. It also doesn’t require an active session on the target," Sophos explains.
It took some serious reverse engineering of the patch that Microsoft released for Sophos to create its demo. The company said it will not be releasing the proof-of-concept, out of an abundance of caution, but hopes that it will encourage businesses to patch their Windows machines ASAP.