Every protocol has its day in the dubious limelight of hacker’s attention and it looks like RDP’s time has finally arrived. It was overdue, actually. Remote Desktop Protocol (RDP) is a functionally rich protocol with lots of complexity that inevitably translates to attack surface. Moreover, RDP allows a lot of communication and interaction between the client and server prior to the user actually being authenticated. And that is exactly what BlueKeep exploited when it burst upon the scene earlier this summer.
RDP presents a remote GUI logon screen in which the user can enter their username and password. That in itself is a remote desktop session (albeit limited of course). It’s during the setup of that session that BlueKeep attempts to write arbitrary code into the kernel memory of the server and then trick the server into executing it.
That shell code runs in the highly privileged context of the kernel itself, which means it can do anything from there because the attacker is the OS at that point.
The attack is complicated to pull off, but there are no particular prerequisites other than an unpatched Windows 7 or 2008 R2 system with RDP (usually TCP 3389) accessible to a remote attacker. There are still many such systems out there – by one count almost a million.
There’s plenty to be learned from, and to do about BlueKeep itself, which we will explore in this webinar. Including:
- More technical details on BlueKeep
- Patching
- How the risk of a given vulnerability changes over time
- Why Network Level Authentication (NLA) is so important
- Network level detection depending on decryption
- Why Multi-Factor-Authentication isn’t a silver bullet
But BlueKeep is far from the end of story. We’ve already seen DejaBlue, which is a related vulnerability that impacts newer versions of Windows including Windows 10 and 2019. We’ll talk about DejaBlue, how it’s different than BlueKeep both in its origin and how it works.
We’ll also demonstrate an attack with BlueKeep using Metasploit’s initial exploit module for BlueKeep and show you different ways it can be a valuable tool to defenders.
I will cover the major ways to protect against BlueKeep and DejaBlue beyond just patching including:
- Privileged Session Proxies
- VPN
- Remote Desktop Gateway
- Network Level Authentication
- Simple IP restrictions
- Monitoring
Our sponsor is Rapid7, who will show how their unique vulnerability risk management solution, InsightVM, identifies vulnerable systems and helps you automatically identify assets that are connected to the public internet with Attack Surface Monitoring with Project Sonar.
Please join us for this real training for free event.