BlueKeep exploit is weaponized: Check Point customers remain protected

The notorious BlueKeep vulnerability has been escalated from a theoretical, critical vulnerability to an immediate, critical threat.

First reported in May 2019, BlueKeep (CVE-2019-0708) was disclosed as a critical security vulnerability by Microsoft. The vulnerability exists in the Remote Desktop Protocol (RDP) and allows for Remote Code Execution (RCE). Check Point, recognizing the criticality of this vulnerability, issued both IPS and Endpoint protections immediately following the announcement.

In fact, SandBlast Agent, Check Point’s endpoint solution, was the first product to protect against this vulnerability in May. For about four months, Check Point was the only endpoint vendor to protect against it.

While BlueKeep’s devastating potential was known since May 2019, it was a theoretical threat, as there was no working exploit code. That code was released into the wild when the open source Metasploit penetration testing framework released a BlueKeep exploit module on September 6. This module allows an attacker to leverage the vulnerability for Remote Code Execution (RCE) based attacks.

Unfortunately, the Metasploit toolset is used by security practitioners and cybercriminals alike. By publishing the BlueKeep exploit code, hackers were essentially provided with weaponized, working code that enables the creation of a dangerous worm.

How serious is the threat? If a single unpatched Windows machine with network admin access is running on a network, the attacker may gain access to all in-use credentials for all systems on the network, whether they are running Windows, Linux, macOS or NetBIOS. In effect, this scenario means that a single infected Windows machine can completely own a network, even if all of the other machines on this network are fully patched and protected!

We expect to see an outbreak of 5th generation cyberattacks based on this published exploit. At least that was the pattern after the EternalBlue exploit was leaked by “The Shadow Brokers” on April 14, 2017, which led to the spread of WannaCry and NotPetya in May and June 2017, two of the most devastating cyberattacks in history.

Check Point’s BlueKeep protections for network and endpoint are based on the IPS and endpoint security products released several months ago. These products are designed to protect organizations against the BlueKeep vulnerability and new weaponized versions of this attack.

Watch a video demo of how the weaponized BlueKeep code works and how it is blocked by SandBlast Agent, Check Point’s endpoint security solution.

In short, Check Point customers who have implemented these protections remain protected.

We recommend that all customers take immediate action to make sure they are protected:

  • Install the Microsoft patch on all vulnerable Windows systems.
  • Enable Check Point’s IPS network protection for BlueKeep. This will keep all your in-perimeter machines fully protected.
  • Implement Check Point’s SandBlast Agent endpoint security protection for BlueKeep. This will make sure that any off-perimeter machines are also protected.
    • SandBlast Agent was the first endpoint security solution to protect against BlueKeep and remained the only one for over four months!
    • SandBlast Agent can even detect BlueKeep-based scans and attacks on a machine that is already patched, and alert on them!