Friday, January 22, 00:38

Bluekeep exploit code released

  • BlueKeep is a wormable security bug in Microsoft's Remote Desktop Services that allows attackers to take remote control of vulnerable systems.
  • Metasploit developers have released the first working prototype of exploit code capable of executing a payload.
  • Bitdefender looks at the recently released BlueKeep exploit code and shows how Hypervisor Introspection prevents this attack.

Last Friday, security researchers working on the Metasploit project released the first working exploit code to achieve code execution against systems vulnerable to BlueKeep. This high-impact vulnerability, which affects Microsoft Remote Desktop Services, was first disclosed as CVE-2019-0708 in May 2019. On May 14, Microsoft began releasing fixes for the affected Windows operating systems.

The exploit does not yet achieve remote code execution 100% reliably; targeted systems may hit a BSOD during payload execution. It is, however, reliable enough to confirm that the core protection of Bitdefender Hypervisor Introspection (HVI), as released in 2017, already defeats BlueKeep. At that time neither the vulnerability nor the exploit was publicly known, so the attack would have been blocked as a zero-day.


Why is BlueKeep so dangerous?

BlueKeep belongs to the class of serious security flaws considered 'wormable'. These vulnerabilities are usually bugs in widely used operating system services that system administrators routinely expose to the outside world and that security teams allow through the perimeter. Attackers favor vulnerabilities in widely exposed services because they let them scale and automate their attacks. To make matters worse, a successful attack gains complete control of the system, because the exploited RDP component is a Windows kernel driver.

There have been several high-profile worm attacks in recent years. WannaCry is a fairly recent example: a worm that used the EternalBlue exploit to spread ransomware. Months before WannaCry appeared, we wrote about how Bitdefender Hypervisor Introspection stopped the EternalBlue exploit.

How does Hypervisor Introspection prevent exploitation?

Bitdefender Hypervisor Introspection (HVI) is an anti-exploitation technology that uses the Virtual Machine Introspection APIs built into modern hypervisors to monitor the entire memory footprint of a running VM. This lets the technology focus on identifying attack techniques as they operate in memory, rather than matching previously observed behaviors. Hypervisor Introspection requires no prior knowledge of the vulnerability or where it lives, and no prior knowledge of the exploit code.

Kernel exploits like BlueKeep (and EternalBlue) must maneuver carefully to gain access to the operating system API. Once initial code execution is obtained, the exploit can do little without calling operating system functions, because it runs in an arbitrary context in which such calls would hang or crash the system. To "migrate" to a known, stable context, the malicious code typically tries to hijack the OS SYSCALL handler. Hypervisor Introspection monitors the core structures of the operating system, including the CPU's model-specific registers (MSRs), and blocks malicious modifications to them. In this way Hypervisor Introspection offers generic protection against whole categories of attacks that rely on the same exploitation technique.
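To make the protection concrete, the following is an added, simplified model of the check an introspection engine can apply when the hypervisor intercepts a WRMSR to the SYSCALL entry-point MSR (IA32_LSTAR, and IA32_CSTAR for compatibility mode). It is illustrative code written for this article, not Bitdefender's implementation: the trusted kernel text range and the guest addresses are constructed constants, whereas a real engine would derive the bounds of the loaded kernel image from the guest's memory. A write that would point SYSCALL at memory outside trusted kernel code is refused, so the exploit never reaches a stable execution context.

```c
/* Added example: model of a hypervisor-side WRMSR intercept that protects the
 * SYSCALL entry point. Addresses and region sizes below are constructed for
 * illustration only; they are not taken from any real system. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IA32_STAR   0xC0000081u  /* SYSCALL/SYSRET segment selectors      */
#define IA32_LSTAR  0xC0000082u  /* 64-bit mode SYSCALL entry point (RIP) */
#define IA32_CSTAR  0xC0000083u  /* compatibility-mode SYSCALL entry point */

/* A trusted executable region of the guest kernel image. */
typedef struct {
    const char *name;
    uint64_t    base;
    uint64_t    size;
} code_region_t;

typedef enum { MSR_ALLOW = 0, MSR_DENY = 1 } msr_verdict_t;

/* Constructed: pretend the guest's ntoskrnl .text section lives here. */
static const code_region_t kTrusted[] = {
    { "ntoskrnl.exe .text", 0xFFFFF80000400000ull, 0x0000000000600000ull },
};
#define N_TRUSTED (sizeof kTrusted / sizeof kTrusted[0])

static bool region_contains(const code_region_t *r, uint64_t addr)
{
    return addr >= r->base && addr < r->base + r->size;
}

static bool is_entry_point_msr(uint32_t msr)
{
    return msr == IA32_LSTAR || msr == IA32_CSTAR;
}

/* Invoked for every intercepted WRMSR. Only entry-point MSRs are policed here;
 * the verdict explains itself through `reason` for logging. */
msr_verdict_t on_wrmsr(uint32_t msr, uint64_t new_value,
                       const code_region_t *trusted, size_t n_trusted,
                       char *reason, size_t reason_len)
{
    if (!is_entry_point_msr(msr)) {
        snprintf(reason, reason_len, "MSR 0x%08" PRIx32 " is not an entry-point MSR", msr);
        return MSR_ALLOW;
    }
    for (size_t i = 0; i < n_trusted; i++) {
        if (region_contains(&trusted[i], new_value)) {
            snprintf(reason, reason_len, "target lies inside %s", trusted[i].name);
            return MSR_ALLOW;
        }
    }
    snprintf(reason, reason_len,
             "target 0x%016" PRIx64 " lies outside every trusted code region", new_value);
    return MSR_DENY;
}

/* Replays a constructed event sequence and returns how many writes were denied:
 * the kernel's own boot-time LSTAR write is allowed, a write of the selector
 * MSR is not policed, and an exploit redirecting LSTAR into pool memory is denied. */
int run_demo(void)
{
    struct { const char *who; uint32_t msr; uint64_t value; } events[] = {
        { "kernel boot",    IA32_LSTAR, 0xFFFFF80000574000ull }, /* inside .text  */
        { "kernel boot",    IA32_STAR,  0x0023001000000000ull }, /* selectors     */
        { "exploit pivot",  IA32_LSTAR, 0xFFFFFA8003A00000ull }, /* pool address  */
    };
    int denied = 0;
    char reason[128];
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++) {
        msr_verdict_t v = on_wrmsr(events[i].msr, events[i].value,
                                   kTrusted, N_TRUSTED, reason, sizeof reason);
        printf("%-14s WRMSR 0x%08" PRIx32 " <- 0x%016" PRIx64 " : %s (%s)\n",
               events[i].who, events[i].msr, events[i].value,
               v == MSR_DENY ? "DENY" : "ALLOW", reason);
        if (v == MSR_DENY) denied++;
    }
    return denied;
}

int main(void)
{
    return run_demo() == 1 ? 0 : 1;
}
```

The point of the check is that it needs no knowledge of BlueKeep itself: any exploit that tries to pivot through the SYSCALL handler, whatever bug got it into the kernel, hits the same denial. A production engine would additionally verify that the trusted range is backed by the unmodified kernel image and would protect the SYSENTER MSRs and the IDT in the same way.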

Hypervisor Introspection is available today for Citrix Hypervisor environments and as part of a technical preview program for organizations running the KVM hypervisor.

