- BlueKeep is a wormable security bug in Microsoft's Remote Desktop Services that allows hackers to remotely control vulnerable systems.
- Metasploit developers have released the first working prototype of exploit code with payload execution capabilities.
- Bitdefender looks at the recently released BlueKeep exploit code and how Hypervisor Introspection prevents this attack.
Last Friday, security researchers working on the Metasploit project released the first working exploit code to achieve code execution against systems vulnerable to BlueKeep. This high-impact vulnerability, which affects Remote Desktop Services in Microsoft products, was first listed as CVE-2019-0708 in May of 2019. On May 14, Microsoft began releasing fixes for affected Windows operating systems.
The exploit is not yet 100% reliable at remote code execution. Targeted systems may encounter a BSOD during payload execution. However, it is reliable enough to confirm that the core protection of Bitdefender Hypervisor Introspection (HVI) released by 2017 essentially defeated BlueKeep. At that time, the vulnerability and its exploitation were not known to the public, so the attack would have been prevented as a 0-day.
Why is BlueKeep so dangerous?
BlueKeep is one of those serious security flaws that are considered 'wormable'. These vulnerabilities are usually bugs in widely used operating system services that are typically exposed to the outside world by system administrators and allowed by security teams. Hackers want to exploit vulnerabilities found in widely exposed services to maximize and automate the way they attack. To make matters worse, successful attacks gain complete control of the system, as the exploited RDP component is a Windows kernel driver.
There have been several high-profile attacks of this kind in recent years. WannaCry is a fairly recent high-profile worm attack that exploited the EternalBlue vulnerability to spread ransomware. Months before WannaCry hit, we wrote about how Bitdefender Hypervisor Introspection defeated the EternalBlue exploit.
How does Hypervisor Introspection prevent exploitation?
Bitdefender's Hypervisor Introspection (HVI) is a state-of-the-art anti-exploitation technology that uses Virtual Machine Introspection APIs, built into modern hypervisors, to monitor the entire working memory footprint of a VM. This allows the technology to focus on identifying attack techniques as they operate in memory, rather than searching for previously seen behaviors. Hypervisor Introspection requires no prior knowledge of the vulnerability or its location, and requires no prior knowledge of the exploit code.
Kernel exploits like BlueKeep (and EternalBlue) require careful action in order to gain access to operating system APIs. Once initial code execution is obtained, the exploit cannot do much without calling operating system functions, and it is executing in an arbitrary environment where doing so would hang or crash the system. To "migrate" to a known environment, the malicious code will try to hook the OS SYSCALL handler. Hypervisor Introspection monitors the core structures of the operating system, including specific model-specific registers (MSRs) of the CPU, preventing malicious changes. In this way, Hypervisor Introspection provides general protection against entire categories of attacks based on the same exploitation technique.
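The register-monitoring idea described above can be modelled in a few lines. This is an added sketch, not Bitdefender's code or HVI's actual policy: it assumes the hypervisor intercepts guest WRMSR instructions and applies one simplified rule, that the SYSCALL entry point held in IA32_LSTAR (architectural MSR index 0xC0000082) must stay inside the guest kernel image. The names `guest_view` and `on_wrmsr` are hypothetical and all addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MSR_IA32_LSTAR 0xC0000082u /* holds the 64-bit SYSCALL entry point */

/* Hypothetical per-guest state; the addresses used below are constructed. */
struct guest_view {
    uint64_t kernel_base; /* start of the guest kernel image */
    uint64_t kernel_size; /* size of the guest kernel image in bytes */
    uint64_t lstar;       /* last SYSCALL entry point that was accepted */
};

enum verdict { ALLOW = 0, BLOCK = 1 };

static bool in_kernel_image(const struct guest_view *g, uint64_t addr)
{
    return addr >= g->kernel_base && addr - g->kernel_base < g->kernel_size;
}

/* Decide what to do with a guest WRMSR that the hypervisor intercepted. */
enum verdict on_wrmsr(struct guest_view *g, uint32_t msr, uint64_t value)
{
    if (msr != MSR_IA32_LSTAR)
        return ALLOW;              /* register not monitored by this sketch */
    if (!in_kernel_image(g, value))
        return BLOCK;              /* handler would leave the kernel image */
    g->lstar = value;              /* legitimate (re)initialisation */
    return ALLOW;
}

int main(void)
{
    struct guest_view g = { 0xFFFFF80000000000ULL, 0x01000000ULL, 0 };
    /* Constructed events: a boot-time write, then a redirect outside the image. */
    uint64_t writes[] = { 0xFFFFF80000201000ULL, 0xFFFFA00012345000ULL };
    for (size_t i = 0; i < 2; i++) {
        enum verdict v = on_wrmsr(&g, MSR_IA32_LSTAR, writes[i]);
        printf("WRMSR LSTAR <- %#llx: %s\n", (unsigned long long)writes[i],
               v == ALLOW ? "allowed" : "blocked");
    }
    printf("effective SYSCALL entry: %#llx\n", (unsigned long long)g.lstar);
    return 0;
}
```

The rule keys on the write to the register rather than on any property of the exploit, which is why the same check applies to any attack that redirects the SYSCALL handler.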
Hypervisor Introspection is available today for Citrix Hypervisor environments and as part of a technical preview program for organizations running the KVM hypervisor.