Halloween Exploits Scare: BlueKeep, Chrome’s Zero-Days in the Wild

Researchers found vulnerabilities being exploited in the wild between the end of October and the first days of November. On October 31, Chrome posted that a stable channel security update for Windows, Mac, and Linux versions of Chrome will be rolled out in the next few days in order to fix two use-after-free flaws in audio and PDFium, assigned CVE-2019-13720 and CVE-2019-13721 respectively. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a statement advising users and administrators to apply the updates. Meanwhile, security researcher Marcus Hutchins aka MalwareTech reported that BlueKeep (CVE-2019-0708) was being actively used as part of a hacking campaign to install cryptocurrency miner malware in unpatched systems. The campaign-related events were first noticed by Kevin Beaumont after his honeypot network crashed.

[Read: European international airport workstations infected with persistent anti-coinminer malware]

The Chrome flaws were reported to the Google team early October and were rated as high-severity vulnerabilities. Details on the CVE-2019-13720 exploit were released by Kaspersky researchers Anton Ivanov and Alexey Kulaev, who noted that the vulnerability can be used to cause a memory corruption flaw to escalate privileges for remote code execution attacks. The attack was first observed as a malicious JavaScript code injected in a Korean-language news portal using the watering hole technique. On the other hand, while more details have yet to be released on CVE-2019-13721, Chrome cites the flaw to affect the PDFium library, which is used by developers in generating, searching, and viewing PDF files via an open-source library. Google has released Chrome version 78.0.3904.87 to address the issue.

[Read: Security 101: Zero-day vulnerabilities and exploits]

As November rolled in, initial reports showed a number of unpatched legacy systems becoming the targets of a campaign in exploiting the Microsoft Remote Desktop Protocol (RDP) flaw BlueKeep. Despite security updates from Microsoft in May and a warning issued by the U.S. National Security Agency (NSA) in June, it is estimated that more than 500,000 systems remain unprotected against CVE-2019-0708, with exposed RDP ports being abused to install a malicious Monero miner. Tweets by Hutchins suggested that specific honeypots were targeted, and later Beaumont noted that activity related to the exploit has ceased. However, incidents like these should be taken seriously — the activity can be seen as cybercriminals testing their codes currently in development. While this recent instance of BlueKeep being used does not have self-propagation, BlueKeep is a wormable flaw. It can install more malicious software once successfully exploited, and researchers warn that it can also be used to spread to other internet-connected devices even without the necessary credentials.

As reported in the Trend Micro midyear security roundup, malicious actors and persistent groups will find these security gaps in organizations’ systems as leverage for attacks and illicit profit. Make sure to reduce the attack surface that may exploit these vulnerabilities by following these best practices:

• Keep your systems updated with the latest patches, and employ virtual patching or available hotfixes from legitimate vendors for legacy or end-of-life systems.
• Close, restrict, or secure unnecessary ports or remote desktop services to minimize the attack surface for unauthorized users.
• Employ the principle of least privilege by restricting permissions, access to tools, or programming techniques that can be used for intrusions. Enforce security mechanisms such as encryption, lockout policies, or other role-based access controls to provide an additional layer of security against attacks that involve compromising remote desktops.

[InfoSec Guide: Remote Desktop Protocol (RDP)]

In addition, threats exploiting BlueKeep can be mitigated by the Trend Micro™ Deep Security™ and Vulnerability Protection solutions, which protect systems and users from threats targeting CVE-2019-0708 via this Deep Packet Inspection (DPI) rule:

• 1009749 - Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability

Trend Micro TippingPoint® customers are protected from threats and attacks that may exploit CVE-2019-0708 via this MainlineDV filter:

• 35296: RDP: Microsoft Remote Desktop Services Negotiation Request Without CredSSP