Castle keep in blue
Published 03 Jul 2019

On the 17th May, 2019 the National Cyber Security Centre (NCSC), the public face of the Government Communications Headquarters (GCHQ), went public with the vulnerability tagged as CVE-2019-0708.

The three-letter acronym CVE stands for "common vulnerabilities and exposures". The CVE scheme is a cataloguing system for vulnerabilities that could be exploited by cybercriminals. 

This vulnerability had been discovered by the NCSC and reported to Microsoft on the 14th of May, 2019. When Microsoft produced a set of security patches and were ready to release them, the NCSC made the announcement that the vulnerability existed.

That's all standard operating procedure. What made this particularly noteworthy was Microsoft's response.

They took the (almost) unheard-of step of producing patches for out-of-service operating systems that had already gone end of life. That is something Microsoft has only ever done on a handful of occasions, such as the patching of Windows XP during the WannaCry outbreak back in 2017.

When it does happen it flags up that something out of the ordinary is unfolding. In the case of CVE-2019-0708, what was going on was the scramble to prevent a massive attack on servers running the Remote Desktop Protocol (RDP). This protocol allows people to access and to control Windows machines over the internet.

There are literally millions of servers with RDP running on them. Because of the existence of the CVE-2019-0708 vulnerability, also known as BlueKeep, there is a potential backdoor into the internal network of any organisation running RDP - if they haven't patched their computers. 

The BlueKeep vulnerability is "wormable", allowing the attack code to replicate itself and spread, whilst giving the attackers the ability to execute programs on the compromised machines. And all accomplished without a username or password.

But there is a difference between a vulnerability and an exploit. A vulnerability is a chink in your armour. It's a flaw that could possibly be leveraged by cybercriminals. An exploit is a proven case of using that flaw to actually breach a network.

Some vulnerabilities are so difficult to put into practice that although they are theoretically possible, in practical terms they might as well be considered impossible. 

Microsoft declared this vulnerability to be beyond the capabilities of most hackers. It was doubted whether even the most skilled hackers would be able to create workable exploits in the window between the release of the patches and the time people patched their servers. There was even a small hope that it would prove to be too difficult to actually exploit at all. That was quickly proven wrong.

A small number of security research teams have demonstrated proof-of-concept code (PoC) that exploits the BlueKeep vulnerability. The earliest announcement was on the 1st July, 2019.

How have the bad guys fared? The source-code hosting site GitHub has page after page of PoC code for BlueKeep exploitation, much of it posted in late May. These PoCs are freely available and anyone can download them and start poking around inside them. It's no surprise to see the threat actors are one step ahead of the security world.

  • Discovered and reported to Microsoft: 14th May, 2019
  • Announced to the public, patches available: 17th May, 2019
  • First PoC by threat actors: 28th May, 2019
  • First PoC by Security Researchers: 1st July, 2019

Those who are smart enough to exploit the vulnerability have made the means to do so freely available to anyone else. As we have seen so often in the past, you don't need to be an elite hacker. You just need to know where to look for the components so that you can assemble a toolbox of exploits. History has shown that people are slow to patch their servers, if they even do it at all. Those who do not patch in a timely fashion are leaving themselves exposed to risk and vulnerable to attack.

The part of the timeline I can't pin down for certain is when you patched your systems. We know our customers are safe. But for everyone else, it always comes down to people. The vulnerabilities may be in the technology, but the choice to patch is always a human one.

We make the right decisions for our customers. You can make the right decision by joining them.

If you don't know for certain that you're as safe as you can be, get in touch using our Contact Us page.
