BlueKeep exploit is weaponized: Check Point customers remain protected

The notorious BlueKeep vulnerability has been escalated from a theoretical, critical vulnerability, to an immediate, critical threat.

First reported in May 2019, BlueKeep (CVE-2019-0708) was reported as a critical security vulnerability by Microsoft. The vulnerability exists in the Remote Desktop Protocol (RDP) and allows for Remote Code Execution (RCE). Check Point, recognizing the criticality of this vulnerability, issued both IPS and Endpoint protections immediately following the announcement.

In fact, SandBlast Agent, Check Point’s endpoint solution, was the first product to protect against this vulnerability in May. For about four months Check Point was the only Endpoint vendor to protect against this vulnerability.

While BlueKeep’s devastating potential was known since May 2019, it was a theoretical threat, as there was no working exploit code. That code was released into the wild when the open source Metasploit penetration testing framework released a BlueKeep exploit module on September 6. This module makes it possible to leverage the vulnerability for Remote Code Execution (RCE) based attacks.

Unfortunately, the Metasploit toolset is used by both security practitioners and cybercriminals alike. By publishing the BlueKeep exploit code, hackers were essentially provided with weaponized, working code that enables the creation of a dangerous worm.

How serious is the threat? If a single unpatched Windows machine with network admin access is running on a network, the attacker may have access to all in-use credentials to all systems on the network, whether they are running Windows, Linux, MacOS or NetBIOS. In effect, this scenario means that a single, infected Windows machine can completely own a network, even if all of the other machines on this network are fully patched and protected!

We expect to see an outbreak of 5th generation cyberattacks based on this published exploit. At least that was the pattern after the EternalBlue exploit was leaked by “The Shadow Brokers” on April 14, 2017, which led to the spread of the devastating WannaCry and NotPetya attacks in May and June 2017, two of the most devastating cyberattacks in history.

Check Point’s BlueKeep protections for network and endpoint are based on the IPS and endpoint security products released several months ago. These products are designed to protect organizations against the BlueKeep vulnerability and new weaponized versions of this attack.

Watch a video demo of how the weaponized BlueKeep code works and how it is blocked by SandBlast Agent, Check Point’s endpoint security solution.

In short, Check Point customers who have implemented these protections remain protected.

We recommend that all customers take immediate action to make sure they are protected:

  • Install the Microsoft patch on all vulnerable Windows systems
  • Enable Check Point’s IPS network protection for BlueKeep. These will keep all your in-perimeter machines fully protected.
  • Implement Check Point’s SandBlast Agent endpoint security protection for BlueKeep. This will make sure that any off-perimeter machines are also protected.
    • SandBlast Agent was the first endpoint security solution to protect against BlueKeep and remained so for over 4 months!
    • SandBlast Agent can even detect BlueKeep based scans/attacks if the machine is patched and alert on it!


Lol, sounds like a Check Point software ad to me


That's not what Microsoft says to do at all. 🤣


Protect against BlueKeep

This summer, the DART team has been preparing for CVE-2019-0708, colloquially known as BlueKeep, and has some advice on how you can protect your network. The BlueKeep vulnerability is “wormable,” meaning it creates the risk of a large-scale outbreak due to its ability to replicate and propagate, similar to Conficker and WannaCry. Conficker has been widely estimated to have impacted 10 to 12 million computer systems worldwide. WannaCry was responsible for approximately $300 million in damages at just one global enterprise.


To protect against BlueKeep, we strongly recommend you apply the Windows Update, which includes a patch for the vulnerability. If you use Remote Desktop in your environment, it’s very important to apply all the updates. If you have Remote Desktop Protocol (RDP) listening on the internet, we also strongly encourage you to move the RDP listener behind some type of second factor authentication, such as VPN, SSL Tunnel, or RDP gateway.

You also want to enable Network Level Authentication (NLA), which is a mitigation to prevent unauthenticated access to the RDP tunnel. NLA forces users to authenticate before connecting to remote systems, which dramatically decreases the chance of success for RDP-based worms. The DART team highly recommends you enable NLA regardless of this patch, as it mitigates a whole slew of other attacks against RDP.

If you’re already aware of the BlueKeep remediation methods, but are thinking about testing it before going live, we recommend that you deploy the patch. It’s important to note that the exploit code is now publicly and widely available to everyone, including malicious actors. By exploiting a vulnerable RDP system, attackers will also have access to all user credentials used on the RDP system.

Why the urgency?

Via open source telemetry, we see more than 400,000 endpoints lacking any form of network level authentication, which puts each of these systems potentially at risk from a worm-based weaponization of the BlueKeep vulnerability.

The timeline between patch release and the appearance of a worm outbreak is difficult to predict and varies from case to case. As always, the DART team is ready for the worst-case scenario. We also want to help our customers be prepared, so we’re sharing a few previous worms and the timeline from patch to attack. Hopefully, this will encourage everyone to patch immediately.



Learn more

To learn more about DART, our engagements, and how they are delivered by experienced cybersecurity professionals who devote 100 percent of their time to providing cybersecurity solutions to customers worldwide, please contact your account executive. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


This document is for informational purposes only and Microsoft makes no warranties, express or implied, in this blog.

Source: https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/


This info only applies to:

The Australian Cyber Security Centre is aware of widespread abuse of a security vulnerability (called BlueKeep) that affects older versions of Windows operating systems including Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008. If you are using older versions of Windows systems, and do not want to update to Windows v10,


There are other options as well: there's Windows 8.1, macOS and Linux, which are not affected by this. It makes you wonder if Microsoft didn't make this virus to get people off of Windows XP and Windows 7. No wonder Windows 7 lost so much market share. :tooth:

The one Windows 8.1  and Windows 10 users need to be looking out for is DejaBlue.




Which was patched in August. There are 2 worms out there. Also, there were more patched on Tuesday, which are social engineered Windows Remote Desktop Protocol attacks:


An attacker would need to convince someone to connect to their malicious RDP server or otherwise intercept (MITM) the traffic. It's good to see these issues patched, but they don't carry the urgency of the recent wormable bugs.


Edited by steven36
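A way to check the two settings the DART post above asks for (RDP reachable without NLA, and which security layer it negotiates) on a Windows host, written as an added example for this thread; it is not code from Check Point, Microsoft or any poster here. It reads the standard Terminal Server registry keys and assumes it is run from an elevated PowerShell prompt; the `-Enforce` switch and variable names are my own.

```powershell
# Added example: audit a host's RDP exposure against the DART advice (NLA on) and,
# with -Enforce, require NLA. Registry paths are the standard Terminal Server keys.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Enforce   # when set, turn NLA on if it is currently off
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections: 1 = RDP disabled, 0 = RDP connections allowed
$rdpDisabled = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
# UserAuthentication: 1 = NLA required (client authenticates before a session exists), 0 = not required
$nla         = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
# SecurityLayer: 0 = legacy RDP security, 1 = Negotiate, 2 = TLS
$secLayer    = (Get-ItemProperty -Path $rdpKey -Name SecurityLayer).SecurityLayer
$port        = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

$result = [pscustomobject]@{
    Host          = $env:COMPUTERNAME
    RdpEnabled    = ($rdpDisabled -eq 0)
    NlaRequired   = ($nla -eq 1)
    SecurityLayer = @('RDP', 'Negotiate', 'TLS')[$secLayer]
    ListenPort    = $port
}
$result | Format-List

if ($result.RdpEnabled -and -not $result.NlaRequired) {
    Write-Warning 'RDP accepts connections without NLA: unauthenticated clients reach the pre-auth code path.'
    if ($Enforce -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Require Network Level Authentication')) {
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
        # NLA needs at least Negotiate; leave TLS (2) alone if it is already set
        if ($secLayer -lt 1) { Set-ItemProperty -Path $rdpKey -Name SecurityLayer -Value 1 -Type DWord }
        Write-Output 'NLA required. Restart the TermService service (or reboot) to be sure it applies.'
    }
}
```

Run it with `-Enforce -WhatIf` first to see what would change; NLA is a mitigation on top of the patch, not a replacement for it.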
