myhack58 (黑吧安全网) | 佚名 (anonymous) | MYHACK58:62201994259
Published: May 25, 2019, 00:00

CVE-2019-0708 vulnerability impact analysis and detection methods using a variety of rules (vulnerability warning)

www.myhack58.com

CVSS3: 9.8 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

CVSS2: 10 High
AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE | Confidentiality Impact: COMPLETE | Integrity Impact: COMPLETE | Availability Impact: COMPLETE

EPSS: 0.975 High (Percentile 100.0%)

With the recent publication of CVE-2019-0708, most of the security community has treated this vulnerability as the highest-priority fix. Any mention of patching it inevitably brings to mind the disastrous consequences of WannaCry and NotPetya. Past experience also tells us that users often do not patch immediately, but take a relatively long time to do so. For a high-risk vulnerability like this one, therefore, we need to develop detection rules quickly.
One less obvious but very important detail about CVE-2019-0708: the vulnerability is in Remote Desktop Services (RDS), Microsoft's implementation of the Remote Desktop Protocol (RDP) on Windows. The RDP protocol itself is not the problem. I mention this to avoid a repeat of the kind of hype we saw during the WannaCry outbreak.
The "BlueKeep" label was first used by Kevin Beaumont. I chose this label for two reasons: it gives us a reference to point to, and it makes related posts easy to find on Twitter, since a CVE identifier cannot simply be used as a hashtag unless the dashes are removed. The BlueKeep tag just makes tweeting easier.
![](/Article/UploadPic/2019-5/201952513833498.png)
Vulnerability impact analysis
To establish a detection theory, we must consider two threat models:
1. A worm threat, similar to the WannaCry scenario.
2. An APT attacker using the vulnerability as one part of a more complex attack, in the same way that EternalBlue and the SMB protocol were only one component of the catastrophic NotPetya attack.
To identify assets at risk, we refer to the following table provided by Dragos:
![](/Article/UploadPic/2019-5/201952513833958.png)
Could CVE-2019-0708 be used for large-scale initial access in the way WannaCry was? A quick look at Shodan data shows a large number of hosts on the internet exposing port 3389, many of which may be running a vulnerable version of Windows.

The search URLs used were:
· https://www.shodan.io/search?query=port%3A3389+os%3A"Windows+7+or+8"
· https://www.shodan.io/search?query=port%3A3389+2003
· https://www.shodan.io/search?query=port%3A3389+2008
· https://www.shodan.io/search?query=port%3A3389+os%3A"Windows+XP"
In all, we can find about 238.5 million hosts exposing RDP to the internet, although the accuracy of this figure cannot be verified.
![](/Article/UploadPic/2019-5/201952513839135.png)
The URL for this search: https://www.shodan.io/search?query=Remote+Desktop+Protocol
To quote Dan Tentler's tweet of April 23, 2017: "not all hosts are Windows, and not all of these ports are SMB". Adapted to today, this becomes: "not all of these 230 million hosts are Windows, and not all of these ports belong to services affected by CVE-2019-0708". If we compare the CVE-2019-0708 timeline with that of WannaCry, we are now at the stage where MS17-010 has been released but EternalBlue has not yet appeared, so we cannot yet scan for the next DoublePulsar. Until such a PoC exists, we cannot be certain how things will develop. However, even if the threat reaches the WannaCry stage, we will probably still have about 30 days to put defences in place, although that window may well be shorter.
![](/Article/UploadPic/2019-5/201952513840966.png)
Although one can debate whether these audited hosts are genuinely exploitable by an attacker, and analyse their patch status, network segmentation and so on, it is well known that many companies still run vulnerable versions of Windows, and the patch cycle for these systems may be more difficult. From the WannaCry data, we see more than 2.4 million potentially exploitable hosts and more than 14 million hosts suspected to be affected, with DoublePulsar posted to the internet three weeks before the event.
At this stage, the greater risk is an attacker inside the organisation using CVE-2019-0708 to compromise hosts rapidly and move laterally. And since, at the time of writing, no exploit PoC has appeared online (although there are many fakes), we will use every tool at our disposal to build detection before the exploit arrives.
Considering the above, as defenders we can do three things:
1. Deploy active detection;
2. Strictly require the vulnerability to be patched, or its risk mitigated;
3. Follow the opinions of trusted researchers and track how the risk develops.
To explain this concretely, I quote Florian Roth's tweet here:
![](/Article/UploadPic/2019-5/201952513840151.png)
Spot fire: Sigma rules
The first rule, which we refer to as Sigma #1, was contributed to the Sigma GitHub repository by Markus Neis. It targets the lateral-movement technique T1210 / Exploitation of Remote Services (https://attack.mitre.org/techniques/T1210/):
![](/Article/UploadPic/2019-5/201952513841296.png)
Within an hour, a similar rule, Sigma #2, was released by Roman Ranskyi on SOC Prime TDM and made available to the community for free; its detection logic extends to T1036 / Masquerading (https://attack.mitre.org/techniques/T1036/) and T1046 / Network Service Scanning (https://attack.mitre.org/techniques/T1046/).
So we have TLP:WHITE and TLP:GREEN rules in place before the vulnerability is exploited in the wild. But is this enough to fully detect hostile behaviour?
Going further: machine learning
Next, we explore what advantages machine learning can offer on the detection side, and how to build the solution on the Elastic Stack.
Hypothesis:
Within a defined time window, a host that initiates a large number of RDP connections to an unusually high number of distinct target IP addresses is a likely indicator of a worm using RDP for lateral movement and propagation. In doing so, it may be exploiting the RDS vulnerability associated with CVE-2019-0708.
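As an added illustration of this hypothesis (example code written for this edit, not from the article, SOC Prime or Elastic), the following Python scores each source host over a sliding time window by RDP connection count and distinct destination count; the log lines, window size and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not from the article): "time src dst dport".
# 10.0.0.5 fans out to five different hosts on 3389 within seconds (worm-like);
# 10.0.0.9 reconnects five times to one jump host (ordinary admin use).
SAMPLE_LOG = """\
2019-05-25T10:00:01 10.0.0.5 10.0.1.10 3389
2019-05-25T10:00:02 10.0.0.5 10.0.1.11 3389
2019-05-25T10:00:03 10.0.0.5 10.0.1.12 3389
2019-05-25T10:00:03 10.0.0.5 10.0.1.13 3389
2019-05-25T10:00:04 10.0.0.5 10.0.1.14 3389
2019-05-25T10:00:10 10.0.0.9 10.0.1.50 3389
2019-05-25T10:00:20 10.0.0.9 10.0.1.50 3389
2019-05-25T10:00:30 10.0.0.9 10.0.1.50 3389
2019-05-25T10:00:40 10.0.0.9 10.0.1.50 3389
2019-05-25T10:00:50 10.0.0.9 10.0.1.50 3389
2019-05-25T10:01:00 10.0.0.7 10.0.1.60 443
"""
RDP_PORT = 3389


def parse_flows(text):
    """Keep only RDP flows, as (timestamp, src, dst) tuples sorted by time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        if int(dport) == RDP_PORT:
            flows.append((datetime.fromisoformat(ts), src, dst))
    return sorted(flows)


def detect_rdp_spread(flows, window=timedelta(minutes=5), min_conns=5, min_targets=5):
    """Return {src: max distinct targets} for sources that, inside any sliding window,
    opened >= min_conns RDP connections to >= min_targets distinct hosts (assumed thresholds)."""
    by_src = defaultdict(list)
    for ts, src, dst in flows:
        by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # shrink the window from the left until it spans <= window
            in_window = events[start:end + 1]
            targets = {dst for _, dst in in_window}
            if len(in_window) >= min_conns and len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts
```

The repeated connections from 10.0.0.9 stay below the distinct-target threshold, which is what keeps a busy administrator or jump host from tripping the rule.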
