Keeping up with BlueKeep (CVE-2019-0708) Vulnerability

BlueKeep is not a new exploit, but active exploitation of the BlueKeep vulnerability has only recently hit the headlines. Tracked as CVE-2019-0708, BlueKeep is a critical, wormable remote code execution flaw in Remote Desktop Services that Microsoft patched in the May 2019 Patch Tuesday updates. Over 724,000 systems worldwide may still be unpatched and exposed to attack.

Security researcher Kevin Beaumont built a worldwide honeypot network named BluePot using Azure Sentinel with Microsoft Sysmon. Although no signs of attack were observed initially, late October saw a steep increase in the honeypots crashing and rebooting. Kryptos Logic analyzed the crashdump from one of the honeypots in Germany, examining the pool allocations carrying the pool tag TSic, which is used by IcaAllocateChannel in the Windows RDP driver termdd.sys. The presence of thousands of allocations of size 0x170 with the TSic tag indicated abnormal behavior.

In the BlueKeep exploit, an allocation of exactly 0x170 bytes is required to fill the memory hole left by the freed MS_T120 channel structure, which is still referenced by a dangling pointer. Thousands of such allocations also point to a heap spraying technique being used for exploitation. To gain remote code execution, an attacker must hijack a pointer at offset 0x100 in the channel structure; this pointer indirectly links to a function that leads to the shellcode. In the crashdump, the pointer dereferences the address fffffa80`08807048, which leads to the exploit payload. The researchers matched these parameters against the recent attack sample, confirming a BlueKeep exploit. The attackers had used the same shellcode, with the same user-mode egg, as the BlueKeep Metasploit module.

The payload was an encoded PowerShell command that downloads a second PowerShell command from the attacker's server. The final stage executed a malicious binary linked to a cryptocurrency miner.

Microsoft did its part by working closely with the researchers to investigate the RDP exploits. Microsoft notes that Microsoft Defender ATP customers had been protected since early September, well before the deployed honeypots were attacked: the behavioral detection for the BlueKeep Metasploit module in Microsoft Defender ATP collected a number of critical signals. A close examination of the C2 servers and the behavioral aspects of the recent attacks connected the BlueKeep exploitation to an ongoing coin-mining campaign. Machines in France, Russia, Italy, Spain, Ukraine, Germany, the United Kingdom and other countries have been infected with the same coin miner payload.

Figure: BlueKeep exploitation techniques

According to Microsoft, the attacks could have started with a port scan for machines running vulnerable RDP services. The next step was to run a PowerShell script using the BlueKeep Metasploit module, which downloads and launches further encoded PowerShell scripts. Apart from retrieving the coin miner payload, the final scripts also create scheduled tasks to achieve persistence on the infected machines. The coin miner is ultimately saved as ‘C:\Windows\System32\spool\svchost.exe’ on the target.
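As an added example (not code from this post, Microsoft or the researchers it cites), the following Python checker applies three behavioral rules drawn from the attack chain above to constructed Sysmon-style process-creation records: it decodes a PowerShell -EncodedCommand argument, flags scheduled-task creation, and flags an svchost.exe running outside the normal system directories, such as the miner's C:\Windows\System32\spool\svchost.exe path. The field names and sample command lines are assumptions made for the example.

```python
import base64
import ntpath
import re

# Constructed Sysmon-style process-creation records (Event ID 1), reduced to the
# three fields the rules below use. Sample values only, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     # "Get-Date" as UTF-16LE base64: a harmless stand-in for the real encoded stager
     "CommandLine": "powershell.exe -NoP -W Hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 30 /tn "Updater" /tr C:\Windows\System32\spool\svchost.exe /f'},
    {"Image": r"C:\Windows\System32\spool\svchost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\spool\svchost.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",  # legitimate host process, must not alert
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand; the payload is base64 of UTF-16LE.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Directories where a genuine svchost.exe lives on a 64-bit Windows install.
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the line has none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE: report nothing rather than crash


def analyze(events):
    """Apply the three rules and return (rule, detail) findings in event order."""
    findings = []
    for ev in events:
        image, cmd = ev["Image"], ev["CommandLine"]
        directory, exe = ntpath.split(image)
        decoded = decode_encoded_command(cmd)
        if decoded is not None and exe.lower() == "powershell.exe":
            findings.append(("encoded_powershell", decoded))
        if exe.lower() == "schtasks.exe" and "/create" in cmd.lower():
            findings.append(("scheduled_task_created", cmd))
        if exe.lower() == "svchost.exe" and directory.lower() not in SVCHOST_DIRS:
            findings.append(("svchost_masquerade", image))
    return findings
```

On the sample records this yields one finding per rule and stays silent on the legitimate svchost.exe; the decoded stager text is what a responder would hand to the next stage of triage.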

There have been no reports so far of malware or ransomware abusing BlueKeep. However, it is very likely that attackers will sooner or later incorporate BlueKeep exploits into their tooling, with devastating consequences.

Affected Products

Remote Desktop Services on:

  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2003
  • Windows Vista
  • Windows XP


An unauthenticated attacker who connects to the target system over RDP and sends specially crafted requests can execute arbitrary code on the system.


Microsoft released a patch for this vulnerability (CVE-2019-0708) in the May 2019 Patch Tuesday updates. It is strongly recommended to apply the patches for CVE-2019-0708 on all internet-facing systems running RDP without further delay.

SecPod Saner detects this vulnerability and automatically fixes it by applying security updates. Download Saner now and keep your systems updated and secure.
