[2019.11.05] Attacks exploiting the BlueKeep vulnerability (CVE-2019-0708) observed in the wild
Summary
- The attacker used the Metasploit module code for CVE-2019-0708. After compromising the system, a Monero coin miner is installed.
- IoC
Hash : 498106fe7fa5ece30dd8d7457cabdba6 (MD5)
(hxxps://www.virustotal.com/gui/file/8a87a1261603af4d976faa57e49ebdd8fd8317e9dd13bd36ff2599d1031f53ce/details)
Network : 109.176.117.11 port 8000 (TCP)
5.100.251.106 port 52057 (TCP)
- Top 3 attacker source IPs :
193.27.73.223 (Netherlands)
217.23.5.20 (Netherlands)
157.245.82.38 (United States)
Related CVE information
- CVE-2019-0708
Detection rule availability
- TippingPoint 35285: RDP: Microsoft Remote Desktop Services Remote Code Execution Vulnerability
- McAfee: RDP: Microsoft Remote Desktop MS_T120 Channel Bind Attempt
- Symantec 31527 (OS Attack: Microsoft Windows Desktop Services RCE CVE-2019-0708)
31529 (OS Attack: Microsoft Windows Desktop Services RCE CVE-2019-0708 2)
- Cisco: 4 rules (content-replace.rules, SIDs 1:50186 to 1:50189)
* 1:50186 <-> ENABLED <-> CONTENT-REPLACE Microsoft Windows require RDP client channel list prior to encryption (content-replace.rules)
* 1:50189 <-> ENABLED <-> CONTENT-REPLACE Microsoft Windows require RDP client channel list prior to encryption (content-replace.rules)
References
Source : hxxps://doublepulsar.com/bluekeep-exploitation-activity-seen-in-the-wild-bd6ee6e599a6
hxxps://www.kryptoslogic.com/blog/2019/11/bluekeep-cve-2019-0708-exploitation-spotted-in-the-wild/?source=post_page-----bd6ee6e599a6----------------------
hxxps://twitter.com/GossiTheDog/status/1191783623411806208