First things first, my name is DejaBlue and I’m an utterly evil Windows Vuln. I allow execution of remote code and my hacker buddies to pwn you, your systems and your data, lol.
I’m part of the BlueKeep family of badass vulns, and I came into being around the 13th August 2019, but my exact birth date is a bit of a mystery… I’m something of a sordid creation. I’m really similar to my siblings; we have a lot of the same interests: hanging out unnoticed in systems, facilitating cybercrime, nation-state hacking, just the usual sibling stuff, y’know?
I really like people who use Microsoft Windows, specifically Windows 7 onwards. Whether you’re Windows 7 or 10, a server or a workstation, on an internal or external network – DejaBlue don’t care! I’ll be there, making you insecure. Sometimes, when I’m feeling especially sociable, I switch between operating systems, just to mess with you.
The first quality I look for in my new ‘victims’? How easy it is to access their Remote Desktop Protocol session (some people call it RDP, it’s all the same to me). It’s just a cool term for a protocol that allows a user to access the computer’s screen remotely.
I guess you could say I like to get to know people on a personal level. I do this by launching myself deep into my victims’ Windows resources. But still, the more people I get to meet, the better. People tend to call me wormable. Simply put, I’m able to create copies of myself and spread onto other people’s computers – don’t worry, there’s plenty of DejaBlue evilness to go around.
RDP lets the friendly counterpart, the server, execute commands on behalf of its client. So, say you have a problem with your computer and you don’t know who to turn to, I would (very happily) give you a hand by taking part in the RDP session between you and the server! I’m actually soooooo helpful that I would like nothing more than to take full control of your whole system. The pre-authentication stage seems like a good place to meet, see you there?
Some of my favourite activities are referred to by, in my opinion, ridiculous, unpronounceable names. Here’s a list to mention a few: CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1223, CVE-2019-1224, CVE-2019-1225, CVE-2019-1226.
Apparently, according to some researchers, my hobbies are “high risk”. In actual fact, they call it a CVSS rating, and they rate them critical. Why not have a look and see if any of my activities tickle your fancy? I’m always on the lookout for new victims to introduce
Some people are starting to enable Network Level Authentication (NLA) on their RDP… When you do that, you make it a lot more difficult for me to befriend you. Enabling NLA means that I can no longer access the usernames and passwords of those who are currently authenticated to your remote services. Essentially, you’re adding in another layer of security that I have to fight through. But, on the bright side, you can only use NLA if you are running Windows XP SP3 or later – every cloud has a silver lining.
I’ve noticed a decrease in the RDP services available – are you avoiding me by disabling them?! Disabling RDP services is the best defence against me. It’s also harder for me to find you when you change your RDP port to something other than the default 3389. Remember to set your firewall to accept the newly configured RDP port.
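The three defences just described (disable RDP, require NLA, move the listener off 3389 and open the new port in the firewall) as an added PowerShell example; this is not code from the original post. It assumes an elevated session on the Windows host being defended, and the replacement port 13389 and the firewall rule name are placeholders you would choose yourself.

```powershell
# Added example: audit and harden the RDP settings the post talks about.
# Run in an elevated PowerShell on the host you are defending.
$tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = "$tsRoot\WinStations\RDP-Tcp"
$newPort  = 13389                 # assumed replacement for the default 3389
$ruleName = 'RDP-Custom-Port-In'  # assumed firewall rule name

function Get-RdpPosture {
    # Reads the settings discussed: RDP on/off, NLA required, listening port.
    $deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber

    # Unauthenticated clients reach the pre-authentication stage only when RDP is
    # enabled and NLA is not required; that is the exposure the post describes.
    if     ($deny -ne 0) { $risk = 'none: RDP disabled' }
    elseif ($nla -ne 1)  { $risk = 'HIGH: RDP enabled without NLA' }
    else                 { $risk = 'reduced: NLA required' }

    [pscustomobject]@{
        RdpEnabled  = ($deny -eq 0)
        NlaRequired = ($nla -eq 1)
        Port        = $port
        Risk        = $risk
    }
}

function Set-RdpHardened {
    param([switch]$DisableRdp)

    if ($DisableRdp) {
        # The post's preferred defence: turn RDP off entirely when it is not needed.
        Set-ItemProperty -Path $tsRoot -Name fDenyTSConnections -Value 1
        return
    }
    # Require NLA so credentials are checked before the session is set up...
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    # ...and move the listener off the default port 3389.
    Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $newPort
    # Open the new port in Windows Firewall, inbound TCP only, if not already done.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $newPort -Action Allow | Out-Null
    }
    # The new port is used only after the Remote Desktop service restarts;
    # this drops any active RDP sessions.
    Restart-Service -Name TermService -Force
}

Get-RdpPosture
```

Run `Get-RdpPosture` before and after `Set-RdpHardened` to confirm the change; remember to remove any firewall rule that still allows port 3389 once the new port is in use.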
Actually, Microsoft has released a patch in an attempt to block me out of your circles. I’m not even kidding. If you don’t believe me, have a look yourself. You can join my righteous disbelief by finding the patch here.
Anyway, I have a lot of work to do and I hope to catch you sooner rather than later!