Revisiting an old post I made earlier: throughout my career I have seen environments where Remote Desktop Protocol (RDP) was allowed directly from the internet, other instances where the RDP port was changed from 3389 to another random port, and lastly ones where it was not accessible from the internet at all.
Now exploit code for this bug is for sale from a security company, and it targets the affected, unpatched systems: Windows XP and Windows Server 2003 through Windows 7 and Windows Server 2008 R2.
Leveraging a jump host is always a good start: write an allow-list segmentation rule that permits inbound TCP 3389 only from one or two workloads inside the data center (the jump hosts). That removes most of the RDP attack surface of the Windows estate, because every other host stops accepting RDP from anywhere else, including the internet and the user LAN. The second method is user-based segmentation, where a security architect controls, by Active Directory group membership, which users can reach the jump host at all. Together these two practices make an RDP attack far harder to mount and also cut off ransomware whose initial infection point would have been an exposed RDP service. Two caveats apply. BlueKeep is a pre-authentication bug, so a control that only restricts who may log on does not protect a host that still accepts the RDP connection; the user-based rule has to drop the traffic before the RDP handshake, not at the Windows logon screen. And the jump hosts themselves must be patched (or at minimum have Network Level Authentication enabled), since they are now the only systems accepting RDP from user networks.
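As an added example (not code from the original post), the script below applies the allow-list on an individual Windows host with the built-in Windows Firewall, enables NLA, and pins the local "Remote Desktop Users" group to a single AD group. The jump-host addresses 10.0.10.5 and 10.0.10.6, the group CORP\RDP-JumpHost-Operators and the rule name are placeholders; a data-center segmentation product would carry the same rule, but the host firewall is the enforcement point every Windows server already has.

```powershell
# Added example, not from the original post. Restricts inbound RDP on this host to
# a short allow-list of jump hosts, enables NLA, and limits the local
# "Remote Desktop Users" group to one AD group. Addresses, rule name and group
# name are assumptions, not values from the post. Run as Administrator.
#Requires -RunAsAdministrator

$JumpHosts    = @('10.0.10.5', '10.0.10.6')      # assumed jump-host addresses
$RdpOperators = 'CORP\RDP-JumpHost-Operators'    # assumed AD group allowed to RDP
$RuleName     = 'RDP 3389 inbound - jump hosts only'

function Set-RdpAllowList {
    param([string[]]$AllowedSources)

    # With the default inbound action set to Block, any packet not matched by an
    # allow rule is dropped, so no explicit "block everything else" rule is needed
    # (an explicit block rule would override the allow rule for the jump hosts too).
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

    # The built-in "Remote Desktop" rule group allows 3389 from any address; turn it off.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

    # Replace it with one allow rule scoped to the jump hosts only.
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $AllowedSources -Action Allow -Profile Domain |
        Out-Null
}

function Enable-RdpNla {
    # Network Level Authentication requires CredSSP authentication before the RDP
    # session is created; Microsoft listed it as a partial mitigation for
    # CVE-2019-0708. It is not a substitute for the security update.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $key -Name UserAuthentication -Value 1 -Type DWord
}

function Set-RdpOperatorsGroup {
    param([string]$Group)
    # The LocalAccounts cmdlets exist on Windows 10 / Server 2016 and later; on
    # older hosts use "net localgroup 'Remote Desktop Users' <group> /add".
    # Note: members of the local Administrators group can always RDP, so that
    # group must be kept just as tight.
    $rdpUsers = 'Remote Desktop Users'
    Get-LocalGroupMember -Group $rdpUsers |
        Where-Object { $_.Name -ne $Group } |
        ForEach-Object { Remove-LocalGroupMember -Group $rdpUsers -Member $_.Name }
    if (-not (Get-LocalGroupMember -Group $rdpUsers | Where-Object { $_.Name -eq $Group })) {
        Add-LocalGroupMember -Group $rdpUsers -Member $Group
    }
}

function Test-RdpExposure {
    param([string]$Target)
    # Run this from a machine that is NOT a jump host: Port3389Open should be False.
    $r = Test-NetConnection -ComputerName $Target -Port 3389 -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $Target; Port3389Open = $r.TcpTestSucceeded }
}

Set-RdpAllowList -AllowedSources $JumpHosts
Enable-RdpNla
Set-RdpOperatorsGroup -Group $RdpOperators

# Show the resulting remote-address scope of the new rule for a quick review.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
```

The check that matters is the last function run from the wrong place: a scan for TCP 3389 from an ordinary workstation or from the internet-facing segment should fail for every server, and succeed only from the jump hosts. Apply the same allow-list to the jump hosts in the other direction (which user subnets may reach them on 3389), and patch them first, since the allow-list concentrates all remaining RDP exposure onto those two machines.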
A US cyber-security company is selling a weaponized BlueKeep exploit as part of a penetration testing utility. BlueKeep, also known as CVE-2019-0708, is a pre-authentication remote code execution vulnerability in the Remote Desktop Services (RDP) component of older versions of Windows: Windows XP, Windows 7, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2. Windows 8 and later and Windows Server 2012 and later are not affected. Because no valid credentials or user interaction are required, Microsoft described it as wormable and shipped the May 2019 security update for the affected versions, including the out-of-support Windows XP and Windows Server 2003.