Microsoft Warning Against BlueKeep Exploit in Real World Attacks


In May 2019, Microsoft announced a critical remote code execution vulnerability in Windows Remote Desktop Services, referred to as BlueKeep (CVE-2019-0708). The cybersecurity community expected a weaponized exploit to be developed and used in large-scale attacks. The first wide-scale attacks using a BlueKeep exploit were identified over the weekend.

Right after Microsoft disclosed the vulnerability, a number of security researchers created proof-of-concept exploits for BlueKeep. One such attempt enabled a researcher to remotely control a vulnerable computer within 22 seconds. The researchers delayed publishing their PoCs because of the severity of the threat and the number of devices that were vulnerable to attack. At first, a huge number of internet-connected devices were vulnerable, including about a million Internet of Things (IoT) devices.

The BlueKeep vulnerability can be exploited remotely by sending a specially crafted RDP request. No user interaction is required. The flaw is also wormable, meaning self-propagating malware could use it to spread from one vulnerable computer to another on the same network.

Microsoft issued several notifications about the vulnerability, which affects older Windows versions such as Windows Server 2003, Windows Server 2008, Windows 7 and Windows XP. Companies and users were advised to apply the patch immediately to prevent exploitation. The NSA, GCHQ, and other government agencies around the world issued warnings. The cybersecurity community also cautioned companies and consumers about the risk of attack, with many expecting a weaponized exploit to be developed within weeks.

Even though the patch was released 5 months ago, patching has been slow: about 724,000 devices have still not applied it. The true number of vulnerable devices will be considerably higher, as the scans do not include devices behind firewalls.

Following the vulnerability report, security researcher Kevin Beaumont set up an international network of Remote Desktop Protocol (RDP) honeypots designed to be attacked. For weeks and months, no attempts to exploit the vulnerability were seen. But on November 2, 2019, Beaumont noticed that the honeypots were being exploited. The first honeypot attack, on October 23, 2019, caused a system crash and reboot; further attacks followed on honeypots other than the Australian one. Though the attack was identified this weekend, it had in fact begun around two weeks earlier.

Security researcher Marcus Hutchins, also known as MalwareTech, reviewed the crash dumps from the attacks. Hutchins is the researcher who discovered and activated the kill switch that halted the May 2017 WannaCry ransomware attacks. In memory he found artifacts showing that the BlueKeep vulnerability was used to attack the honeypots, and shellcode indicating that the flaw was exploited to deliver a cryptocurrency miner, undoubtedly for Monero.

The good news is that the attackers were probably low-skilled and have not exploited the full potential of the vulnerability. They have not developed a self-replicating worm and used the vulnerability only to distribute cryptocurrency mining malware to unsecured devices with an internet-exposed RDP port. The attacker(s) probably used the BlueKeep exploit that was published for the Metasploit framework last September.

Given the crashes and the failure to exploit all 11 honeypots, it is likely that the exploit is not working as intended and has not been modified to work reliably. Nonetheless, this is a wide-scale attack, and a number of the attempts succeeded.

The BlueKeep vulnerability had previously been exploited successfully by threat actors in smaller, more targeted attacks, but this is the first large-scale exploitation of BlueKeep.

If threat actors work out how to use the full potential of the BlueKeep vulnerability and build a self-propagating worm, almost all unpatched devices could be attacked, including those on internal networks. Such attacks would not merely slow down computers while mining cryptocurrency; wiper attacks comparable to NotPetya could also likely be carried out. The shipping company Maersk lost around $300 million because of that attack.

Defending against these attacks is straightforward: apply Microsoft's patch to all vulnerable computers immediately.
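Added example (not from the article or from Microsoft): a PowerShell triage script a defender can run on a host to report whether it belongs to one of the Windows families the article lists as affected, whether Remote Desktop is enabled and listening on its default port, and whether a given update is installed. The article does not state the KB number of the fix, so it is a parameter the reader must fill in; the kernel-version mapping for the affected families is an assumption of this script.

```powershell
# Added example, not part of the original article.
# Reports a host's BlueKeep (CVE-2019-0708) exposure: affected OS family,
# Remote Desktop state, TCP 3389 listener, and presence of a named update.
# Uses only cmdlets available back to PowerShell 2.0 so it runs on Windows 7.
param(
    # The article does not give the KB id of the fix; supply it for the OS in use.
    [string]$FixKb = "KB-PLACEHOLDER"
)

# Assumed kernel versions of the families the article names as affected:
# 5.1 = Windows XP, 5.2 = Server 2003, 6.0 = Server 2008, 6.1 = Windows 7
# (6.1 also matches Server 2008 R2, which shares the Windows 7 kernel).
$affectedVersions = @("5.1", "5.2", "6.0", "6.1")

$os         = Get-WmiObject Win32_OperatingSystem
$majorMinor = ($os.Version -split "\.")[0..1] -join "."
$isAffected = $affectedVersions -contains $majorMinor

# fDenyTSConnections = 1 means Remote Desktop is switched off on this host.
$tsKey      = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$ts         = Get-ItemProperty -Path $tsKey
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# netstat exists on every listed OS; Get-NetTCPConnection needs Windows 8+.
$listener = (netstat -ano) | Where-Object { $_ -match ":3389\s" -and $_ -match "LISTENING" }

# Look the update up by HotFixID rather than -Id so a missing id is not an error.
$fixInstalled = [bool](Get-HotFix | Where-Object { $_.HotFixID -eq $FixKb })

New-Object PSObject -Property @{
    Host           = $env:COMPUTERNAME
    OSVersion      = $os.Version
    AffectedFamily = $isAffected
    RdpEnabled     = $rdpEnabled
    Port3389Listen = [bool]$listener
    FixInstalled   = $fixInstalled
    ActionNeeded   = ($isAffected -and -not $fixInstalled)
}
```

On Windows 7 and Server 2008 the fix is also carried by later cumulative monthly rollups, so an absent KB id is a prompt to check the update history, not proof that the host is unpatched.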