BlueKeep Vulnerability Being Actively Exploited in Real World Attacks

In May 2019, Microsoft made an announcement about a critical remote code execution vulnerability in Windows Remote Desktop Services named BlueKeep – CVE-2019-0708. The cybersecurity community predicted that a weaponized exploit would be developed and be used in large-scale attacks. That prediction has now come true. Over the weekend, the first mass attacks using a BlueKeep exploit were discovered.

Soon after Microsoft announced the vulnerability, several security researchers developed proof-of-concept exploits for BlueKeep. One such exploit allowed a researcher to remotely take control of a vulnerable computer in just 22 seconds. The researchers held off publishing their PoCs due to the seriousness of the threat and the number of devices that were vulnerable to attack. Initially, millions of internet-connected devices were at risk, including around a million Internet of Things (IoT) devices.

The BlueKeep vulnerability can be exploited remotely by sending a specially crafted RDP request. No user interaction is required to exploit the vulnerability. The flaw is also wormable, which means self-propagating malware could use it to spread from one vulnerable computer to another on the same network.

Microsoft issued multiple warnings about the vulnerability, which affects older Windows versions such as Windows 7, Windows XP, Windows Server 2003 and Windows Server 2008. Businesses and consumers were urged to apply the patch as soon as possible to prevent the vulnerability from being exploited. Warnings were also issued by the NSA, GCHQ, and other government agencies around the world. The cybersecurity community has also been warning businesses and consumers about the risk of attack, with many believing a weaponized exploit would be developed in a matter of weeks.

Even after multiple warnings had been issued, patching was slow. The patch was released 5 months ago, yet there are still around 724,000 devices that have yet to have the patch applied. The total number of vulnerable devices will be considerably higher, as scans do not include devices behind firewalls.

Following the disclosure of the vulnerability, security researcher Kevin Beaumont set up a global network of Remote Desktop Protocol (RDP) honeypots that were designed to be attacked. Weeks and months passed with no attempts made to exploit the vulnerability. Then on November 2, 2019, Beaumont discovered the honeypots had been attacked. First, one honeypot was attacked, which caused the system to crash and reboot, followed by all the others aside from the Australian honeypot. While the attack was detected this weekend, the campaign has actually been ongoing for at least two weeks. The first attack occurred on October 23, 2019.

The crash dumps from the attacks were analyzed by security researcher Marcus Hutchins, aka MalwareTech. Hutchins was the person responsible for finding and activating a kill switch to block the WannaCry ransomware attacks in May 2017. Hutchins found artifacts in the memory indicating the BlueKeep vulnerability had been used to attack the honeypots and shellcode indicating the vulnerability was exploited to deliver a cryptocurrency miner, most likely for Monero.

Fortunately, the hackers exploiting the vulnerability appear to be unsophisticated, low-level threat actors who have not exploited the full potential of the vulnerability. The attackers have not developed a self-replicating worm and are only using the vulnerability to spread cryptocurrency mining malware on vulnerable devices with an internet-exposed RDP port. The attackers appear to have conducted a scan for vulnerable devices, and a list of IPs is being used for the attacks. The attacker(s) appear to be using a BlueKeep exploit that was published on the Metasploit framework in September.

The crashes on the honeypots and the failure to exploit the vulnerability on all 11 of them indicate the exploit is not working quite as planned and has not been modified to get it to work properly. However, this is a large-scale attack and at least some of the attacks have succeeded.

This is not the first time the BlueKeep vulnerability has been exploited by threat actors, as smaller, more targeted attacks have been conducted and have succeeded, but it is the first mass exploitation of BlueKeep.

Other threat actors may well discover how to unleash the full potential of the vulnerability and create a self-propagating worm. That would potentially enable all unpatched devices to be attacked, even those on internal networks. Those attacks may do more than slow down computers while cryptocurrency is mined. Wiper attacks similar to NotPetya could also potentially be conducted. The attack on the shipping firm Maersk cost around $300 million.

Preventing these attacks is simple and the advice remains the same as in May 2019 when BlueKeep was first announced. Apply Microsoft’s patch on all vulnerable computers as soon as possible.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.