Fresh BlueKeep Warning Issued by Microsoft: Public Exploits Exist and Attacks Imminent

Microsoft has issued a fresh warning about the recently discovered BlueKeep vulnerability in Remote Desktop Services (CVE-2019-0708) following the online publication of proof-of-concept exploits for the flaw.

Microsoft released fixes for the flaw on May 14, 2019. As was the case with the vulnerability that was exploited in the WannaCry ransomware attacks in 2017, patches were also released for unsupported Windows versions.

The vulnerability is critical and could be exploited remotely via Remote Desktop Protocol (RDP) without any user interaction required. As one security researcher has shown, finding devices that have not been patched is far from difficult. Robert Graham of Errata Security performed a scan of the internet and found almost 1 million devices that have still not had the patch applied or been protected using Microsoft’s recommended mitigations. Graham is not the only person to have performed scans for vulnerable devices. There has been a major increase in scans in recent days, which suggests that cybercriminals are preparing for attacks.

The fresh warning is an unusual step for Microsoft to take. It has satisfied its obligations through the release of patches and has even issued patches for unsupported Windows versions. The decision to release a further warning was due to the growing risk of exploitation of the vulnerability. Several security firms claim to have developed exploits for the flaw and proof-of-concept exploit code has now been leaked online. Microsoft is confident that viable exploits exist for the vulnerability.

Several people have posted fake PoC code for the vulnerability online, although security researcher Chase Dardaman tested one public DoS PoC for BlueKeep which he confirmed to be genuine.

“It’s been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we’re out of the woods,” said Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC) in a recent TechNet blog post. “If we look at the events leading up to the start of the WannaCry attacks, they serve to inform the risks of not applying fixes for this vulnerability in a timely manner.”

It took just two months from the MS17-010 patch being released before the global WannaCry ransomware attacks were conducted using the EternalBlue exploit. Yet even with major attacks occurring, many organizations still failed to take action. Now two years on, WannaCry ransomware attacks are still occurring and patches still are not being applied. One report last week indicated 40% of healthcare organizations have been attacked with WannaCry in the past 6 months and the attacks show no sign of stopping.

The latest flaw does not affect Windows 8 and Windows 10, but older Windows versions – Windows XP, Windows 7, Windows 2003 and Windows Server 2008 – are vulnerable. Many businesses have upgraded to Windows 10, but legacy Windows operating systems are still extensively used in healthcare, at least on some devices.

The advice from Microsoft has not changed. “We strongly advise that all affected systems should be updated as soon as possible,” said Pope. “It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise.”
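As an added example (not code from the article or from Microsoft), the following PowerShell audit can help an administrator find hosts that still fall into the risk category described above: it checks whether a host runs one of the Windows versions the article lists as affected, whether RDP is enabled, and whether Network Level Authentication (NLA) is required, which is the interim mitigation Microsoft recommends alongside patching and blocking TCP 3389 at the perimeter. It assumes it is run in an elevated prompt on the host being audited; the registry values it reads are the standard Terminal Server settings.

```powershell
# Added example: audit a single Windows host for BlueKeep (CVE-2019-0708) exposure.
# Get-WmiObject is used instead of Get-CimInstance so the script also runs on the
# older PowerShell versions found on the legacy systems the article lists as affected.
$os = Get-WmiObject -Class Win32_OperatingSystem

# Affected versions as listed in the article; Windows 8 and 10 are not affected.
$affectedPatterns = @('Windows XP', 'Windows 7', 'Server 2003', 'Server 2008')
$osAffected = $false
foreach ($pattern in $affectedPatterns) {
    if ($os.Caption -like "*$pattern*") { $osAffected = $true }
}

# fDenyTSConnections = 0 means RDP connections are accepted.
# UserAuthentication = 1 means NLA is required before the RDP session is established.
$tsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpPath = Join-Path $tsPath 'WinStations\RDP-Tcp'
$deny = (Get-ItemProperty -Path $tsPath -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$nla  = (Get-ItemProperty -Path $rdpPath -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$rdpEnabled  = ($deny -eq 0)
$nlaRequired = ($nla -eq 1)

# Rank the host so the output can be sorted across a fleet. NLA is only a partial
# mitigation: a host that is merely NLA-protected still needs the May 14, 2019 update.
if (-not $osAffected) {
    $assessment = 'Not in affected list'
} elseif (-not $rdpEnabled) {
    $assessment = 'Affected OS, RDP disabled - patch at next window'
} elseif ($nlaRequired) {
    $assessment = 'Affected OS, RDP enabled, NLA required - partial mitigation, patch required'
} else {
    $assessment = 'Affected OS, RDP enabled, no NLA - patch now or block TCP 3389'
}

[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    OS               = $os.Caption
    OSInAffectedList = $osAffected
    RDPEnabled       = $rdpEnabled
    NLARequired      = $nlaRequired
    Assessment       = $assessment
}
```

The script reports configuration state only; confirming that the update itself is installed still requires checking the hotfix list against the KB numbers in Microsoft's advisory for the specific OS.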

The NSA has also issued an alert via its Central Security Service division in an attempt to prevent another global malware attack like WannaCry, which used the NSA-developed EternalBlue exploit.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.