Considering the frenzy of speculation and flurry of activity around the BlueKeep vulnerability, it was only a matter of time before an exploit became available. Now that a commercial company is selling a working BlueKeep exploit, the question is no longer whether criminals will figure out how to exploit the vulnerability, but when they will launch such an attack.
IT security managers should be putting together a BlueKeep plan and executing it. That may mean applying the update Microsoft released for older versions of Windows, ranging from Windows 2000 to Windows Server 2008 and Windows 7. It may mean turning off Remote Desktop on unpatched systems that don’t need the protocol, or enabling Network Level Authentication (NLA) so that a connection must authenticate before a session is established, keeping unauthenticated attackers away from the flaw. It may even mean segmenting the network so that critical systems are separated from the vulnerable ones. The point is to have some kind of a plan, especially if updating all vulnerable systems isn’t possible for whatever reason.
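The checks behind that plan can be scripted. The following PowerShell is an added example, not code from the article or from Microsoft: it audits a single Windows host for the three controls the text names (the update, Remote Desktop switched off, NLA required) and prints a recommendation. It assumes RDP is listening on its default port 3389, that the script runs in an elevated prompt on the host being audited, and that the placeholder KB identifier is replaced with the actual CVE-2019-0708 update ID for that host’s Windows version (the article does not list the KB numbers).

```powershell
# Added example: audit one Windows host for BlueKeep (CVE-2019-0708) mitigations.
# Run from an elevated PowerShell prompt on the host itself.
# ASSUMPTION: 'KB-PLACEHOLDER' must be replaced with the real update ID for
# this host's Windows version; the article does not give KB numbers.
$BlueKeepKb = 'KB-PLACEHOLDER'
# ASSUMPTION: RDP listens on its default port.
$RdpPort = 3389

function Get-BlueKeepPosture {
    $tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $denyTs = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections `
        -ErrorAction SilentlyContinue).fDenyTSConnections

    # UserAuthentication = 1 means Network Level Authentication is required,
    # so a client must authenticate before a session (and the flaw) is reached.
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication `
        -ErrorAction SilentlyContinue).UserAuthentication

    # Is anything actually listening on the RDP port? Get-NetTCPConnection is
    # absent on Windows 7 / Server 2008, so fall back to netstat there.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = [bool](Get-NetTCPConnection -LocalPort $RdpPort -State Listen `
            -ErrorAction SilentlyContinue)
    } else {
        $listening = [bool](netstat -an | Select-String ":$RdpPort\s+.*LISTENING")
    }

    # Is the security update installed? (Get-HotFix exists on PowerShell 2.0+.)
    $patched = [bool](Get-HotFix -Id $BlueKeepKb -ErrorAction SilentlyContinue)

    # New-Object rather than [pscustomobject] so this still runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        UpdateInstalled  = $patched
        RdpEnabled       = ($denyTs -ne 1)
        RdpPortListening = $listening
        NlaRequired      = ($nla -eq 1)
    }
}

function Get-BlueKeepRecommendation {
    param([Parameter(Mandatory = $true)] $Posture)
    if ($Posture.UpdateInstalled) {
        return 'Patched: no further BlueKeep action needed on this host.'
    }
    if (-not $Posture.RdpEnabled -and -not $Posture.RdpPortListening) {
        return 'Unpatched, but Remote Desktop is off: low exposure. Patch when possible.'
    }
    if ($Posture.NlaRequired) {
        return 'Unpatched, RDP on, NLA required: unauthenticated exploitation blocked. Patch or isolate.'
    }
    return 'Unpatched, RDP on, NLA off: EXPOSED. Patch now, or disable RDP / require NLA / segment.'
}

$posture = Get-BlueKeepPosture
$posture | Format-List
Get-BlueKeepRecommendation -Posture $posture
```

Wrapping `Get-BlueKeepPosture` in `Invoke-Command -ComputerName` (where remoting is enabled) turns this into a fleet-wide inventory, which is the list a team needs before deciding which of the article’s options applies to each machine.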
When Microsoft released the update for BlueKeep on May 14, the company described the flaw as a “wormable” vulnerability that could self-propagate in a way similar to how EternalBlue was exploited in the WannaCry ransomware outbreak. The vulnerability is considered so dangerous (the BlueKeep RDP protocol vulnerability, CVE-2019-0708, could allow an attacker to remotely execute code on a vulnerable Windows system) that various government agencies, including the United States National Security Agency and Department of Homeland Security, Germany’s BSI cyber-security agency, and the United Kingdom’s National Cyber Security Centre, released security alerts urging organizations and individual users to patch older Windows machines. Security researchers followed Microsoft’s lead in not providing details of the vulnerability or releasing proofs-of-concept, in order to give defenders time to patch before attackers figured out how to weaponize the flaw.
That grace period is over, as security company Immunity has announced that the latest version of its CANVAS penetration testing toolkit includes a fully working BlueKeep exploit. The BlueKeep exploits previously uploaded to GitHub could only crash remote Windows systems; the BlueKeep exploit in Immunity’s CANVAS 7.23 achieves remote code execution, opening a shell on compromised machines. Immunity said companies can use CANVAS to test their infrastructure and see whether they are adequately secured against a potential BlueKeep attack.
One of the reassuring things about the prospect of a BlueKeep worm was that exploiting the flaw could require significant technical expertise. With the first exploit now released, it may not be long before a version of it falls into criminal hands. CANVAS licenses aren’t cheap, costing thousands to tens of thousands of dollars, so the exploit is not about to pop up in every crimeware kit or be used in garden-variety attacks. However, that doesn’t mean a well-funded group can’t legitimately buy penetration testing tools, or that once someone does, the tool won’t be pirated or leaked to other attack groups.
Have a BlueKeep plan
It’s been a busy week for BlueKeep watchers. On the same day that Immunity announced the penetration testing tool, someone posted a slide deck with details about BlueKeep on GitHub. The deck explained how to turn the proof-of-concept that exploits BlueKeep to crash a Windows machine into one that can lead to remote code execution.
"It basically gives a how-to guide for people to make their own RCE," independent researcher Marcus Hutchins told Ars Technica. "It's a pretty big deal given that now there is almost no bar to stop people publishing exploit code."
Earlier, a researcher using the handle 0xeb_bp posted to GitHub an in-depth analysis of the flaw and incomplete proof-of-concept Python code targeting Windows XP. The write-up describes how to perform the pool spray, the most difficult part of the exploit and the part that hadn’t previously been disclosed. There is a walk-through and a video of it all working.
Between the slides, the write-up, and the already-available in-depth analysis by the Zero Day Initiative, all the difficult parts of building a working exploit are now public.
The crypto-currency mining botnet WatchBog has incorporated a scanner that looks for systems vulnerable to BlueKeep, researchers from Intezer wrote. WatchBog previously targeted only Linux systems, but new implants have been added for other platforms. The researchers believe WatchBog is using a Python port of a publicly available scanner, run against a list of IP addresses supplied by the command servers. Among the addresses on that list, the researchers found IP addresses belonging to Vodafone Australia and Tencent Computer Systems.
At the moment, the botnet is just compiling lists of vulnerable systems. Perhaps the list of vulnerable BlueKeep Windows machines will be used in a future attack, or perhaps it will show up for sale on some criminal forum.
"The incorporation of the BlueKeep scanner by a Linux botnet may indicate WatchBog is beginning to explore financial opportunities on a different platform," the researchers said.
Perhaps all this is hype. Perhaps no BlueKeep worm will rampage through global networks. Perhaps enough systems have been patched that everything will be okay. That is a lot of “perhaps” for enterprise IT security teams to swallow right now.