Sophos Labs joins the growing list of organizations that have developed a BlueKeep proof of concept in recent weeks. Details are being held back to give enterprise defenders time to update vulnerable Windows systems before a potential attack, but it may just be a matter of time before the flaw gets exploited in an active attack or a public exploit becomes available.
Microsoft fixed the remote code execution vulnerability in the Remote Desktop Services components of older Windows versions back in May. The vulnerability, which researchers have dubbed “BlueKeep” (CVE-2019-0708), affects older versions such as XP, Vista, Windows 7, and both 32-bit and 64-bit versions of Windows Server 2008. It allows an unauthenticated user to access the system via RDP and issue commands to install software, view and modify data, and create new user accounts. Microsoft released updates for legacy Windows versions over concerns that a worm could exploit the flaw and spread quickly across networks.
The fact that Microsoft held back some details about the vulnerability bought enterprise defenders some time since it would be harder for malware developers to figure out how to create a working exploit. While several researchers have developed their own working proofs-of-concept, they, too, have refrained from publishing the exploits or discussing the specifics of what they did.
This level of reticence is unusual, and underscores how concerned security professionals are about the possibility of a repeat of WannaCry—where a worm exploited a known Windows vulnerability and crippled organizations around the world within hours. With data showing that attackers target vulnerabilities that have exploit code publicly available, it makes sense that holding back on making the details public would delay the attacks enough to get more systems patched.
State of Research
Each proof-of-concept thus far illustrated that this vulnerability could be used to cause a lot of damage. There is public code capable of crashing Windows and triggering a “blue screen of death” error, but researchers have shown different ways this vulnerability could be exploited.
Sophos released a video showing an exploit developed by SophosLabs’ Offensive Research team, which “works in a completely fileless fashion, providing full control of a remote system without having to deploy any malware” and does not require an active session on the target. The video shows a script attempting to start an RDP session to the target Windows 7 virtual machine and triggering the vulnerability to establish a connection to an elevated command shell (with SYSTEM-level privileges). The video then shows the researcher invoking that command shell and gaining full control over the machine without needing valid credentials.
“We hope this video convinces individuals and organizations who still haven’t patched that the BlueKeep vulnerability is a serious threat,” said Andrew Brandt, principal researcher at Sophos. The analysts in the Offensive Research group characterized the vulnerability’s difficulty level as “intermediate” and "within reach of adversaries who have more time than money," Brandt said.
RiskSense senior security researcher Sean Dillon (zerosum0x0) created a private Metasploit module in which he combined BlueKeep with Mimikatz. A potential attacker using the module would receive elevated SYSTEM privileges and access to all the passwords for other machines on the same network. Someone else going by the name Straight Blast on Twitter claimed to have a successful exploit against Windows 7.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said it had successfully tested what may be the first remote code execution exploit for BlueKeep against a Windows 2000 machine.
"CISA has coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep," CISA said.
The prevailing assumption among security professionals seems to be that it is a matter of time before a public exploit is available. The code could come from a researcher who made the details public or from an active attack campaign targeting the flaw. The sheer amount of discussion among researchers (and quite likely, the attackers, too) makes the likelihood of a public exploit being developed more likely, said Jonathan Cran, head of research at Kenna Security. While there is a chance nothing happens because chatter is just noise, it is still worth paying attention to.
“Chatter is a great leading indicator of what will happen,” Cran said.
It is possible an exploit is already making the rounds within the attacker community, and the attack just hasn’t been detected yet. Just because there haven’t been signs of one yet doesn’t mean it doesn’t already exist. Attackers could be waiting for the right time. Maybe an exploit will never appear—but hoping for that outcome isn't a winning strategy.
“Microsoft is confident that an exploit exists for this vulnerability,” Pope wrote in one of his advisories.
Even if an exploit never comes to light, some vulnerabilities should be patched regardless of the availability of public code, and BlueKeep is one of them, Cran said. The fact that the flaw can be exploited without user interaction, offers remote code execution, and is in a commonly deployed protocol puts BlueKeep in that bucket. Remote Desktop is enabled by default, which means there’s a “large attacker opportunity,” Cran said.
“It is possible that we won’t see this vulnerability incorporated into malware,” Microsoft’s Pope said. “But that’s not the way to bet.”
After the patch was released in May, Microsoft issued a security advisory in late May and another reminder-warning in June to apply the update as soon as possible because attackers could cause a lot of damage with this vulnerability.
“It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,” MSRC wrote.
Even the NSA raised the alarm. “It is likely only a matter of time before remote exploitation code is widely available for this vulnerability,” the NSA warned in its advisory.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) also released a warning. "A BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017," CISA said in its alert.
Despite the repeated warnings, the speed at which vulnerable systems are being updated remains slow. Shortly after the vulnerability was made public, Errata Security's Robert Graham created a BlueKeep scanning tool and found “roughly 950,000 machines” that were vulnerable on the public Internet. When Graham re-ran the tool 48 hours later at Wired's request, he found that just a thousand machines had been patched. "If that very roughly estimated rate were to continue...it would take 10 years for all the remaining vulnerable machines to be patched," Wired reported at the time.
Six weeks after Graham's initial Internet scan, approximately 805,665 systems online are vulnerable to BlueKeep, according to the latest figures from BitSight, a risk management company. That's about a 17 percent decrease from late May. While a "simplistic average" would be a decrease of 5,224 exposed vulnerable systems per day, BitSight said it was more likely that "at minimum an average of 854 vulnerable systems per day are patched."
BitSight said legal, nonprofit, and aerospace/defense organizations have been the most responsive in reducing their exposure. Conversely, utilities and technology organizations have low rates of remediation. The number of vulnerable systems in technology organizations has gone down by 11.7 percent, and in utilities by only 9.5 percent. The legal industry is the "least exposed," followed by insurance and finance, while telecommunications, education, technology, utilities, and government are among the most exposed.
Residential networks are included under telecommunications, which explains why that sector has such a big exposure window.
The fact that some machines no longer show up in the scans doesn't necessarily mean they were patched, or that network-level authentication (NLA) was enabled to block unauthenticated access via RDP. It could simply be that their IP addresses changed.
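A host-side check for the two settings this paragraph turns on, whether Remote Desktop is enabled and whether NLA is required before a session is established. This is an added PowerShell example, not code from the article or from any of the vendors quoted; it assumes the standard registry locations Windows uses for these settings and read access to HKLM.

```powershell
# Added example (not from the article): audit Remote Desktop exposure on the local host.
# Assumes the standard Terminal Server registry locations and rights to read HKLM.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# UserAuthentication = 1 means NLA is required, so the RDP listener demands
# credentials before the pre-authentication code path an unauthenticated client can reach.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

if ($rdpEnabled -and -not $nlaRequired) {
    $exposure = 'RDP reachable without NLA: apply the May update and enable NLA'
} elseif ($rdpEnabled) {
    $exposure = 'RDP enabled with NLA required: still apply the May update'
} else {
    $exposure = 'Remote Desktop disabled'
}

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    RdpEnabled   = $rdpEnabled
    NlaRequired  = $nlaRequired
    Exposure     = $exposure
}
```

Running this across a fleet (for example through Invoke-Command) gives an inventory the external scans in the article cannot: hosts behind the firewall that are reachable over RDP without NLA.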
One way to look at the number of vulnerable systems is that organizations aren't listening to the warnings. The other way is to realize that security teams may still be testing the updates, and are on track to deploy them soon. Most organizations tend to take about 90 days to apply the updates, so it may be that the number will drop significantly after the 90-day mark, which would be in August.
"I don't think we breathe a sigh of relief until we're at (at least) 50 percent patched, which on average takes 90 days in large organizations," Cran said. "My hope is that all the chatter and awareness helps speed that number in a significant way."
These estimates tell only part of the story, as the scanning tool can only see systems that are externally exposed to the Internet. Systems inside the network, behind the firewall, would not be visible to the scanner but would still be vulnerable if the exploit somehow lands in the network. It is quite possible the number of potentially exploitable machines is much, much higher.
When trying to prioritize patching, organizations should think about both likelihood and impact. BlueKeep being exploited is highly likely, with a "potentially massive impact," Cran said. The impact is so high that even if the flaw had a lower likelihood of being exploited, it should still score highly on the risk calculus of where to apply effort.
“Don't panic, and keep patching based on risk,” Cran said.
Edited: Updated with newer figures as of July 2, from BitSight