Reverse engineering of BlueKeep patch reveals how dangerous it is
Researchers develop a proof-of-concept attack after reverse engineering the Microsoft BlueKeep patch.
Microsoft’s security team believes that more destructive BlueKeep attacks are on the horizon and urges users and companies alike to apply patches if they’ve been lagging.
The company’s warning comes after security researchers detected the first-ever malware campaign that weaponized the BlueKeep vulnerability.
The attacks, which were detected last weekend, used BlueKeep to break into unpatched Windows systems and install a cryptocurrency miner.
Many security researchers considered the attacks underwhelming and not living up to the hype that was built around BlueKeep for the past six months.
This was because Microsoft said BlueKeep could be used to build wormable (self-spreading) malware. However, the attacks that happened over the weekend did not deploy malware that could spread on its own.
Instead, attackers scanned the internet for vulnerable systems and attacked each unpatched system, one at a time, deploying a BlueKeep exploit, and then the cryptocurrency miner.
This was far from the self-spreading malware outbreak that Microsoft said BlueKeep could trigger. Furthermore, in many cases, the BlueKeep exploit failed to work, crashing systems.
But Microsoft says this is just the beginning, and that attackers will eventually refine their attacks, and that the worst is yet to come.
“While there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners,” Microsoft said today. “We cannot discount enhancements that will likely result in more effective attacks.”
Now, Microsoft is warning and urging users to apply patches — for the third time this year.
“Customers are encouraged to identify and update vulnerable systems immediately,” the company said. “Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. BlueKeep can be exploited without leaving obvious traces; customers should also thoroughly inspect systems that might already be infected or compromised.”
The BlueKeep lowdown
Because there’s been a flood of BlueKeep-related coverage this year, below is a summary of what you need to know. Just the essentials:
- BlueKeep is a nickname given to CVE-2019-0708, a vulnerability in the Microsoft RDP (Remote Desktop Protocol) service.
- BlueKeep impacts only Windows 7, Windows Server 2008 R2, and Windows Server 2008.
- Patches have been available since mid-May 2019. See the official Microsoft advisory.
- On the same day it released patches, Microsoft published a blog post warning about BlueKeep being wormable.
- Microsoft issued a second warning about organizations needing to patch BlueKeep two weeks later, at the end of May.
- The US National Security Agency, the US Department of Homeland Security, Germany’s BSI cyber-security agency, the Australian Cyber Security Centre, and the UK’s National Cyber Security Centre have all issued their own security alerts, trying to get companies to patch outdated computer fleets.
- Many security researchers and cyber-security firms developed fully working BlueKeep exploits over the summer; however, nobody published the code after realizing how dangerous the exploit was and fearing that it could be abused by malware authors.
- In July, a US company started selling a private BlueKeep exploit to its customers, so they could test if their systems were vulnerable.
- In September, the developers of the Metasploit penetration testing framework published the first public BlueKeep proof-of-concept exploit.
- In late October, malware authors started using this BlueKeep Metasploit module in a real-world campaign. Microsoft has published an article about this malware campaign.
- According to BinaryEdge, there are roughly 700,000 internet-connected Windows systems that are vulnerable to BlueKeep, and have yet to receive patches.