Microsoft warned of the dangers of the BlueKeep vulnerability last year in August 2019. Seqrite also did a detailed breakdown of the exploit in an article last year where we advised users to patch their systems immediately.
To recap, the CVE-2019-0708 vulnerability, also known as BlueKeep, affects systems exposing Remote Desktop Protocol (RDP) and enables attackers to compromise vulnerable systems without any user interaction. Because the flaw is wormable, malware exploiting it can spread on its own to other vulnerable systems, much as WannaCry did. Since exploit code is public, it can be easily used even by script kiddies; some sources have suggested that attackers were already dropping Monero cryptocurrency miners on unpatched systems by exploiting it.
Regular warnings to patch systems
Despite the release of timely patches, the danger has not been averted just yet. Just a few days later, Microsoft released another patch, warning about four BlueKeep-like exploits in the wild. They work in a similar way to BlueKeep, abusing RDP to execute malicious code on affected systems. The key difference is scope: while BlueKeep affected older versions of Windows such as XP and Vista, the four new exploits affected all versions of Windows 10 as well.
For any Windows deployment that uses RDP, it is important to patch these systems as soon as possible, because BlueKeep and its related exploits are only likely to proliferate further. We have already seen the kind of damage unpatched systems can cause, as WannaCry demonstrated. A Metasploit BlueKeep exploit module was also released publicly in September 2019, lowering the bar for attackers further.
The first-ever malware campaign using BlueKeep
Later, in November 2019, Microsoft released another warning after the discovery of the first-ever malware campaign that weaponized this vulnerability by breaking into unpatched systems and installing a cryptocurrency miner. On a positive note, this malware campaign was not as malicious as had been previously anticipated – the attacks did not happen through wormable malware and in many cases, the exploit failed to work.
However, that is no reason to lower an enterprise’s security preparedness. As Microsoft warned in its advisory: “While there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.”
Enterprises should pay heed to this warning and ensure that their networks, especially systems with RDP enabled, are kept up to date, applying the latest patches as soon as they are released. As a wormable exploit that is publicly available, BlueKeep represents a dangerous new weapon in the hands of malicious actors. The fact that it has not yet been used in a large-scale attack should not be taken as evidence that it is ineffective. The other perspective is that, precisely because this type of attack has become well known, attackers could tweak aspects of the exploit to evade detection while keeping it wormable, capitalizing on an enterprise’s false sense of security.
Any complacency should be tempered by the memory of the WannaCry attack, which left chaos and destruction in its wake. Enterprises should remain cognizant of BlueKeep-like wormable exploits and continue working hard to ensure early detection and prevention.