BlueKeep, the Global Cyber Security Threat We Can Still Prevent
This blog post will continue to be updated as events around BlueKeep unfold. The goal is to proactively reduce the impact of a vulnerability that could affect systems at a global scale.
Looking back at this time, it would be nice to say, “We avoided the next WannaCry!” instead of, “I wish we could have avoided WannaCry2…”
UPDATE July 24, 2019 – Chris Goettl
If you caught our webinar from May 22, 2019 on BlueKeep, we discussed what form the next ‘WannaCry’ might take. It turns out we may have been dead on: a BlueKeep scanner has been discovered in the Watchdog cryptomining malware. Watchdog has not been used for more destructive purposes such as ransomware, damaging data, or capturing sensitive data. The article includes a Q&A with the team behind Watchdog. Their stated purpose is to “make the internet a safer place,” and apparently if they can make a buck at the expense of those who are not securing their environments, in order to prove what companies need to do to secure them, it’s all good.
UPDATE July 23, 2019 – Chris Goettl
Pen-testing vendor Immunity Inc announces the availability of a fully working PoC exploit for BlueKeep. The exploit itself is not wormable, but any threat actor can build or acquire tooling to spread malware in a variety of ways. The number of public-facing systems exposed to BlueKeep has dropped from over 1 million to around 805,000, but that is still a very high number, and behind each of them could sit many more internal systems that are also unpatched.
UPDATE July 1, 2019 – Chris Goettl
Sophos releases a video showing the exploit they engineered for BlueKeep. Far too many public-facing systems remain exposed to this wormable vulnerability. Sophos’ demonstration shows how an attacker can remotely exploit BlueKeep without authentication and gain SYSTEM-level access on the affected machine.
UPDATE June 4, 2019 – Chris Goettl
Microsoft doesn’t beg, but a second advisory “reminding” everyone to patch the BlueKeep vulnerability (CVE-2019-0708) is quite out of the ordinary. On May 30, Simon Pope, Director of Incident Response at the Microsoft Security Response Center, issued the reminder urging everyone to update their systems as soon as possible. He reiterated that over 1 million internet-connected systems are vulnerable to BlueKeep. He went on to state that it is possible we will not see this vulnerability exploited in the wild, but that’s not the way to bet.
He goes on to remind folks of the EternalBlue timeline from 2017, which I will reiterate here along with this comment:
Do you really think no one will take advantage of this vulnerability? Are you willing to bet on that?
Almost two months passed between the release of fixes for the EternalBlue vulnerability and when ransomware attacks began. Despite having nearly 60 days to patch their systems, many customers had not.
A significant number of these customers were infected by the ransomware.
- March 14, 2017: Microsoft releases security bulletin MS17-010 which includes fixes for a set of SMBv1 vulnerabilities.
- April 14, 2017: ShadowBrokers publicly releases a set of exploits, including a wormable exploit known as ‘EternalBlue’, that leverage these SMBv1 vulnerabilities.
- May 12, 2017: The EternalBlue exploit is used in ransomware attacks known as WannaCry. Hundreds of thousands of vulnerable computers across the globe are infected.
UPDATE May 28, 2019 – Brian Secrist
Developments around BlueKeep have not slowed down over Memorial Day weekend. Security researcher Robert Graham of Errata Security ran an internet-wide scan for vulnerable machines and found that nearly 1 million were currently exploitable.
Researchers are not the only ones scanning for public-facing machines. ZDNet has a great article detailing additional scanning activity through Tor exit nodes detected by GreyNoise, a threat intelligence firm. The article also offered an important reminder:
“Until now, no one researcher or security firm has published any such demo exploit code -- for obvious reasons, since it could help threat actors start massive attacks.
Nonetheless, several entities have confirmed that they've successfully developed exploits for BlueKeep, which they intend to keep private. The list includes Zerodium, McAfee, Kaspersky, Check Point, MalwareTech, and Valthek.”
For those that have not patched BlueKeep yet, it is only a matter of time before the first malicious exploit is distributed. Make sure your environments do not contribute to the same historical toll that WannaCry inflicted.
UPDATE May 22, 2019 – Brian Secrist
The proofs of concept are beginning to mature, and we are seeing far more demonstrations than before. BleepingComputer posted a great article today detailing McAfee Labs’ proof of concept, which moves beyond the denial-of-service result that had been demonstrated previously.
Within the demo, the security researchers executed elevated code on the endpoint, opening calc.exe in this example. The alarming aspect of this seemingly benign action is that an attacker can run arbitrary code on the endpoint, from which malware could begin spreading to other unpatched, vulnerable endpoints.
While the researchers verified complete remediation through Microsoft’s Patch Tuesday updates, they also offered mitigations for cases where patching is not immediately possible:
- Enable Network Level Authentication (NLA), which blocks the unauthenticated path to this vulnerability. An attacker who holds valid credentials for the target, even low-privilege ones, can still authenticate and then exploit it, so NLA is a mitigation, not a fix.
- Disable the Remote Desktop service where possible, as this completely removes the attack vector.
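The following script is an added example written for this post; it is not code from McAfee, Microsoft, or the original article. It audits a single Windows host for the conditions under which the unauthenticated path to CVE-2019-0708 is reachable (affected OS family, RDP enabled, NLA not required, fix not installed) and can apply the two mitigations above. It assumes an elevated PowerShell 3.0 or later session, so it targets Windows 7 and Server 2008 R2 rather than XP or Server 2003 (which top out at PowerShell 2.0; there, inspect the same registry values with reg query). The switch names, the -KB parameter, and the script filename are this example’s own conventions; the KB number itself must be taken from Microsoft’s advisory for the OS in question.

```powershell
<#
  Added example (not from the original post, McAfee, or Microsoft): audit a host's
  exposure to CVE-2019-0708 and optionally apply the two mitigations above.
  Assumes PowerShell 3.0+ running elevated on Windows 7 / Server 2008 R2.
  -EnforceNLA, -DisableRDP and -KB are this example's own conventions.
#>
param(
    [switch]$EnforceNLA,   # mitigation 1: require NLA on the RDP-Tcp listener
    [switch]$DisableRDP,   # mitigation 2: deny RDP connections and disable TermService
    [string]$KB            # KB number of the May 2019 fix for this OS (from the advisory)
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null rather than throwing when the key or value is absent
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$osVer    = [Environment]::OSVersion.Version
$svc      = Get-Service -Name TermService -ErrorAction SilentlyContinue
$svcState = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
$denyTS   = Get-RegValue $tsKey  'fDenyTSConnections'   # 1 = Remote Desktop turned off
$nla      = Get-RegValue $rdpTcp 'UserAuthentication'   # 1 = NLA required
$secLayer = Get-RegValue $rdpTcp 'SecurityLayer'        # 0 = RDP, 1 = Negotiate, 2 = TLS
$rdpPort  = Get-RegValue $rdpTcp 'PortNumber'

# Only meaningful when the operator supplies -KB; otherwise treated as "unknown".
$fixInstalled = $null
if ($KB) { $fixInstalled = [bool](Get-HotFix -Id "KB$KB" -ErrorAction SilentlyContinue) }

# Windows 8 / Server 2012 (6.2) and later are not affected. Everything below 6.2 is in
# the family listed in the post: XP 5.1, Server 2003 5.2, Server 2008 6.0, 7 / 2008 R2 6.1.
$affectedFamily = ($osVer -lt [Version]'6.2')
$rdpEnabled     = ($denyTS -ne 1)
$nlaRequired    = ($nla -eq 1)

# The pre-auth code path is reachable only when all of these hold at once.
$exposedPreAuth = $affectedFamily -and $rdpEnabled -and (-not $nlaRequired) -and (-not $fixInstalled)

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    OSVersion        = $osVer.ToString()
    AffectedFamily   = $affectedFamily
    FixInstalled     = $fixInstalled        # $null when -KB was not supplied
    TermServiceState = $svcState
    RDPEnabled       = $rdpEnabled
    NLARequired      = $nlaRequired
    SecurityLayer    = $secLayer
    RDPPort          = $rdpPort
    ExposedPreAuth   = $exposedPreAuth
} | Format-List

if ($EnforceNLA -and -not $DisableRDP) {
    # NLA forces CredSSP authentication before a session is created, so an
    # unauthenticated client never reaches the vulnerable code. TLS (SecurityLayer=2)
    # is set alongside it so the listener does not fall back to legacy RDP security.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord
    Write-Host 'NLA enforced on RDP-Tcp. Existing sessions are unaffected; new ones must authenticate first.'
}

if ($DisableRDP) {
    # Deny new connections, then stop and disable the service so it does not return on reboot.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue
    Set-Service  -Name TermService -StartupType Disabled
    Write-Host 'Remote Desktop disabled and TermService set to Disabled.'
}
```

Run it once without switches to get the report (for example `.\Test-BlueKeepExposure.ps1 -KB <number from the advisory>`), and treat `ExposedPreAuth = True` as the queue for patching. `-EnforceNLA` is the safer interim step for hosts that still need RDP, but remember the caveat above: anyone with a valid account on the box can still authenticate through NLA and reach the bug, so it buys time rather than closing the hole. Note that the script reads the local machine only; it says nothing about whether port 3389 is reachable from the internet, which is the separate question the scan counts in this post are answering.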
UPDATE May 20, 2019 – Chris Goettl
Proof-of-concept code is starting to appear. Multiple researchers have independently reached the point where they can reliably blue screen a system by exploiting the vulnerability. None of these has achieved code execution yet.
Ivanti is hosting a live webinar on Wednesday, May 22, to discuss Everything You Need to Know About BlueKeep.
Microsoft has announced the BlueKeep vulnerability, a wormable Remote Desktop vulnerability with a high potential of being exploited on legacy operating systems.
Be warned, this vulnerability can be exploited remotely with no authentication required. Protect yourself from what people are calling the next WannaCry.
In this special edition webinar, the Patch Tuesday team is back to give you insights into:
- Breaking news about the exploit
- What you need to know about BlueKeep
- Steps to protect your systems
- How to avoid issues like this in the future
- How Ivanti’s free 60 day trial of Ivanti Security Controls can help
UPDATE May 15, 2019
- Are You Ready For the New WannaCry? – James Ley
- Patch Tuesday Webinar – We discuss BlueKeep two minutes into the webinar.
UPDATE May 14, 2019 – Chris Goettl
Microsoft released the updates for May 2019, including resolutions for 85 unique vulnerabilities. Among these is CVE-2019-0708, a vulnerability in Remote Desktop Services (formerly Terminal Services). The vulnerability affects the still-supported Windows 7, Windows Server 2008 R2, and Windows Server 2008, as well as the out-of-support Windows XP and Windows Server 2003. The CVSSv3 base score for this vulnerability is 9.8, and Microsoft has underscored its severity by releasing public updates for XP and Server 2003, something it does only rarely. Simon Pope of the MSRC team released this article urging organizations to patch Remote Desktop Services to help prevent a potential worm.
“This vulnerability is pre-authentication and requires no user interaction,” Pope said. “In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. It is important that affected systems are patched as quickly as possible to prevent such a scenario from happening.”
Ivanti urges customers to patch this vulnerability as quickly as possible to reduce the potential impact. Wormable vulnerabilities are too attractive as targets to let pass. Exploit code is coming; it's just a matter of when.