First BlueKeep Exploit Hits – Have Lessons Been Learned?
Sivan Nir Nov 21, 2019
A couple of weeks ago, the world woke up to the news of the first BlueKeep exploit. This exploit has been expected since May, when Microsoft took the unusual step of releasing patches for out-of-support product versions alongside a warning that, “it is possible that we won’t see this vulnerability incorporated into malware. But that’s not the way to bet.”
This move by Microsoft underscored BlueKeep’s severity: the vulnerability (CVE-2019-0708) lives in Windows Remote Desktop Services (a standard Windows component), requires no user interaction to be exploited, and allows remote execution of arbitrary code. All of this means that a vulnerable Windows server exposed to the internet is open to direct attack. More than that, the vulnerability is “wormable”, which means that once one machine has been compromised, an exploit can spread automatically to any number of other networked systems.
The First BlueKeep Exploit
It’s easy to imagine some of the initial panic that set in after suspicious Blue Screens of Death started popping up in the honeypots of malware researchers, indicating BlueKeep activity. However, the first BlueKeep exploit landed with less of a bang and more of a whimper. Whether despite or because of the vulnerability’s powerful potential, the exploit was interested purely in generating profit. It bore none of the worm-like characteristics that both Microsoft and the US government had warned of.
The payload in the first BlueKeep exploit is a cryptocurrency miner that accumulates Monero for the malware’s operator on the infected machine. And that’s all it does: it doesn’t spread to peer machines for further infection. Because it falls so far short of the damage a BlueKeep attack could cause, and because the attacker chose to mine at this scale, the exploit is most likely the work of an opportunistic amateur rather than a sophisticated threat actor.
What About the Next BlueKeep Exploit?
The fact that the first BlueKeep exploit was less devastating than it could have been shouldn’t be cause for too much celebration. In the weeks following the initial attacks, Microsoft has been on high alert. Its security team has reinforced its position – that companies should patch immediately – multiple times since the cryptocurrency miners were first spotted. It has also this week taken the somewhat surprising step of denying rumors that a recent ransomware attack was connected to the BlueKeep vulnerability. To its credit, the tech giant is doing everything that it can to help its users to protect against the first major exploitation of the wormable vulnerability.
This doesn’t mean that users are necessarily taking Microsoft’s warnings to heart. Analysis by the SANS Institute showed that there was minimal uptick in patching activity after the mining exploit. Considering how high profile the vulnerability is and how severe an exploit can be, this lack of urgency should be cause for concern. Another more serious attack is likely, and the lessons learned from WannaCry about timely and comprehensive patching shouldn’t be forgotten. Businesses and individuals alike need to ensure that they’re ready for it.
To understand how to mitigate the cryptocurrency mining exploit, it’s first necessary to understand how the criminals managed to gain access. The well-known default RDP port 3389 is surmised to have been left open on victim machines, as it was on the honeypot computers whose raison d’être was to detect this exact type of attack. The only users who will fall victim to this attack will be those who leave this port open and are otherwise not protecting their system with the relevant Windows updates. These are both inactions that fly in the face of recommendations by the security industry and all responsible authorities – anybody practicing good cyber hygiene should be safe.
Otherwise, the most important thing you can do to protect against BlueKeep is to apply the patches supplied by Microsoft back in May. If you’re working with large, fragmented networks this will be more complex than it sounds. Further advice about how to mitigate BlueKeep through passive vulnerability assessment, exposure analysis of vulnerability scan results, and determining reachability of vulnerable assets can be found in this blog.
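The two conditions the previous paragraphs describe (an affected Windows version that is missing the May 2019 fix, and TCP 3389 reachable by an attacker) are exactly what an exposure analysis of vulnerability-scan results has to combine. The script below is an added example and is not code from the original post: it takes a constructed CSV export (the column names and every host in it are made up for illustration) and ranks each host by how directly BlueKeep could reach it. The affected-version list is the one Microsoft named in its advisory for CVE-2019-0708; Windows 8 and later are not affected. Network Level Authentication is recorded only as a partial mitigation, since Microsoft noted it blocks unauthenticated exploitation but not an attacker who already holds valid credentials.

```python
"""Exposure analysis of vulnerability-scan results for BlueKeep (CVE-2019-0708).

Added example. The CSV below is constructed sample data, not a real scan export;
the column names are an assumption about the scanner's output format.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample scan export: one row per host (not real data).
SAMPLE_SCAN_CSV = """host,os,port_3389_open,patched_cve_2019_0708,nla_enabled,reachable_from
web-01,Windows Server 2008 R2,yes,no,no,internet
file-02,Windows 7,yes,no,yes,internal
dc-03,Windows Server 2008 R2,yes,yes,yes,internal
kiosk-04,Windows XP,no,no,no,internal
app-05,Windows Server 2016,yes,no,no,internet
"""

# Versions Microsoft listed as affected by CVE-2019-0708 (Windows 8 and later are not).
AFFECTED_OS = {
    "Windows XP", "Windows Server 2003", "Windows Vista",
    "Windows Server 2008", "Windows 7", "Windows Server 2008 R2",
}

# Lower number = handle first.
TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "remediated": 3, "not_affected": 4}


@dataclass
class Finding:
    host: str
    tier: str
    reasons: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def _flag(value: str) -> bool:
    """Interpret a yes/no style scanner field as a boolean."""
    return value.strip().lower() in {"yes", "true", "1"}


def parse_scan(text: str) -> list:
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def assess(row: dict) -> Finding:
    """Combine OS, patch state and 3389 reachability into a single risk tier."""
    host = row["host"]
    os_name = row["os"].strip()
    if os_name not in AFFECTED_OS:
        return Finding(host, "not_affected", [f"{os_name} is not an affected version"])
    if _flag(row["patched_cve_2019_0708"]):
        return Finding(host, "remediated", ["May 2019 fix installed"],
                       ["confirm with a credentialed rescan"])

    port_open = _flag(row["port_3389_open"])
    internet = row["reachable_from"].strip().lower() == "internet"
    reasons = [f"{os_name} without the CVE-2019-0708 fix"]
    actions = ["install the May 2019 security update"]

    if port_open and internet:
        tier = "critical"
        reasons.append("TCP 3389 reachable from the internet")
        actions.append("block inbound 3389 at the perimeter until patched")
    elif port_open:
        tier = "high"
        reasons.append("TCP 3389 reachable internally (wormable lateral spread)")
        actions.append("restrict 3389 to management networks")
    else:
        tier = "medium"
        reasons.append("TCP 3389 not reachable in this scan; exposure can change")

    if _flag(row["nla_enabled"]):
        reasons.append("NLA enabled: partial mitigation (blocks unauthenticated exploitation only)")
    else:
        actions.append("enable Network Level Authentication")
    return Finding(host, tier, reasons, actions)


def prioritize(rows: list) -> list:
    """Assess every host and order the findings from most to least urgent."""
    return sorted((assess(r) for r in rows), key=lambda f: (TIER_ORDER[f.tier], f.host))


def summarize(text: str) -> dict:
    """Count hosts per tier for a quick patch-progress view."""
    counts = {}
    for finding in prioritize(parse_scan(text)):
        counts[finding.tier] = counts.get(finding.tier, 0) + 1
    return counts


if __name__ == "__main__":
    for f in prioritize(parse_scan(SAMPLE_SCAN_CSV)):
        print(f"{f.tier:12} {f.host:10} {'; '.join(f.reasons)}")
        for action in f.actions:
            print(f"{'':12} -> {action}")
```

Run against a real export, the same ranking makes the point of the paragraph above concrete: a host that is patched drops out of the urgent list even with 3389 open, while an unpatched affected host stays in it even when the port appears closed, because the reachability in one scan is not a substitute for the update.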