When news broke about the Spectre and Meltdown vulnerabilities at the start of 2018 a lot of fuss was made as to how potentially dangerous these vulnerabilities were if exploited correctly. The fuss may have been justified as it may have provoked people to update their systems when patches were released. Even if you are not Nostradamus you could predict that a similar vulnerability would grab headlines for the danger it posed. That vulnerability did come forth in May of this year, CVE-2019-0708, named BlueKeep. The jury is still out on whether it needed the attention given to it and whether it posed the danger, namely been wormable, as advertised. Microsoft is still warning users that the threat is real and can be leveraged in dangerous attacks.
The latest warning by the Redmond tech giant comes as security researchers Kevin Beaumont and Marcus Hutchins discovered that BlueKeep was been used in the wild to distribute malware. The vulnerability itself was classified as an unauthenticated remote code execution vulnerability in Remote Desktop Services on Windows 7, Windows Server 2008, and Windows Server 2008 R2. Microsoft released a patch on May 14 and it is advised that IT departments including admins ensure that the patch has been installed. What was discovered by researchers was that hackers were attempting to use the vulnerability to gain access to vulnerable systems to install a coin miner, a specific piece of malware designed to use a machine's CPU to mine cryptocurrency.
The discovery was made in October and researchers noted that the same command and control server used in the attack was seen been used in an attack in September, also distributing a coin miner. Researchers also noted that often attempts to exploit BlueKeep would result in system crashes and the end-user been presented with the fabled blue screen of death, one of the reasons the vulnerability was named Bluekeep. The attackers in this instance have not overcome the likelihood of a crash, however, when the target system did not crash the coin miner was installed. Microsoft detected coin miner infections on machines in mainly France, Russia, Italy, Spain, Ukraine, Germany, and the United Kingdom. Once the attacker found a vulnerable machine they attempt to use BlueKeep to gain access to the machine. Once access is gained the exploit runs a script via the PowerShell which in turn downloads and executes several other PowerShell scripts.
Microsoft warns that further, more serious, attacks leveraging BlueKeep are a distinct possibility stating that,
“Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks. In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners…The new exploit attacks show that BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check. Customers are encouraged to identify and update vulnerable systems immediately. Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.”
When details of the vulnerability were released Microsoft warned that BlueKeep could be exploited in such a way that it could be spread from one vulnerable machine to another across a network. This lateral movement occurred during the WannaCry outbreak which made international headlines in 2017. This ability of certain malware strains to spread laterally is often described as being “wormable”. A worm is often defined as a piece of malware that spreads by replicating itself across other machines. The process of replication is done without human intervention and is a feature of the malware. The only requirement it is believed for BlueKeep to spread in this way is that another computer on the same network has not had the vulnerability patched.
Microsoft again warned on May 30 that the vulnerability could be exploited by wormable malware. This time it was noted that nearly a million computers were vulnerable to BlueKeep and had not been patched despite the patch been released earlier that month. It was noted that many of those vulnerable machines were connected to corporate networks. To date, there have been no wormable attacks exploiting BlueKeep but Microsoft still warns, for a third time, that other RDP attacks are possible, with researchers stating,
“Customers are encouraged to identify and update vulnerable systems immediately. Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.”
Whether it is proved that BlueKeep is indeed wormable or not is no reason not to patch vulnerable systems. The reality is that a coin miner has been seen distributed in the wild to leverage the vulnerability. While not able to distribute laterally across the network yet, it may in the future. Despite this RDP attacks are nothing to scoff at as they often do not require end-user interaction, rather they need to exploit a vulnerability to initially gain access to a vulnerable computer then malicious code can be executed at will. In the future, it may not be coin miners, but banking trojans or ransomware being distributed.