Fearing WannaCry-Level Danger, Enterprises Wrestle with BlueKeep

Fears of a WannaCry-level global attack grow as working exploit info starts to go public.

The nightmare vision of a “mega-worm” global BlueKeep infection could be closer to becoming reality as working exploits are now becoming available to the public, and there’s evidence that adversaries are actively scanning for the vulnerability.

Researchers weighed in with Threatpost about how enterprises can thwart the critical Windows remote code-execution (RCE) vulnerability, even if immediate patching is too large an ask.

By way of background, BlueKeep (CVE-2019-0708) is a pre-authentication RCE flaw in Remote Desktop Services that affects older versions of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2. What sets BlueKeep apart is that it is wormable: an exploit can self-propagate from machine to machine with no user interaction, setting the scene for a WannaCry-level, fast-moving infection wave.

“BlueKeep is a use-after-free vulnerability, meaning that the program tries to use memory after it is supposed to have discarded it,” according to a May analysis from security firm Sophos. “The vulnerability lies in termdd.sys, which is the RDP kernel driver. A user can exploit this by opening an RDP connection to a remote computer called a channel – in this case a default RDP channel called MS_T120 – and sending specially crafted data to it.”

Security researchers have said that creating an exploit has been difficult, often leading to crashing and DoSing the target machine rather than RCE. However, some have been able to create working exploits (including the Department of Homeland Security), but have kept mum on the details in order to protect the public.

That changed last week when an exploit went up for sale via a security firm that would allow an attacker to run code remotely on the compromised machine and then create a worm that uses RDP to exploit other machines without any human interaction.

Immunity Inc. said via Twitter that it has added a working BlueKeep exploit module to its CANVAS automated exploitation platform, which is available as a subscription (albeit at an expensive monthly rate).

Dave Aitel, CTI at Immunity’s parent company, Cyxtera, said via email that the company decided to release the exploit because “it’s important for organizations to understand their actual risk and determine if their defenses are effectively protecting them.”

When asked why the tool ships a full RCE exploit rather than just a scanner to find vulnerable systems, he added, “Our objective is to help customers solve their risk problems. It’s not just about BlueKeep – there will always be another vulnerability that comes along and puts you at risk. Many modern systems do anomaly detection on network traffic, or endpoint behavioral analysis to catch exploitation of flaws like BlueKeep. Testing these kinds of systems requires a working RCE exploit. Likewise, simply doing a demo to upper management of ‘here is us hacking our systems’ is a common use for red teams as they gather support to replace or upgrade their systems. The end goal should be addressing the entirety of risk rather than focusing on any single exploit.”

He said that it took about two months to develop the exploit, and that “it’s getting more stable all the time.” The company plans to update it regularly.

Meanwhile, on GitHub, proof-of-concept code detailing a workable exploit has appeared in at least two places, according to researchers at Sophos. First, a series of Chinese-language slides that claim to explain how to exploit the vulnerability were posted. Then, a researcher published a Python PoC that works on Windows XP (but would probably crash Windows 7 or Server 2008 machines, he said). Sophos said that the latter posting doesn’t include an executable shellcode payload, but that the information is enough to help threat actors get disturbingly far along the road to mounting a real-world campaign.

Meanwhile, the firm Intezer has found that attackers are already scanning actively for the vulnerability.

“We have discovered a new version of WatchBog—a cryptocurrency-mining botnet operational since late 2018—that we suspect has compromised more than 4,500 Linux machines in newer campaigns taking place since early June,” researchers there explained last week. “Among the new Linux exploits, this version of WatchBog implements a BlueKeep RDP protocol vulnerability scanner module, which suggests that WatchBog is preparing a list of vulnerable systems to target in the future or to sell to third-party vendors for profit.”

Overall, the tipping point on BlueKeep campaigns starting to appear in the wild appears to be approaching sooner rather than later, according to BitSight director of security research Dan Dahlberg.

“The threat to these unpatched systems is continuing to grow, and the milestones achieved by both nefarious actors and those in the security community are demonstrating that the barrier to exploitability using this vulnerability is continuing to decrease,” he told Threatpost. “Unpatched systems not only remain a threat to those organizations operating them but also to their third parties, organizations and end-users that do business with them. Unfortunately with the escalation of exploit development and with the remediation pattern that we have been observing, we might not see widespread application of a patch before these systems and others end up being compromised.”

Patches for CVE-2019-0708 appeared in May. The BlueKeep concern is big enough that Microsoft even took the unusual step of deploying patches to Windows XP and Windows 2003, which are end-of-life and no longer supported by the computing giant. It has also issued multiple follow-on advisories urging administrators to patch. However, the patching process is going slowly.

As of July 2, approximately 805,665 systems that are vulnerable to BlueKeep remain online, according to a recent status update from BitSight – down from 1 million in May.

The number of susceptible systems represents a decrease of 17.18 percent (167,164 systems) since May 31; of those, 92,082 have been patched but still expose RDP externally. That works out to an average of 5,224 fewer exposed vulnerable systems per day, whether by patching, taking them offline or replacing them.

In other words, the security effort isn’t going fast enough, according to researchers.

“There is very little time from when an internet-facing endpoint is made available to when it starts to undergo attack,” said Justin Fox, director of DevOps for NuData Security, speaking to Threatpost. “While Microsoft has released a patch for BlueKeep, the rollout has been slow by organizations. Organizations need to react faster to patch vulnerabilities – software related issues are not new.”

Richard Gold, head of security engineering at Digital Shadows, told Threatpost that patching issues have a few root causes.

“I have spoken to some of our customers and one of the major issues that they have is simply finding all the machines that are vulnerable,” he said. “Then, secondarily, is the issue of taking those machines offline to patch, particularly in the cases where there is not a hot standby, a secondary system which can be used to cover for the primary.”
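The inventory problem Gold describes has a network-side half that can be automated. The following Python probe is an added example, not code from the article or from any vendor quoted in it: it sends the X.224 Connection Request defined in MS-RDPBCGR with only standard RDP security requested and classifies the server's Connection Confirm, reporting whether a host answers on 3389 at all and whether it insists on Network Level Authentication (CredSSP) before any channel is negotiated. NLA is a partial mitigation Microsoft listed for CVE-2019-0708 because, with NLA enforced, the channel handling where the bug lives is only reachable after a successful logon. The sample Connection Confirms embedded below are constructed for offline use, and the port, timeout and command-line host list are illustrative assumptions. Caveat: the negotiation result says nothing about patch status, since the May fix does not change it; a host reported here as reachable may or may not be patched, and NLA does not stop an attacker who already holds valid credentials, so on-host hotfix verification is still required.

```python
"""Network-side RDP triage probe for BlueKeep exposure (added example, not from the article).

Sends the X.224 Connection Request from MS-RDPBCGR with only standard RDP security
requested and classifies the server's Connection Confirm. It shows which hosts expose
RDP and whether they demand NLA first; it cannot tell whether the host is patched.
"""
import socket
import struct
import sys

# RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE values (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1, 2.2.1.2.2)
PROTOCOL_RDP = 0x00000000       # legacy "standard RDP security", no NLA
PROTOCOL_SSL = 0x00000001       # TLS transport, still no NLA
PROTOCOL_HYBRID = 0x00000002    # CredSSP, i.e. Network Level Authentication
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
SSL_REQUIRED_BY_SERVER = 0x00000001
HYBRID_REQUIRED_BY_SERVER = 0x00000005
HYBRID_EX_REQUIRED_BY_SERVER = 0x00000006

X224_CONNECTION_REQUEST = 0xE0
X224_CONNECTION_CONFIRM = 0xD0


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 CR TPDU + RDP_NEG_REQ asking only for `requested_protocols`."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # CR code, DST-REF, SRC-REF, class option; no routing cookie
    cr_fixed = struct.pack(">BHHB", X224_CONNECTION_REQUEST, 0, 0, 0)
    x224 = struct.pack("B", len(cr_fixed) + len(neg_req)) + cr_fixed + neg_req
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))
    return tpkt + x224


def classify_response(data):
    """Map a Connection Confirm to a triage verdict.

    'nla-required'       server refuses anything but CredSSP, so an unauthenticated
                         client never reaches channel negotiation
    'pre-auth-reachable' server accepts standard RDP security or TLS without NLA,
                         so channel negotiation is reachable before any logon
    'unexpected'         not a recognisable Connection Confirm
    """
    if len(data) < 11 or data[0] != 3 or data[5] != X224_CONNECTION_CONFIRM:
        return "unexpected"
    li = data[4]                      # X.224 length indicator (bytes after it)
    if li < 6:
        return "unexpected"
    if li == 6:
        # No RDP_NEG_* payload at all: the server predates the negotiation
        # extension (Windows XP / Server 2003) and only speaks standard RDP security.
        return "pre-auth-reachable"
    if len(data) < 19:
        return "unexpected"
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == TYPE_RDP_NEG_RSP:
        # value is selectedProtocol; only HYBRID means NLA was negotiated
        return "nla-required" if value & PROTOCOL_HYBRID else "pre-auth-reachable"
    if neg_type == TYPE_RDP_NEG_FAILURE:
        # value is failureCode
        if value in (HYBRID_REQUIRED_BY_SERVER, HYBRID_EX_REQUIRED_BY_SERVER):
            return "nla-required"
        if value == SSL_REQUIRED_BY_SERVER:
            return "pre-auth-reachable"
    return "unexpected"


def probe(host, port=3389, timeout=3.0):
    """Connect, send the request, classify the reply; 'closed-or-filtered' on any socket error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_connection_request())
            data = sock.recv(1024)
    except OSError:
        return "closed-or-filtered"
    return classify_response(data)


# Constructed Connection Confirms for offline use (not captured from real hosts).
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_LEGACY_NO_NEGOTIATION = bytes.fromhex("0300000b06d00000123400")
SAMPLE_STANDARD_RDP_SELECTED = bytes.fromhex("030000130ed000001234000200080000000000")
SAMPLE_TLS_ONLY_REQUIRED = bytes.fromhex("030000130ed000001234000300080001000000")

if __name__ == "__main__":
    # Usage: python rdp_probe.py host1 host2 ...  (only hosts you are authorised to scan)
    for target in sys.argv[1:]:
        print(f"{target}\t{probe(target)}")
```

Hosts reported as pre-auth-reachable are the ones to pull off the internet or fence off first, in line with Weber's advice further down; for nla-required hosts the exposure is limited to whoever holds valid credentials. Neither verdict replaces confirming on the host that the May update is installed.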

Fox said there are alternatives to immediate patching, chiefly the usual mitigating network controls.

“Similar to VPN-based protection, if the endpoint must be internet-facing, securing it with RADIUS (multifactor authentication) and using firewall software to rate limit or restrict traffic access is crucial,” he said. “These technologies can even be applied to internal-only VDI endpoints, mitigating internal threats. AWS provides these mitigations and there are easy-to-access services that software architects or engineers can use to build their VDI solutions.”

Mike Weber, vice president at Coalfire, told Threatpost that removing these systems from the internet is a good first step.

“We urge organizations to at a minimum block RDP access from the internet while they plan for the patch,” he told Threatpost.

However, he stressed that patching is not optional, thanks to the wormable aspect of the vulnerability.

“This is not a problem that only impacts internet-exposed systems,” he stressed. “Patching internal systems is imperative to protecting your business. Delivering code to a workstation inside a network is a trivial task – it happens all the time via phishing attacks. If an attacker were to package this exploit into a phishing payload designed to search for vulnerable systems and exploit those, it could potentially result in compromise of your entire enterprise. Companies must learn from previous large-scale examples, such as NotPetya, that patching is an essential part of any security program.”
