Working BlueKeep Exploit Developed by DHS


The Department of Homeland Security urged system administrators to update their Windows machines after testing a working BlueKeep exploit for Windows 2000.

The Department of Homeland Security has confirmed it has developed a working exploit for the “wormable” BlueKeep vulnerability. The agency issued an alert on Monday urging Windows users to update their machines as soon as possible.

The alert heightens concerns that malicious actors could soon also develop their own exploits of the BlueKeep flaw. The critical remote code execution vulnerability (CVE-2019-0708), though fixed in Microsoft’s May Patch Tuesday Security Bulletin, continues to plague the security industry. Experts have warned that it could pave the way for a similar rapidly propagating attack on the scale of the devastating 2017 WannaCry attack.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Monday that it was able to exploit the flaw on a Windows 2000 machine, which marks another operating system impacted by the flaw that was not part of Microsoft’s original alert: “CISA has coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep,” according to its advisory.

The critical bug exists in Remote Desktop Services and impacts older versions of Windows, including Windows 7, Windows XP, Server 2003 and Server 2008, Microsoft said in its original alert. This original alert did not mention Windows 2000 machines.

While Microsoft has released patches for a number of operating systems that are no longer officially supported, including Windows Vista, Windows XP, and Windows Server 2003, the company will not patch Windows 2000 systems, according to a TechCrunch report.

“We strongly recommend that any customers using Windows 2000 should update to a supported operating system as soon as possible,” a Microsoft spokesperson told Threatpost. “Modern operating systems include built-in protections against this, and many other threats.”

Support for Windows 2000 machines ended in 2010. For Windows users running on systems that cannot be patched, CISA recommended that they upgrade end-of-life operating systems, disable unnecessary services and enable network level authentication.
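As an added illustration (not code from CISA, Microsoft or the original article), a read-only PowerShell audit can show whether a host accepts RDP connections and whether network level authentication is required. It assumes a Windows host with PowerShell available and an elevated session; the function names are hypothetical.

```powershell
# Added example: read-only audit of the RDP settings behind the mitigations
# named above (disable unneeded services, require NLA). Changes nothing.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {                      # hypothetical helper name
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-EffectiveValue {                # hypothetical helper name
    param([string]$Name, [string]$LocalPath)
    # A Group Policy value, when present, overrides the local setting.
    $policy = Get-RegValue -Path $polKey -Name $Name
    if ($null -ne $policy) { $policy } else { Get-RegValue -Path $LocalPath -Name $Name }
}

function Get-RdpExposure {                   # hypothetical function name
    $deny = Get-EffectiveValue -Name 'fDenyTSConnections' -LocalPath $tsKey
    $nla  = Get-EffectiveValue -Name 'UserAuthentication' -LocalPath $rdpKey
    $svc  = Get-Service -Name 'TermService' -ErrorAction SilentlyContinue

    $rdpEnabled  = ($deny -eq 0)   # 0 = remote connections allowed
    $nlaRequired = ($nla -eq 1)    # 1 = authenticate before a session is created
    $svcRunning  = ($null -ne $svc -and $svc.Status -eq 'Running')

    $finding = if (-not $rdpEnabled) {
        'RDP connections are denied; leave it off unless it is needed.'
    } elseif (-not $nlaRequired) {
        'RDP is enabled WITHOUT NLA: patch, then require NLA or disable RDP.'
    } else {
        'RDP is enabled with NLA required: still install the CVE-2019-0708 patch.'
    }

    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        RdpEnabled     = $rdpEnabled
        NlaRequired    = $nlaRequired
        ServiceRunning = $svcRunning
        Finding        = $finding
    }
}

Get-RdpExposure | Format-List
```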

For those who are running on systems for which patches are available, CISA joined Microsoft, the National Security Agency and others in urging system administrators to update as soon as possible, warning of the potential WannaCry-level event.

“The Cybersecurity and Infrastructure Security Agency is issuing this Activity Alert to provide information on a vulnerability, known as ‘BlueKeep,’ that exists in the following Microsoft Windows Operating Systems, including both 32- and 64-bit versions, as well as all Service Pack versions,” according to CISA’s alert.

The multiple warnings are warranted. As of the end of May, one million devices were still vulnerable to BlueKeep.

Worries around the vulnerability are mounting: Earlier in June, a researcher created a proof-of-concept Metasploit module for the critical BlueKeep vulnerability, which successfully demonstrates how to achieve complete takeover of a target Windows machine.

At the same time, threat actors are actively sniffing out vulnerable devices. Researchers with GreyNoise in May said that they are “observing sweeping tests for systems vulnerable to the RDP ‘BlueKeep’ (CVE-2019-0708) vulnerability from several dozen hosts around the Internet.”

Satnam Narang, senior research engineer at Tenable, said that the level of attention by CISA and other organizations is “certainly warranted.”

“The writing is on the wall; BlueKeep has the potential to cause widespread devastation, similar to the Wannacry worm in 2017,” he said in an email. “Organizations must act and patch vulnerable systems, or implement mitigations if patching isn’t easily viable.”
