Microsoft has urged people to patch their Windows systems following the report of widespread attacks based on the BlueKeep vulnerability.
BlueKeep is the code name for a security hole dubbed CVE-2019-0708, first revealed in May 2019. The flaw, in Windows 7 and Windows Server 2008, allows attackers to break into a computer through the Windows Remote Desktop Protocol (RDP) – without bothering with the RDP logon screen first.
Exploiting the vulnerability was technically difficult, creating a tense race to patch systems in the wild before someone released an exploit.
There’s a full discussion of the BlueKeep attack in the Naked Security podcast this week:
Click-and-drag on the soundwaves below to skip to any point in the podcast.
Security researcher Kevin Beaumont, who regularly monitors a network of honeypot devices to detect BlueKeep attacks, first raised the alarm on 2 November 2019:
huh, the EternalPot RDP honeypots have all started BSOD'ing recently. They only expose port 3389. pic.twitter.com/VdiKoqAwkr— Kevin Beaumont (@GossiTheDog) November 2, 2019
The crashes started on 23 October, he said.
Those machines were the canaries in the coal mine, as they only exposed the port used for the RDP service susceptible to the BlueKeep vulnerability.
However, the exploit wasn’t being used to spread a worm, according to MalwareTech, aka Marcus Hutchins.
In an analysis of the attack code, Hutchins found that it used a BlueKeep exploit published in Rapid7’s Metasploit pen testing suite on 6 September. Instead of self-propagating, the attack based on this exploit installed a cryptocurrency miner.
Microsoft already had eyes on the attack. In a blog post on 7 November, it said that the attacks on Beaumont’s RDP honeypot triggered a behavioural detection mechanism in its Defender Advanced Threat Protection (ATP) enterprise security service. The company had installed a filter to look for the Metasploit exploit in September, it said.
The behavioural detection mechanism detected 10 times as many crashes in RDP-enabled endpoints daily starting on 6 September, spiking from 10 to 100.
The company warned that this may not be the last BlueKeep exploit we see. It said:
Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks. In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.
The company repeated the same advice that it has been giving to people since it first revealed the BlueKeep exploit: patch your systems.
Naked Security Principal Research Scientist Paul Ducklin had this to say:
If you are worried about BlueKeep because you haven’t patched yet, then you are probably missing a full six months of patches to go along with the BlueKeep one, which came out back in May 2019.
So take this BlueKeep alert as a general-purpose wakeup call, and stop putting off those updates. Patch early, patch often, so you aren’t giving even unsophisticated cybercrooks a free pass into your network.