Researcher Posts Demo of BlueKeep Exploit of Windows DeviceMeanwhile, NSA Issues Alert Stressing Urgency of Patching
A security researcher has posted a proof-of-concept demonstration showing how an attacker could exploit the so-called BlueKeep vulnerability to take over a Windows device in a matter of seconds.
Meanwhile the U.S. National Security Agency has issued an alert urging organizations to patch devices that have the BlueKeep vulnerability.
The researcher, who goes by the handle Zǝɹosum0x0, released a demonstration of this exploit earlier this week for Metasploit, an open source penetration testing toolkit. Because a large number of Windows devices remain unpatched for the BlueKeep vulnerability, the researcher did not release the full code, citing the danger that someone is likely to exploit it for malicious purposes.
Rough draft MSF module. Still too dangerous to release, lame sorry. Maybe after first mega-worm?— zǝɹosum0x0 (@zerosum0x0) June 4, 2019
PATCH #BlueKeep CVE-2019-0708
The video and demo Zǝɹosum0x0 released on Tuesday shows the exploit completing a full takeover of a vulnerable Windows machine within 22 seconds. Security researchers are urging IT teams to apply the patch Microsoft released on May 14 as soon as possible.
In May, Microsoft took the unusual step of issuing two separate security warnings about BlueKeep, a vulnerability within the company's Remote Desktop Protocol service that could enable attackers to use a worm-like exploit to take over devices running unpatched older Windows operating systems (see: Microsoft Sounds Second Alarm Over BlueKeep Vulnerability).
The vulnerability affects Windows XP, Windows 7, Windows 2003 and Windows Server 2008, the company notes. Newer versions of Windows, including Windows 8 and Windows 10, are not affected.
Some researchers have compared BlueKeep to EternalBlue, the Windows vulnerability that later opened the door to the WannaCry and NotPetya ransomware attacks of 2017. Because the BlueKeep vulnerability does not require user interaction, an exploit could spread malware from one vulnerable machine to another within a network in the same way that the WannaCry ransomware was "wormable."
Although Microsoft released a patch for BlueKeep on May 14, one researcher recently estimated that nearly 1 million devices remain unpatched and vulnerable (see: 1 Million Windows Devices 'Vulnerable to Remote Desktop Flaw').
In addition to Microsoft's warnings, the NSA on Tuesday released its own alert concerning BlueKeep this week, urging IT and security teams to apply to patch before malicious exploits are released.
"It is likely only a matter of time before remote exploitation code is widely available for this vulnerability," according to the NSA alert. "NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems."
Besides applying the patch, the NSA recommends security teams take three other steps to keep attackers from taking advantage of BlueKeep:
- Block TCP Port 3389 at the firewall, because the port is used by the Remote Desktop Protocol and attackers could use an open port to establish a connection to the network;
- Enable network-level authentication because an attacker would need valid credentials to perform remote code authentication;
- Disable Remote Desktop Services if these tools are not being used.
Only a Matter of Time
As the Zǝɹosum0x0 proof-of-concept shows, it's only a matter of time before an attacker takes advantage of BlueKeep. As part of his demonstration, Zǝɹosum0x0 shows the exploit working on an unpatched machine running Windows Server 2008.
The researcher showed how an attacker could also use the credential-stealing tool Mimikatz to gather even more data, including administration passwords and logins, and take over the entire device.
Besides this demonstration,Zǝɹosum0x0 and other researchers have released their own BlueKeep scanning tools to check for vulnerable devices without crashing the network.
Other security firms have also developed exploits to take advantage of this type of Remote Code Execution. For instance, McAfee published a post about an exploit it developed, although all the code remains private.
Zerodium, Kaspersky, Check Point, MalwareTech and Valthek have also developed private exploits for BlueKeep to demonstrate how vulnerable unpatched systems are to this flaw.
Last week, British security researcher Marcus Hutchins, who discovered the "kill switch" that helped stem the WannaCry attacks two years ago, wrote that some people are posting fake code to GitHub and other software repositories to hide or obscure the truly dangerous exploits being developed.