Time to Patch: BlueKeep Exploit Is Now Up For Sale
A U.S. company has recently made available, for a fee, a tool that exploits BlueKeep, a security vulnerability in the Remote Desktop Protocol (RDP) service included in older versions of the Windows operating system.
While the commercial availability of this BlueKeep exploit gives legitimate cybersecurity professionals a tool to detect exposed RDP-enabled systems, it also gives malicious actors an opportunity to pirate or legitimately buy this tool for malicious activities.
What Is BlueKeep?
BlueKeep, officially known as CVE-2019-0708, is a vulnerability in the Remote Desktop Protocol (RDP) service included in Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows 2003 and Windows XP. Remote Desktop Protocol, commonly referred to as RDP, is a proprietary protocol developed by Microsoft. This protocol allows a computer user to access another computer over the internet.
On May 14, 2019, Microsoft issued a security update, also known as a patch, fixing the BlueKeep security vulnerability. “To exploit this vulnerability [CVE-2019-0708/BlueKeep], an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP,” Microsoft said. “An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Microsoft considers the BlueKeep vulnerability highly critical, prompting it to uncharacteristically issue a security update even for out-of-support operating systems, including Windows 2003 and Windows XP. In a blog post “Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)”, Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC), wrote that CVE-2019-0708 “is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017”. On May 12, 2017, the WannaCry malware spread to hundreds of thousands of computers worldwide in less than 24 hours.
Following the Microsoft security update, cybersecurity agencies in different countries, including the US, UK, Germany and Canada, issued corresponding security alerts. “The vulnerability [CVE-2019-0708/BlueKeep] allows a remote, unauthenticated actor to run arbitrary code on some Microsoft operating systems running RDS [Remote Desktop Services],” the Canadian Centre for Cyber Security said. “This vulnerability is ‘wormable’, meaning that exploits of this vulnerability could automatically propagate from one vulnerable system to another.”
BitSight reported that as of July 2, 2019, approximately 805,665 Windows systems vulnerable to BlueKeep remained online. This number, BitSight said, is 17.18% lower than the May 31, 2019 data, which showed 972,829 vulnerable Windows systems exposed online.
Immunity Inc., which was recently acquired by Cyxtera, announced via Twitter that it’s including a fully-working BlueKeep exploit within CANVAS, the company’s penetration-testing toolkit which costs between thousands and tens of thousands of US dollars. Immunity released a video showing how CANVAS BlueKeep can achieve remote code execution, allowing an attacker to take over a vulnerable computer by running arbitrary malicious code via opening a shell on infected hosts.
“We happen to be the first commercial company to include this in our product so companies can test to see if their exposed RDP-enabled systems are actually secure against the vulnerability,” Chris Day, Cyxtera’s Chief Cybersecurity Officer and GM, told ZDNet. Day said that their BlueKeep exploit isn’t “self-propagating”, that is, this exploit isn’t capable of propagating from vulnerable computer to vulnerable computer.
Aside from Immunity Inc., other cybersecurity researchers and cybersecurity companies have developed fully-working BlueKeep exploits. They, however, declined to publicly release the proof-of-concept code for fear that this would be abused by malicious actors.
In June this year, reverse engineer Zǝɹosum0x0 tweeted that he developed a fully-working BlueKeep exploit but intends to keep the details private as it’s still “too dangerous to release”. Zǝɹosum0x0 also released a video showing a snippet of how his remote code-execution (RCE) exploit worked on a Windows 2008 desktop and enabled the installation and running of Mimikatz, a tool used by malicious actors to harvest login credentials.
Researchers at McAfee Labs Advanced Threat Research, for their part, developed their own fully-working BlueKeep exploit that made it possible to remotely execute code on a vulnerable Windows operating system without authentication and launch the calculator application. Aside from the mentioned details, researchers at McAfee Labs Advanced Threat Research declined to provide in-depth details about the exploit or publicly release a proof of concept. “As a patch is available, we decided not to provide earlier in-depth detail about the exploit or publicly release a proof of concept,” McAfee researchers said. “That would, in our opinion, not be responsible and may further the interests of malicious adversaries.”
Best Practices – How to Mitigate the Risk
Disabling Remote Desktop Protocol (RDP) and enabling Network Level Authentication are two cybersecurity best practices against BlueKeep. Enabling Network Level Authentication, however, won’t prevent BlueKeep attacks if the attackers get hold of the credentials needed for Network Level Authentication.
The best defence against BlueKeep is keeping your Windows operating system up to date, specifically by applying Microsoft’s May 14, 2019 security update. Applying the latest security update is particularly beneficial if your organization is still using older versions of the Windows operating system, in particular, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows 2003 and Windows XP.
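The three mitigations above can be checked on a machine with a read-only audit; the script below is an added example, not part of the original article or any vendor tool. It reads the standard Terminal Services registry values (with Group Policy overrides) and uses the date of the newest installed update as a heuristic for patch status. A recent update date does not prove the CVE-2019-0708 fix itself is present, so confirm the specific update for your OS in Microsoft's advisory.

```powershell
# Added example (not from the article): read-only audit of the local RDP posture.
# Uses only PowerShell 2.0 features so it also runs on Windows 7 / Server 2008 R2.
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$fixReleased = [datetime]'2019-05-14'   # release date of the update named in the article

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-EffectiveSetting($Name, $LocalPath) {
    # A Group Policy value, when present, overrides the locally configured one.
    $fromPolicy = Get-RegValue $policy $Name
    if ($null -ne $fromPolicy) { $fromPolicy } else { Get-RegValue $LocalPath $Name }
}

$deny = Get-EffectiveSetting 'fDenyTSConnections' $ts       # 1 = RDP connections refused
$nla  = Get-EffectiveSetting 'UserAuthentication' $rdpTcp   # 1 = NLA required

# Heuristic (assumption of this example): newest installed update, by install date.
# Entries without an InstalledOn date are skipped.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn | Select-Object -Last 1

$rdpEnabled      = ($deny -ne 1)   # a missing value is treated as "enabled" to be safe
$nlaRequired     = ($nla -eq 1)
$updatedSinceFix = [bool]($latest -and $latest.InstalledOn -ge $fixReleased)

if (-not $rdpEnabled)          { $verdict = 'RDP disabled' }
elseif (-not $updatedSinceFix) { $verdict = 'RDP enabled, no update since 2019-05-14: patch or disable RDP' }
elseif (-not $nlaRequired)     { $verdict = 'RDP enabled without NLA: enable NLA, confirm the fix is installed' }
else                           { $verdict = 'RDP enabled with NLA: confirm the fix is installed' }

New-Object PSObject -Property @{
    Computer        = $env:COMPUTERNAME
    OS              = (Get-WmiObject Win32_OperatingSystem).Caption
    RdpEnabled      = $rdpEnabled
    NlaRequired     = $nlaRequired
    LatestUpdate    = $(if ($latest) { $latest.InstalledOn } else { 'unknown' })
    UpdatedSinceFix = $updatedSinceFix
    Verdict         = $verdict
} | Select-Object Computer, OS, RdpEnabled, NlaRequired, LatestUpdate, UpdatedSinceFix, Verdict |
    Format-List
```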