Weapons for sale - weaponised BlueKeep ramps up exploit fears

News by Rene Millman

Organisations are urged to update systems to avoid attacks following concerns that exploits using the BlueKeep vulnerability may be soon available to hackers.

There are concerns that exploits using the BlueKeep vulnerability may be soon available to hackers after a US cyber-security company began selling a weaponised version of the flaw as part of a penetration testing utility.
The flaw, known as CVE-2019-0708, exists in the Remote Desktop Protocol (RDP) service included in older versions of the Windows operating system.
A patch for the bug was released by Microsoft mid-May, but many vulnerable systems remain unpatched; the flaw has been described as self-propagating and could spark a WannaCry-style malware outbreak.
In the meantime, the cyber-security industry has hoped that malware authors haven’t created code that exploits the flaw, which if unleashed onto the world could have grave consequences.
Concerns have been raised when it was announced by cyber-security company Immunity had included a fully-working BlueKeep exploit inside CANVAS v7.23, the company’s pen-testing toolkit. The BlueKeep module in Canvas can open a shell on infected hosts.
Other companies have developed exploits, but none have released code fearing the worst. While the utility is accessible only to a select band of customers, it is feared that hackers may gain access to the tool and use it for their own nefarious purposes.
Chris Doman, security researcher at AT&T Alien Labs, told SC Media UK that now  that you can purchase the BlueKeep exploit commercially, "It may not be long before we see it publicly available. Once it's publicly available, it's likely we'll see it used in criminal attacks within a couple of days," he warned.
While there is no evidence of malware authors getting their hands on legitimate BlueKeep exploits, researchers have discovered that operators of WatchBog, a botnet of hijacked Linux servers involved in cryptominiing, have added a BlueKeep scanner to malware used to recruit bots.
According to a blog post by Intezer, the latest version  of WatchBog implements a BlueKeep RDP protocol vulnerability scanner module, which suggests that WatchBog is preparing a list of vulnerable systems to target in the future or to sell to third party vendors for profit.
Paul Litvak, a security researcher with Intezer Labs said that the incorporation of the BlueKeep scanner by a Linux botnet may indicate WatchBog is beginning to explore financial opportunities on a different platform. 
"Currently, no known public RCE BlueKeep PoCs exist and it will be interesting to monitor this group once a PoC is published," he added.
Paul Ducklin, senior technologist at Sophos, told SC Media UK that even  though the Watchbog crew are scarily quick to adopt new exploits, anyone who patches promptly can still stay ahead. 
"Remember that for every day you don't patch against a known flaw, you've essentially turned it back into a zero-day as far as the crooks are concerned. If you still have a change control committee that talks in adopting security updates in months or weeks, rather than in days or hours, you probably need to change your change control committee!" he said.
Matt Aldridge, senior solutions architect at Webroot, told SC Media UK that this case highlights he dangers of directly presenting RDP services to the internet. 
"So many times we have seen brute force attacks being successful against this protocol and opening organisations up for rampant and repeated ransomware attacks. Such exposure should be absolutely avoided," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews