Following reports of the first attacks for the BlueKeep RDP flaw affecting Windows PCs, Microsoft has issued an alert for admins to patch all Remote Desktop Protocol (RDP) services immediately.
Last week UK researchers Kevin Beaumont and Marcus Hutchins detailed new BlueKeep attacks designed to install cryptominers on compromised machines. A honeypot Beaumont created to detect BlueKeep exploitation showed that multiple machines in it began crashing and rebooting in late October.
The good news was that it wasn’t being used to spread ransomware via a WannaCry-like worm, which Microsoft initially warned could happen if someone figured out a reliable exploit for BlueKeep. The bad news is that attackers could finally be figuring out how it can be used to create maximum damage.
Microsoft last week detailed how it began working with the UK-based researchers after their report on new exploitation of BlueKeep, which is tracked as CVE-2019-0708. Microsoft issued a fix for the bug on May 14.
The attacks observed in late October used an exploit released by the Metasploit penetration testing project in September, following earlier warnings about the flaw from intelligence agencies in the UK, Australia, and the US.
But a notable aspect of the attacks Beaumont’s honeypot found was that the malware was not a self-propagating worm, reducing its immediate threat compared to WannaCry.
In this case, Microsoft said its intelligence gathering found that current BlueKeep exploit attempts “involved human operators aiming to penetrate networks via exposed RDP services”, likely relying on manual port scans to find vulnerable machines with RDP services exposed on the internet.
In other words, the exploit still lacked the automation that made WannaCry’s exploitation of the file-sharing SMB protocol so dangerous. Plus, the exploit still frequently caused Blue Screen of Death (BSOD) error messages and crashes, making it an unstable exploit.
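The crash symptom described above is something a defender can key on. As an added example (not part of the original article, and not code from Beaumont's honeypot), the following Python script correlates an inbound RDP network connection with an unexpected shutdown on the same host shortly afterwards, which is what an unstable BlueKeep attempt looks like in the event log. The pipe-delimited layout and the sample records are constructed for this example; the event IDs it keys on (1149 for an inbound RDP network connection, 6008 for an unexpected shutdown, 1001 for a bugcheck reboot, 4624 logon type 10 for a successful RDP logon) are the standard Windows ones, but real telemetry would first have to be exported into this layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs this example keys on (assumed to be exported from the Windows
# event logs into the simple pipe-delimited layout used below).
RDP_CONNECTION_ID = 1149  # TerminalServices-RemoteConnectionManager: inbound RDP network connection
CRASH_IDS = {6008, 1001}  # EventLog: unexpected shutdown; BugCheck: rebooted from a bugcheck
WINDOW = timedelta(minutes=10)  # how soon after an RDP connection a crash is treated as related

# Constructed sample records, not real telemetry.
# Layout: timestamp|host|provider|event_id|detail
SAMPLE_EVENTS = """\
2019-10-23T02:14:05|srv01|Microsoft-Windows-TerminalServices-RemoteConnectionManager|1149|source=203.0.113.7
2019-10-23T02:16:10|srv01|EventLog|6008|The previous system shutdown was unexpected
2019-10-23T02:16:11|srv01|BugCheck|1001|The computer has rebooted from a bugcheck
2019-10-23T09:30:00|srv02|Microsoft-Windows-TerminalServices-RemoteConnectionManager|1149|source=198.51.100.9
2019-10-23T09:30:04|srv02|Security|4624|LogonType=10
2019-10-24T01:00:00|srv03|EventLog|6008|The previous system shutdown was unexpected
2019-10-24T03:00:00|srv04|Microsoft-Windows-TerminalServices-RemoteConnectionManager|1149|source=192.0.2.55
2019-10-24T03:30:00|srv04|EventLog|6008|The previous system shutdown was unexpected
"""


def parse_events(text):
    """Parse pipe-delimited records into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, provider, event_id, detail = line.split("|", 4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "provider": provider,
            "event_id": int(event_id),
            "detail": detail,
        })
    return sorted(events, key=lambda e: e["time"])


def source_ip(detail):
    """Pull the 'source=' value out of a detail string, if present."""
    for part in detail.split(";"):
        key, _, value = part.partition("=")
        if key.strip() == "source":
            return value.strip()
    return None


def find_crash_after_rdp(events, window=WINDOW):
    """Return one finding per host crash that followed an inbound RDP connection within `window`."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = []
    for host, host_events in by_host.items():
        pending = []  # recent inbound RDP connections not yet explained by a crash
        for e in host_events:
            if e["event_id"] == RDP_CONNECTION_ID:
                pending.append(e)
                continue
            if e["event_id"] not in CRASH_IDS:
                continue
            # Drop connections that are older than the window.
            pending = [p for p in pending if e["time"] - p["time"] <= window]
            if pending:
                rdp = pending[0]  # earliest connection still inside the window
                findings.append({
                    "host": host,
                    "source_ip": source_ip(rdp["detail"]),
                    "rdp_time": rdp["time"],
                    "crash_time": e["time"],
                    "crash_event_id": e["event_id"],
                })
            # A reboot ends the session either way; 6008 and 1001 describe the same crash.
            pending = []
    return findings


def crash_counts(events):
    """Count unexpected-shutdown events per host (the fleet-wide symptom the honeypot showed)."""
    counts = defaultdict(int)
    for e in events:
        if e["event_id"] == 6008:
            counts[e["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in find_crash_after_rdp(evs):
        print(f"{f['host']}: RDP from {f['source_ip']} at {f['rdp_time']:%H:%M:%S}, "
              f"crash at {f['crash_time']:%H:%M:%S} (event {f['crash_event_id']})")
    print("unexpected shutdowns per host:", crash_counts(evs))
```

The heuristic is deliberately narrow: a crash with no preceding RDP connection (srv03) or one outside the window (srv04) is not flagged, and a connection that ends in a normal logon (srv02) is ignored. That is the trade-off between catching the BSODs an unstable exploit leaves behind and drowning in unrelated reboots; the per-host crash count is the coarser signal to watch across a fleet.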
According to Microsoft, the main countries where this attack loaded its coin miner were France, Russia, Italy, Spain, Ukraine, Germany, and the United Kingdom, which together represented 71% of all known cases. The remaining 29% occurred in other countries. The only country in Beaumont's honeypot that didn't experience a crash in October was Australia.
Hutchins also pointed out a key difference between BlueKeep and WannaCry that makes the former still a significant threat, even if the attack isn’t currently a worm.
WannaCry could overwhelm a network by the attacker just scanning the internet for vulnerable servers and, if the attacker found a network that had SMB exposed to the internet, it was very likely every device on that network was also vulnerable.
“BlueKeep is different," Hutchins wrote in a Twitter thread on Friday. "Not only is the number of externally facing vulnerable machines low enough to infect with a couple servers. But also, RDP is only enabled by default on Windows Server operating systems.”
“Because Windows clients don't expose RDP by default, unlike SMB, a BlueKeep worm wouldn't be able to pivot to systems within a network like WannaCry did. Furthermore, I'd guess it's fairly likely that if one of the network's RDP servers is exposed to the internet, the[y] all are.”
The point is that Windows PCs treat RDP differently to SMB, and a BlueKeep worm would attract attention since it causes BSOD crashes. A BlueKeep worm would also require customization for each affected version of Windows, because the exploit must account for the particularities of the bug and the protocol on each version.
But BlueKeep is potentially still a valuable attack tool. Windows Server devices that are vulnerable to BlueKeep have special privileges on the network and often share the same local admin credentials with the rest of the network, he explains.
So a worm may not quickly overtake a network of vulnerable machines, but attackers have now learned that Windows Server devices are more likely to be vulnerable to BlueKeep, and that they are valuable because they are privileged servers that can be used to spread malware, such as coinminers or ransomware, to other devices on the same network using standard hacking tools.
“By compromising a network server, it is almost always extremely easy to use automated tooling to pivot internally (Ex: have the server drop ransomware to every system on the network),” he wrote.
“The real risk with BlueKeep is not a worm. A worm is pointless and noisy. Once an attacker is on the network, they can do far more damage with standard automated tools than they could ever do with BlueKeep.”
Jessica Payne, a Microsoft security researcher with Windows Defender Security Research, appeared to agree with Hutchins’ conclusions, warning that attackers may use the BlueKeep exploit to replace password-guessing or ‘brute force’ attacks on RDP services.
“While BlueKeep absolutely can be used for lateral movement, it’s very likely to be used to replace RDP brute force in attacker arsenals. One unpatched forgotten system with Domain Admin service account or matching Local Admin passwords quickly leading to a Samas/LockerGoGa event,” she wrote.
The security researcher @zerosum0x0 who developed the BlueKeep exploit that was integrated into Metasploit has also detailed why his exploit code was causing crashes.
He explained in a blog post that he developed his BlueKeep exploits on lab machines that lacked Microsoft’s patch for Meltdown, one of the CPU attacks that exploit the speculative execution techniques used in most modern CPUs to improve performance. The Spectre and Meltdown CPU attacks were announced in January 2018.
Microsoft developed Kernel Virtual Address (KVA) Shadow as its answer to Meltdown; the equivalent mitigation on Linux systems is known as Kernel Page-Table Isolation (KPTI).
Microsoft’s KVA Shadow broke a technique used in @zerosum0x0’s BlueKeep attack, which caused the BSODs on machines in Beaumont’s honeynet.
@zerosum0x0, Sean Dillon, a security researcher at RiskSense, has now developed a fix for the issue in his exploit that was causing the BSOD problem.
Dillon told ZDNet that a forthcoming update to the BlueKeep Metasploit exploit “will support kernels patched for Meltdown and does not even need a KVA Shadow mitigation bypass.”
The bad news is that attackers should soon have a method of exploiting BlueKeep without triggering a BSOD, plus the added advantage of understanding BlueKeep's strengths and limitations beyond the fact that it is a wormable bug.