
The BlueKeep Saga

When news broke about the Spectre and Meltdown vulnerabilities at the start of 2018, a lot of fuss was made about how dangerous these vulnerabilities could be if exploited correctly. The fuss may have been justified, as it may have provoked people to update their systems when patches were released. Even if you are not Nostradamus, you could predict that a similar vulnerability would grab headlines for the danger it posed. That vulnerability did arrive in May of this year: CVE-2019-0708, named BlueKeep. The jury is still out on whether it needed the attention given to it and whether it posed the danger, namely being wormable, as advertised. Microsoft is still warning users that the threat is real and can be leveraged in dangerous attacks.

The latest warning by the Redmond tech giant comes as security researchers Kevin Beaumont and Marcus Hutchins discovered that BlueKeep was being used in the wild to distribute malware. The vulnerability itself was classified as an unauthenticated remote code execution vulnerability in Remote Desktop Services on Windows 7, Windows Server 2008, and Windows Server 2008 R2. Microsoft released a patch on May 14, and IT departments and admins are advised to ensure that the patch has been installed. What the researchers discovered was that hackers were attempting to use the vulnerability to gain access to vulnerable systems and install a coin miner, a piece of malware designed to use a machine's CPU to mine cryptocurrency.


The discovery was made in October, and researchers noted that the same command and control server used in the attack had been seen in an attack in September, also distributing a coin miner. Researchers also noted that attempts to exploit BlueKeep often result in system crashes, with the end-user being presented with the fabled blue screen of death, one of the reasons the vulnerability was named BlueKeep. The attackers in this instance have not overcome the likelihood of a crash; however, when the target system did not crash, the coin miner was installed. Microsoft detected coin miner infections on machines mainly in France, Russia, Italy, Spain, Ukraine, Germany, and the United Kingdom. Once the attackers found a vulnerable machine, they attempted to use BlueKeep to gain access to it. Once access was gained, the exploit ran a script via PowerShell, which in turn downloaded and executed several other PowerShell scripts.
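The two behaviours described above, exploit attempts that crash the host and a successful attempt followed by PowerShell downloading further scripts, are both visible in host telemetry. The following is an added example from the editor, not code from the article or from Microsoft: a small correlation routine over constructed Windows event records (function and host names are hypothetical) that flags a crash or a PowerShell download occurring shortly after an inbound RDP connection on the same host.

```python
from datetime import datetime, timedelta

# Constructed sample records (timestamp, host, event_id, detail); not real telemetry.
# Event IDs used: 1149 = inbound RDP connection (TerminalServices-RemoteConnectionManager),
# 1001 = BugCheck, 41 = Kernel-Power unexpected reboot, 4104 = PowerShell script block logging.
SAMPLE_EVENTS = [
    ("2019-10-23 02:14:05", "srv01", 1149, "rdp connection from 198.51.100.7"),
    ("2019-10-23 02:14:21", "srv01", 1001, "BugCheck 0x3B"),                     # crash right after RDP
    ("2019-10-23 02:30:10", "srv01", 1149, "rdp connection from 198.51.100.7"),
    ("2019-10-23 02:31:02", "srv01", 4104, "powershell DownloadString http://example.invalid/a.ps1"),
    ("2019-10-23 09:00:00", "ws22", 1149, "rdp connection from 10.0.0.15"),
    ("2019-10-23 17:45:00", "ws22", 41, "Kernel-Power unexpected shutdown"),   # hours later: not correlated
]

CRASH_IDS = {1001, 41}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def triage(events, window=timedelta(minutes=5)):
    """Return {host: [(finding, iso_time), ...]} for crashes or PowerShell
    downloads that occur within `window` after an inbound RDP connection."""
    findings = {}
    by_host = {}
    for ts, host, eid, detail in sorted(events):
        by_host.setdefault(host, []).append((_ts(ts), eid, detail))
    for host, evs in by_host.items():
        rdp_times = [t for t, eid, _ in evs if eid == 1149]
        for t, eid, detail in evs:
            # Only events that follow an RDP connection within the window are interesting.
            if not any(timedelta(0) <= t - r <= window for r in rdp_times):
                continue
            if eid in CRASH_IDS:
                findings.setdefault(host, []).append(("crash-after-rdp", t.isoformat()))
            elif eid == 4104 and any(m in detail.lower() for m in DOWNLOAD_MARKERS):
                findings.setdefault(host, []).append(("ps-download-after-rdp", t.isoformat()))
    return findings


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, hits)
```

A crash-after-RDP hit on a Windows 7 or Server 2008 host is a reason to check that the May 14 patch is installed before assuming a hardware fault.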

Microsoft warns that further, more serious, attacks leveraging BlueKeep are a distinct possibility stating that,

“Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks. In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners…The new exploit attacks show that BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check. Customers are encouraged to identify and update vulnerable systems immediately. Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.”

Initially Wormable

When details of the vulnerability were released, Microsoft warned that BlueKeep could be exploited in such a way that it could spread from one vulnerable machine to another across a network. This lateral movement occurred during the WannaCry outbreak, which made international headlines in 2017. This ability of certain malware strains to spread laterally is often described as being “wormable”. A worm is often defined as a piece of malware that spreads by replicating itself across other machines. The replication happens without human intervention and is a feature of the malware. It is believed that the only requirement for BlueKeep to spread in this way is that another computer on the same network has not had the vulnerability patched.

Microsoft again warned on May 30 that the vulnerability could be exploited by wormable malware. This time it was noted that nearly a million computers were vulnerable to BlueKeep and had not been patched, despite the patch being released earlier that month. It was noted that many of those vulnerable machines were connected to corporate networks. To date, there have been no wormable attacks exploiting BlueKeep, but Microsoft still warns, for a third time, that other RDP attacks are possible, with researchers stating,

“Customers are encouraged to identify and update vulnerable systems immediately. Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.”

Whether or not BlueKeep is ever proved to be wormable is no reason not to patch vulnerable systems. The reality is that a coin miner leveraging the vulnerability has been seen distributed in the wild. While it is not yet able to spread laterally across the network, it may in the future. Regardless, RDP attacks are nothing to scoff at, as they often do not require end-user interaction: they need only exploit a vulnerability to gain initial access to a vulnerable computer, after which malicious code can be executed at will. In the future, it may not be coin miners but banking trojans or ransomware being distributed.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience working in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
