When Microsoft issued the first patch in years for Windows XP in May 2019, you knew that something big was brewing. That something was a wormable Windows vulnerability that security experts warned could have a similar impact as the WannaCry worm from 2017. The BlueKeep vulnerability exists in unpatched versions of Windows Server 2003, Windows XP, Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2: and it’s now been confirmed that a BlueKeep exploit attack is currently ongoing.
A little bit of BlueKeep history
Microsoft twice warned users to update vulnerable Windows systems, first on May 14, and then again with even more urgency on May 30. Those warnings appeared to go unheeded in enough numbers to warrant an escalation on the update alerts. On June 4, the National Security Agency (NSA) took the unusual step of publishing an advisory urging Microsoft Windows administrators to update their operating system or risk a “devastating” and “wide-ranging impact” in the face of a growing threat. This warning was given even more gravitas on June 17 when the U.S. Government, via the Cybersecurity and Infrastructure Security Agency (CISA), issued an “update now” activity alert. At much the same time, security researchers were predicting that a “devastating” BlueKeep exploit was only weeks away.
The Windows BlueKeep exploit attack
Security researchers, including Kevin Beaumont who originally named the vulnerability and Marcus Hutchins (also known as MalwareTech) who was responsible for hitting the kill switch that stopped the WannaCry, have confirmed that a widespread BlueKeep exploit attack is now currently underway. Hutchins told Wired that “BlueKeep has been out there for a while now. But this is the first instance where I’ve seen it being used on a mass scale.”
It would appear that rather than a wormable threat, where the BlueKeep exploit could spread itself from one machine to another, the attackers are searching for vulnerable unpatched Windows systems that have Remote Desktop Services (RDP) 3389 ports exposed to the internet. This dampens the panic that there could be another WannaCry about to happen, although the potential for such a scenario, albeit on a much smaller scale, certainly remains. For now though, this looks like being an attack campaign with a cryptocurrency miner payload.
BlueKeep exploit attack mitigation
While there is always the possibility that the threat actors behind this attack could drop more malicious payloads than a crypto-miner, for now, this acts as yet another warning for users of the 700,000 or so still vulnerable Windows systems to get patching. Cryptocurrency miners are resource hogs at best, and a roadmap that further malware installations could follow. In the case of this attack, though, there’s another problem to be aware of: the exploit code isn’t all that. It would appear that the attackers are using the demo exploit code released by the Metasploit team at Rapid7 in September 2019, but without enough coding skills to get this to work without it causing a Blue Screen of Death (BSOD) error.
Seriously folks, if you are using one of the vulnerable versions of Windows, then what more is it going to take to get you to apply the update that fixes the BlueKeep vulnerability? I’d have thought that a wormable exploit, even if it hasn’t been “wormed” on this occasion, that vampires your system resources or crashed your machine was warning enough. But, hey, what do I know?