Multiple researchers created proof-of-concept exploits, including remote code execution attacks, targeting the recently patched Windows Remote Desktop flaw called BlueKeep.
Microsoft patched a critical Windows Remote Desktop vulnerability last week and the risks of attacks in the wild have since grown as multiple researchers have created proof-of-concept exploits.
The Windows RDP flaw, dubbed “BlueKeep” by British security researcher Kevin Beaumont, gained notoriety because when Microsoft patched it, Simon Pope, Microsoft Security Response Center director of incident response, wrote in an advisory that malware exploiting the vulnerability could spread in the same worm-like fashion as WannaCry because an exploit would require no user interaction. Microsoft even took the rare step — as it did with WannaCry — to release patches for otherwise unsupported Windows XP and Server 2003 systems.
Since the BlueKeep patch was released on May 14, Beaumont has tracked the progress of security researchers. Although fake proof-of-concept (PoC) exploits were uploaded to GitHub almost instantly, it wasn’t until the 19th that working denial-of-service exploits were created by McAfee and Zerodium, followed by Kaspersky Labs researcher Boris Larkin on the 20th.
On May 21, McAfee researchers described a BlueKeep PoC exploit they created that is capable of remote code execution (RCE), but did not release the code, out of concern that doing so would “not be responsible and may further the interests of malicious adversaries.”
“With our investigation we can confirm that the exploit is working and that it is possible to remotely execute code on a vulnerable system without authentication. Network Level Authentication should be effective to stop this exploit if enabled; however, if an attacker has credentials, they will bypass this step,” McAfee researchers wrote in a blog post. “We are urging those with unpatched and affected systems to apply the patch for CVE-2019-0708 as soon as possible. It is extremely likely malicious actors have weaponized this bug and exploitation attempts will likely be observed in the wild in the very near future.”
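The McAfee post above points to Network Level Authentication as the setting that blocks unauthenticated exploitation. The following PowerShell script is an added example, not code from the article, McAfee or Microsoft; it reads the Windows registry values that control whether Remote Desktop is enabled and whether NLA is required, and reports whether a given update is installed. It assumes it is run locally with administrative rights, and the KB identifier of the CVE-2019-0708 update is left as a placeholder because this page does not state it.

```powershell
# Added example (not from the article, McAfee or Microsoft): report a host's RDP
# exposure and NLA state, the mitigation McAfee's post describes.
# Assumptions: run locally as an administrator; $PatchKb is the KB number of the
# CVE-2019-0708 update for this OS build, supplied by the caller (placeholder here).
param(
    [string]$PatchKb = 'KB-PLACEHOLDER'   # replace with the KB number for your build
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is disabled; a missing value is
# treated as disabled, since the host is then not listening for RDP sessions.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
            -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# UserAuthentication = 1 means Network Level Authentication is required before a
# session is established, the condition under which McAfee expects the exploit to fail.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
            -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# Get-HotFix lists installed updates; only queried once a real KB id is supplied.
$patched = $false
if ($PatchKb -ne 'KB-PLACEHOLDER') {
    $patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
}

# Rank the findings from least to most urgent for a defender.
if (-not $rdpEnabled)  { $finding = 'RDP disabled on this host' }
elseif ($patched)      { $finding = 'update installed' }
elseif ($nlaRequired)  { $finding = 'update not found; NLA limits unauthenticated exploitation, patch anyway' }
else                   { $finding = 'update not found and NLA off: patch or disable RDP now' }

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    RdpEnabled   = $rdpEnabled
    NlaRequired  = $nlaRequired
    PatchFound   = $patched
    Finding      = $finding
}
```

Run it across a fleet with `Invoke-Command` to get one object per host; as McAfee notes, NLA only raises the bar for an attacker without credentials, so the patch remains the fix.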
Beaumont said on Twitter that McAfee, Zerodium and Qihoo 360 all have RCE BlueKeep PoC exploits — though they have only been demoed and no PoC code has been released — but he noted that Qihoo 360 security researcher Zheng Wenbin, known as MJ0011, was a step ahead because that RCE exploit could run on Windows 7. Earlier today, Wenbin showed off a stable RCE demo running on Windows 7 x64.
As yet, no BlueKeep attacks have been seen in the wild, but researchers at Proofpoint have seen low levels of scanning activity looking for vulnerable systems.
“We have started to observe BlueKeep CVE-2019-0708 scanning activity, likely due to the public release of a scanner and/or Qihoo360’s CERT tool going live. Beginning (roughly) around May 22nd, 2 pm UTC-7. Nothing to be majorly concerned about right now, the volume is incredibly low,” Proofpoint researcher sudosev tweeted. “Since volume is so low, I wouldn’t be surprised if this is scanner testing as opposed to somebody genuinely mass hunting for vulnerable servers, don’t get into a panic over this.”