Microsoft warns that BlueKeep attacks could become more serious

Microsoft warns of BlueKeep attacks
Written by Valdis Koks

As it became known last week, the attackers began to exploit the BlueKeep vulnerability and now Microsoft warns that the BlueKeep attacks could become more serious.

While the bug is only used to spread the cryptocurrency miner, criminals do not use the full potential of the vulnerability that allows creating self-propagating malware, which in theory can lead to an epidemic, as was in the case with WannaCry and NotPetya.

However, Microsoft experts believe that more destructive attacks using BlueKeep await us in the future, and it’s too early to relax. The fact is that, according to BinaryEdge, the network still has more than 700,000 vulnerable Windows-systems (not counting those that are located inside private networks, behind firewalls), so by far not all useds installed patches.

“Although at the time of writing this article, there were no other attacks related to ransomware and other malware, BlueKeep’s operation will likely deliver other payloads that are more efficient and destructive than miners. BlueKeep can be operated without leaving obvious traces, and users should carefully check systems that may already be infected or compromised”, – warn experts in the company’s official blog, once again reminding users of the need to urgently install updates.

Recall the critical vulnerability CVE-2019-0708 (aka BlueKeep), associated with the operation of Remote Desktop Services (RDS) and RDP, was fixed by Microsoft in May this year. With this bug, attackers can execute arbitrary code without authorization and spread their malware like a worm. The issue is dangerous for Windows Server 2008, Windows 7, Windows 2003, and Windows XP, for which, due to the severity of the problem, security updates have been released.

Earlier, Microsoft experts warned about the danger of BlueKeep twice, and along with them the NSA, the US Department of Homeland Security, the Australian Cybersecurity Center, the UK National Cybersecurity Center and many others drew the attention of the NSA.

Specialists of several information security companies (including Zerodium, McAfee and Check Point), as well as independent researchers, developed their own proof of concept exploits for the vulnerability. However, these exploits were not published in the public domain because of too high risk of attack.

Read also: Windows 10 Update Disables Microsoft Defender

The situation changed in September this year, when the developers of Metasploit published a demo exploit for BlueKeep in open access. Now attackers adopted their decision.

However, so far, as the information security experts predicted, hackers have not been especially efficient: it is difficult to force an exploit to work as it should, without causing BSOD to occur.

About the author

Valdis Koks

Security engineer, reverse engineering and memory forensics

Leave a Comment