In July, we hosted a webinar talking about the top 5 cyber threats of 2019 so far. One threat that came up was BlueKeep. Our security analyst Shawn Pope briefly discussed the appearance of BlueKeep and how it’s a threat that has the potential to be as big as WannaCry. Per usual, Shawn was right. Today, BlueKeep is on the rise, making a strong appearance in organizations.
Here’s what he had to say back in July…
Shawn Pope: A few months ago, we were made aware of this BlueKeep vulnerability -- and we uncovered that this vulnerability is present in almost every current Windows operating system, excluding Windows 10. So Windows 7, Windows 2003, 2008 server—these are all vulnerable to this RDP exploit. At a recent Metasploit talk, they released what’s called a module, and in this particular case it’s an exploit module, so somebody that has Metasploit can easily leverage this module. Again, Metasploit is easy to use maliciously if you want.
So, they made this module to where you can find the vulnerable RDP system, use Metasploit, and ultimately gain a remote shell on that system. When I say shell, that means I am able to run commands on your computer as whomever. I might be a user, but I can also do privilege escalation to try and get to administrator. So, this was released last week and it's open to the world. I could see this being a big deal, and I'm talking on the scale of WannaCry.
I would, if you have RDP out there, highly recommend taking steps to mitigate this. You can disable it if it's not necessarily something you need to use, or you can patch it. Microsoft just released patches, which tells you right here how bad it is, because XP has been outdated for a while and they don't release patches for it anymore. They went back and released a patch for this because it's so severe. So you can patch it, disable it, or cut it off at the edge and shut it down, or if it does need to be used, make it where it's only coming from IPs that you know and hosts that you trust. But this is definitely something I would keep on your radar.
After this webinar, our Security Analytics Team has been keeping an eye out for BlueKeep since its release. Recently, according to our SATNews, a new cyberattack was observed that is believed to be the very first attempt to weaponize the infamous BlueKeep RDP vulnerability in the wild, mass-compromising vulnerable systems for cryptocurrency mining. BlueKeep has been a serious threat since its discovery, and Microsoft and even government agencies have continuously been encouraging Windows users and admins to apply security patches before attackers gain a foothold on their systems.
Even many security firms and individual cybersecurity researchers who successfully developed a fully working exploit for BlueKeep pledged not to release it to the public for the greater good, especially because nearly 1 million systems were found vulnerable even a month after patches were released.
Though sophisticated attackers may already have been exploiting the BlueKeep flaw to stealthily compromise targeted victims, the flaw has not yet been exploited at a larger scale, like the WannaCry or NotPetya wormable attacks. At the time of writing, it's unclear how many BlueKeep-vulnerable Windows systems have been compromised in the latest cyberattacks to deploy the Monero miner in the wild.
How to Prevent BlueKeep
- Make sure to patch and update your Windows operating systems as soon as possible.
- Disable unused RDP services
- Configure RDP properly
- Ensure you have a multi-layered security approach
- 24x7 threat monitoring. If BlueKeep is going to turn out anything like WannaCry, it’s important that your network is monitored 24x7x365.
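As an added example (not code from the original post), the PowerShell audit below checks a Windows host against the mitigations listed above: RDP disabled where it is unused, Network Level Authentication required, inbound RDP scoped to known sources, and the BlueKeep patch installed. It assumes it runs elevated; $TrustedSources and $BlueKeepKBs are placeholders to fill in for your environment, and the firewall check relies on the NetSecurity cmdlets, which exist on Windows 8 / Server 2012 and later (on Windows 7 / 2008, review the rules with netsh instead).

```powershell
# Audit one host's RDP exposure. Placeholders (assumptions, not values from the post):
$TrustedSources = @('10.0.0.0/24')   # your admin / jump-host address range
$BlueKeepKBs    = @('KB0000000')     # the BlueKeep update KB id(s) for this OS version

function Test-RdpExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"
    $findings = @()

    # 1. Is RDP enabled at all? fDenyTSConnections = 1 means connections are denied.
    $rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
    if ($rdpEnabled) { $findings += 'RDP is enabled; disable it if this host does not need it.' }

    # 2. NLA: UserAuthentication = 1 forces authentication before a session is created,
    #    which keeps unauthenticated clients away from the vulnerable code path.
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1
    if ($rdpEnabled -and -not $nla) { $findings += 'NLA is off; require Network Level Authentication.' }

    # 3. Firewall scope: enabled inbound rules on 3389 that accept any remote address
    #    expose RDP to the whole Internet instead of only trusted hosts.
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        $openRules = Get-NetFirewallRule -Enabled True -Direction Inbound |
            Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 3389 } |
            Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
        foreach ($r in $openRules) {
            $findings += "Rule '$($r.DisplayName)' allows RDP from any address; scope it to $($TrustedSources -join ', ')."
        }
    } else {
        $findings += 'NetSecurity cmdlets unavailable; check RDP firewall scope with: netsh advfirewall firewall show rule name=all'
    }

    # 4. Patch state: Get-HotFix lists installed updates by KB id.
    $installed = (Get-HotFix).HotFixID
    $missing = $BlueKeepKBs | Where-Object { $installed -notcontains $_ }
    if ($missing) { $findings += "BlueKeep patch not found: $($missing -join ', ')." }

    return $findings
}

$results = Test-RdpExposure
if ($results) { $results | ForEach-Object { Write-Warning $_ } } else { Write-Output 'No RDP exposure findings.' }
```

Run it across the fleet (for example via Invoke-Command) to find the hosts that still need patching, disabling, or firewall scoping before an exploit module reaches them.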