First BlueKeep attacks in the wild may be dark portents
Following months of warnings from law enforcement and the infosec community, the first BlueKeep exploit campaign was discovered in the wild and experts say it won't be the last.
From the moment Microsoft released a patch, there have been warnings about the potential damage BlueKeep attacks could cause in the wild, and now the first known campaign targeting the vulnerability has been detected.
Kevin Beaumont, a security researcher based in the U.K. who coined the name "BlueKeep," has been tracking the Remote Desktop Protocol (RDP) vulnerability since Microsoft disclosed and patched it in May 2019. He built a global honeypot network to detect BlueKeep attacks in the wild, and on Oct. 23 he saw the first known exploitation of the RDP flaw.
On Nov. 2, Beaumont noticed the attacks had crashed his honeypots 66 times, and he brought in Marcus Hutchins, security researcher at Los Angeles-based threat intelligence vendor Kryptos Logic, to identify the exploit.
Beaumont found the BlueKeep attacks were being used to deliver cryptominers to vulnerable systems, and he was unimpressed by the payload.
"So far the content being delivered with BlueKeep appears to be frankly a bit lame -- coin miners aren't exactly a big threat -- however it is clear people now understand how to execute attacks on random targets, and they are starting to do it," Beaumont wrote in his analysis. "This activity doesn't cause me to worry, but it does cause my spider sense to say 'this will get worse, later.'"
In the weeks following the BlueKeep patch, researchers worked on proof of concept (PoC) exploits targeting the vulnerability. Security researchers from McAfee, Zerodium and Kaspersky developed, but did not release, PoC exploits. By early June, the Metasploit penetration testing software included a BlueKeep exploit module and by the end of July, Immunity was selling a pen testing tool that included a working exploit as well.
Hutchins confirmed in a blog post that the BlueKeep exploit shared shellcode with the Metasploit exploit module.
Tod Beardsley, director of research at Rapid7, the security and data analytics firm behind Metasploit, saw this borrowing of code as a good thing.
"Generally, the defense community is usually pretty happy when unsophisticated attacks borrow code from Metasploit, since Metasploit is pretty well-known and well-studied among vendors and practitioners alike. When bad guys use Metasploit code, it tends to make things easier for defenders to detect and respond to attacks," Beardsley told SearchSecurity. "It's the novel, privately developed techniques that are harder to defend against, since there's no open reference with which to develop defenses."
After BlueKeep was first patched, it drew intense scrutiny from the infosec community because the flaw is reachable before authentication and was judged potentially wormable: an exploit could spread from one unpatched RDP host to the next without user interaction, as WannaCry did. Microsoft released two warnings urging customers to patch; the National Security Agency issued a rare alert about the vulnerability; and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) also released an alert. Despite these warnings, more than 800,000 systems were found vulnerable as of July.
The researchers found that the current BlueKeep attacks have no worm capabilities, and each offered a different theory as to why there was such a long delay between BlueKeep being disclosed and widespread attacks.
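As an added example, not code from the article or from the researchers quoted in it, the following PowerShell triage checks the conditions that make a single Windows host reachable by the attacks described above: an affected OS branch, RDP enabled and listening, and Network Level Authentication (NLA) not enforced. It assumes, from Microsoft's advisory rather than from this page, that only pre-Windows 8 / pre-Server 2012 kernels (version below 6.2) are affected and that NLA blocks the unauthenticated exploit path but is a mitigation, not a substitute for the May 2019 patch. The function name `Get-BlueKeepExposure` is hypothetical; the registry keys and WMI class are the standard Terminal Services settings.

```powershell
# Added example (not from the article): local exposure triage for CVE-2019-0708.
# Assumptions, stated in the lead-in: affected branches are NT kernel < 6.2;
# NLA mitigates the pre-auth path but does not replace the patch.
# Run from an elevated prompt on the host being checked. Written for PowerShell 2.0+
# so it also runs on the Windows 7 / Server 2008 R2 hosts that are affected.

function Get-BlueKeepExposure {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version
    # XP/2003 (5.x), Vista/2008 (6.0), 7/2008 R2 (6.1) are affected; 8/2012+ (6.2+) are not.
    $affectedBranch = $ver -lt [version]'6.2'

    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # fDenyTSConnections = 0 means Remote Desktop is enabled on this host.
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # UserAuthentication = 1 means NLA is required before the RDP session is set up.
    $ua  = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nla = ($ua -eq 1)

    # Honour a non-default listener port before checking whether anything is listening.
    $port = (Get-ItemProperty -Path $tcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }
    $listening = [bool](netstat -an | Select-String -Pattern "TCP\s+\S+:$port\s+\S+\s+LISTENING")

    if (-not $affectedBranch) {
        $verdict = 'Not an affected OS branch'
    } elseif (-not ($rdpEnabled -and $listening)) {
        $verdict = 'Affected OS but RDP not enabled/listening; patch anyway'
    } elseif ($nla) {
        $verdict = 'Affected OS; NLA blocks unauthenticated exploitation; patch anyway'
    } else {
        $verdict = 'EXPOSED: affected OS, RDP listening, NLA not required. Patch now'
    }

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = $os.Version
        AffectedBranch = $affectedBranch
        RDPEnabled     = $rdpEnabled
        RDPPort        = $port
        RDPListening   = $listening
        NLARequired    = $nla
        Verdict        = $verdict
    }
}

Get-BlueKeepExposure | Format-List
```

This check deliberately does not claim to know whether the patch itself is installed: confirm that separately against the KB list in Microsoft's advisory for CVE-2019-0708 (for example with `Get-HotFix`), because a host that reports NLA enabled is still unpatched and still exploitable by anyone holding valid credentials.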
Beardsley suggested it may have been because "it's a Windows kernel-based vulnerability, which is notorious in the exploit development community for being pretty difficult to exploit successfully."
"We often don't bother to try to implement such vulnerabilities in Metasploit, for exactly the reasons BlueKeep is demonstrating. Exploitation is difficult, even for seasoned exploit devs, and tend to be pretty unstable," Beardsley said. "It's clear that the cryptomining attacks going on now are pretty spray-and-pray -- if there's targeting involved, it wasn't working, since the exploit ended up repeatedly crashing honeypots around the world, which tells me not only are the targets not being selected for any particular reason, but also targets aren't being checked enough for exploit-suitability."
Hutchins told SearchSecurity via Twitter direct message that the actors behind these BlueKeep attacks have been scanning for vulnerable devices and are now "indiscriminately hacking every vulnerable system they can."
He added that he believes this will likely be the first of many BlueKeep attacks, because threat actors may have been holding back so as not to be the first in the wild.
"This is the first mass exploitation I'm aware of, but small-scale attacks have likely been going on since its release. I think most attackers were scared to mass exploit due to all the warnings drawing attention to BlueKeep," Hutchins said. "I think now there is a confirmation attackers are exploiting BlueKeep, it may make others more comfortable to do the same, as they wouldn't be the first and would blend in, reducing the fear of getting caught."