Ignore BlueKeep's Damp Squib, People Must Patch Faster

Well, BlueKeep is finally upon us. Kind of. Six months after Microsoft first revealed CVE-2019-0708, the RDP-borne toxin that promised to bring the world’s Windows 7 and Windows Server 2008 systems to their knees, a mass exploit is finally in the wild.

At the beginning of November, security researcher Kevin Beaumont, who tracks a global honeynet of RDP-exposed machines, saw vulnerable machines crashing en masse. Marcus Hutchins, the security researcher who sinkholed the WannaCry worm, analyzed the malware involved and found that it was based on an exploit module added to Rapid7’s Metasploit penetration testing framework on September 6.

Rather than the apocalyptic self-propagating malware that security researchers feared earlier this year, though, the attackers did little more than install a cryptocurrency miner on compromised machines. That was when the malware worked at all. A lot of the time, the victim’s machine simply crashed.

That’s because BlueKeep is a technically difficult vulnerability to exploit properly, which is what gave us six months until this lame malware hit the scene.

Still, just because the worst hasn’t happened yet doesn’t mean it won’t. In a blog post late last week, Microsoft warned that a worm could still be in the offing.

“The new exploit attacks show that BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check,” it warned. “Customers are encouraged to identify and update vulnerable systems immediately.”

So how have people responded to two weeks of an in-the-wild BlueKeep exploit? They don’t seem any more worried than they were before. Researchers at the SANS Institute used the Shodan search engine to track systems exposed on port 3389 – the default RDP port – that were still vulnerable over the last few months. The numbers have been gradually dropping since early September, when Rapid7 published the Metasploit exploit, but we do mean gradually, with a slight plateau in October.

Beaumont says that there are over 724,000 systems still exposed, and by his count this number hasn’t decreased significantly since July. There certainly hasn’t been the mad rush to patch systems that we might have hoped for, and according to SANS over 9% of systems with open RDP ports are still vulnerable.

“If somebody makes a reliable worm for this vulnerability – which to be clear has not happened here – expect global consequences as it will then spread inside internal networks,” Beaumont warned, arguing that when all’s said and done, it seems as though some systems are simply never patched.
