Earlier this week, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on the vulnerability referred to as BlueKeep.
Also known as CVE-2019-0708, BlueKeep exists within the Remote Desktop Protocol (RDP) and has been lying dormant for some time after it was initially discovered. If exploited, it could have severe consequences as “the protocol and vulnerability is identical across all vulnerable platforms,” according to Marcus Hutchins, whose actions halted the last wormable exploit. The Microsoft Windows operating systems affected include:
- Windows 2000
- Windows Vista
- Windows XP
- Windows 7
- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
- Windows Server 2008 R2
There has been some discussion about the impact of the vulnerability if it were to be widely exploited, with Errata Security’s Rob Graham saying that he was able to find “nearly one million devices on the public internet that are vulnerable to the bug” and if exploited, it “would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017.”
Speaking to Infosecurity, Chris Goettl, director of security solutions at Ivanti, said that most threat actors do not simply release something and see what happens: “they want to build a successful campaign around that,” and this requires a platform to build on. Exploits and phishing campaigns are needed, as well as an infrastructure to take orders. This takes time to set up, and Goettl made the point that despite all of the impact of WannaCry, it only made around $170,000 in total, while the operators of the SamSam ransomware made $330,000 a month.
Goettl speculated that BlueKeep “would be incredibly wasted on a ransomware campaign,” as its potential “shows that it needs to go in another direction.” One option would be to use it for cryptomining, which would be hard to detect and potentially successful given the scale of the impact.
“If they were to get that same 200,000 systems for a period of five months at the average rate that the average device produces GPU to create cryptocurrency, that type of campaign could net as much as $40m,” he said. This would require an infrastructure to distribute the malware, and Goettl said that if a threat actor were working on this they would take “days to weeks to figure out this campaign” to maximize the return on investment.
He added that security researchers have been able to develop exploits for the vulnerability, but have not disclosed them, while Metasploit has added a module and he said that if vendors have figured it out, you can be sure that the threat actors have done so as well.
“We’ve not seen anything yet, but it is a matter of getting all of the pieces in place to launch a successful campaign,” he said. “Either that, or somebody waiting for the use of it as another social disruptor; they could be waiting for circumstances to be right geopolitically.”
So is it a case of who makes the effort to exploit first? Goettl said that the Eternal exploits are still being used and infections are being reported, but as there are a million public-facing RDP systems that are vulnerable to this exploit “it is still a very exposed nerve.”
All of this may seem to be rather gloomy, but patches have been released and the remediation process may not actually be too complicated. Goettl explained that there was also additional mitigation advice released, while recommendations have been shared on how to avoid being exploited even without applying the patch.
As well as BlueKeep, Goettl also warned of the GoldBrute botnet, which is currently brute-forcing a list of about 1.5 million RDP servers exposed to the internet, according to Morphus Labs.
“Locking down something like RDP in general, not just plugging the vulnerability but turning on NLA, putting public-facing RDP services behind a VPN and making sure you’ve done those things to mitigate these risks, including using strong passwords and changing them frequently – all of these are just general security practices that any company can do to be able to mitigate the BlueKeep threat, and also be able to thwart things like GoldBrute from being successful.”
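The RDP hardening points Goettl lists (is RDP on, is NLA required, is it reachable from the public network profile) can be audited on a single Windows host with the script below. This is an added example, not code from the article or from Ivanti; it reads the standard Terminal Server registry values and firewall rules, and only changes anything if the optional -EnableNla switch is passed.

```powershell
# Added example (not from the article): audit the RDP settings Goettl mentions.
# Run in an elevated PowerShell session. Read-only unless -EnableNla is supplied.
param([switch]$EnableNla)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means remote connections are refused.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# 2. Is Network Level Authentication required? UserAuthentication = 1 means a client must
#    authenticate before a full session is set up, which is the NLA mitigation for BlueKeep.
$nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1

# 3. Which firewall profiles allow the built-in Remote Desktop rules? A rule enabled on the
#    Public (or Any) profile is the "public-facing RDP" case the article warns about.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
$publicExposed = $rdpRules | Where-Object { $_.Profile -match 'Public|Any' }

[PSCustomObject]@{
    Host                      = $env:COMPUTERNAME
    RdpEnabled                = $rdpEnabled
    NlaRequired               = $nlaRequired
    RdpAllowedOnPublicProfile = [bool]$publicExposed
}

if ($EnableNla -and $rdpEnabled -and -not $nlaRequired) {
    # Remediation: require NLA via the TerminalServices WMI provider (the same setting the
    # System Properties > Remote dialog changes). NLA reduces exposure but does not replace
    # the CVE-2019-0708 patch, which must still be applied.
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    Write-Host 'NLA is now required for RDP-Tcp.'
}
```

Run it across a fleet (for example with Invoke-Command) and any host reporting RdpEnabled true with NlaRequired false or RdpAllowedOnPublicProfile true is the one to fix first.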
Goettl said that companies often struggle to do these things as the process of adding a VPN can require time and training, while patching is the process that companies still find challenging.
In conclusion, Infosecurity asked Goettl whether, with this level of preparation, we are on top of any potential damage that BlueKeep could cause. He said that we’re better educated this time around, but there are still too many people who are not taking it seriously enough.
“We were just getting to a point where a lot of companies were starting to rein in and make some headway on vulnerability management, and now with the shift to DevOps and the shift in general, we have to retrain ourselves,” he said. “We still have to double down on getting things rolled out faster, plugging the critical vulnerabilities sooner.”