Microsoft has urged IT teams to act fast to secure critical Windows systems against the BlueKeep unauthenticated remote code vulnerability.
This comes after security researcher Kevin Beaumont observed a honeypot experiencing crashes caused by a BlueKeep exploit module for the Metasploit penetration testing framework on 2 November 2019, suggesting the vulnerability is now being exploited in the wild.
BlueKeep, which is also known as CVE-2019-0708 and has been described as potentially as serious a vulnerability as WannaCry, affects remote desktop services on Windows 7, Windows Server 2008, and Windows Server 2008 R2.
Successfully exploited, it allows attackers to run code that lets them accomplish several goals, including installing their own software and creating user accounts with full admin rights. A patch has been available since the May 2019 Patch Tuesday, but, predictably, hundreds of thousands of systems remain unpatched.
Microsoft said its researchers saw an increase in crashes related to remote desktop protocol (RDP), likely linked to use of the unstable BlueKeep Metasploit module, as early as 6 September, when the module was released, and an increase in memory corruption crashes starting on 9 October.
It pointed out that it had already deployed a behavioural detection for the BlueKeep Metasploit module, so users of its Defender ATP product should have been protected from it by the time Beaumont observed it attacking his honeypot network. However, this does not mean the threat has passed.
“Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks,” said Microsoft’s Defender ATP research team in a blog post highlighting the developing situation around BlueKeep.
“In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.”
This refers to a coin-mining campaign that Microsoft spotted in September and that contacted the same command-and-control infrastructure used during the October BlueKeep Metasploit campaign. In cases where the exploit did not crash the system, it was observed installing a coin miner. The September attacks were likely initiated as port scans for machines with vulnerable, internet-facing RDP services, said Microsoft.
Once a target was found, the attackers used the BlueKeep Metasploit module to run a series of PowerShell scripts that ultimately led to the coin miner download. The payloads were seen mostly in France and Russia, but also in the UK, which is where the attacker-controlled server that hosted them appears to be located.
“BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check,” said Microsoft.
“Customers are encouraged to identify and update vulnerable systems immediately. Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third parties to occasionally manage customer systems.
“Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.”
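The advice above amounts to a checklist for each Windows host: is it one of the affected releases, is Remote Desktop switched on, is the May 2019 update installed, and has it been crashing in the way the unstable Metasploit module tends to cause. The script below is an added example written for this page, not code from Microsoft or from the article's sources. It runs in an elevated Windows PowerShell session on the host being inspected and reads the standard Remote Desktop registry values and the System event log. The KB identifiers in `$PatchKBs` are placeholders that must be replaced with the update numbers for your OS from Microsoft's advisory for CVE-2019-0708, and the 30-day crash window is an arbitrary choice.

```powershell
# Added example: BlueKeep (CVE-2019-0708) exposure check for one Windows host.
# Not Microsoft's code. Run in an elevated Windows PowerShell session on the host.
# ASSUMPTION: placeholder KB numbers; replace with the May 2019 update IDs for your OS.
$PatchKBs = @('KB-PLACEHOLDER-MONTHLY-ROLLUP', 'KB-PLACEHOLDER-SECURITY-ONLY')

function Get-BlueKeepExposure {
    $os     = Get-WmiObject -Class Win32_OperatingSystem
    $tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'

    # Windows 7 and Server 2008 R2 report version 6.1.x; Server 2008 reports 6.0.x.
    $affectedFamily = [bool]($os.Version -match '^6\.(0|1)\.')

    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $denyTS = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections `
               -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($denyTS -eq 0)

    # UserAuthentication = 1 means Network Level Authentication is required, so a
    # client must authenticate before the vulnerable pre-auth code path is reached.
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication `
             -ErrorAction SilentlyContinue).UserAuthentication
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber `
             -ErrorAction SilentlyContinue).PortNumber

    # Patch check: any one of the listed updates being present is enough.
    $patched = $false
    foreach ($kb in $PatchKBs) {
        if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { $patched = $true }
    }

    # Bugchecks (Event ID 1001) and unexpected reboots (Kernel-Power 41) in the last
    # 30 days. A burst of these on an exposed host fits the crash pattern the article
    # attributes to the public Metasploit module and warrants closer inspection.
    $since   = (Get-Date).AddDays(-30)
    $crashes = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
        Id = 1001; StartTime = $since } -ErrorAction SilentlyContinue)
    $reboots = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power'
        Id = 41; StartTime = $since } -ErrorAction SilentlyContinue)

    $vulnerable = $affectedFamily -and $rdpEnabled -and (-not $patched)

    $recommendation = 'No action: not an affected release, RDP disabled, or already patched.'
    if ($vulnerable) {
        $recommendation = 'Install the May 2019 security update now. Until then, require ' +
            'NLA on RDP-Tcp and remove the RDP port from internet exposure.'
    }

    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0 (Windows 7 default).
    New-Object PSObject -Property @{
        Computer             = $env:COMPUTERNAME
        OS                   = $os.Caption
        Version              = $os.Version
        AffectedFamily       = $affectedFamily
        RdpEnabled           = $rdpEnabled
        RdpPort              = $port
        NlaRequired          = ($nla -eq 1)
        PatchInstalled       = $patched
        BugChecks30d         = $crashes.Count
        UnexpectedReboots30d = $reboots.Count
        Vulnerable           = $vulnerable
        Recommendation       = $recommendation
    }
}

# Usage: inspect the local host.
Get-BlueKeepExposure | Format-List
```

The function deliberately reports each factor separately rather than only a yes/no verdict, because the article's point is that exposure depends on all of them at once: an unpatched Windows 7 machine with RDP disabled is not reachable, while a patched one with NLA off still deserves attention as an unmonitored appliance. For a fleet, the same function can be pushed to remote hosts with `Invoke-Command` and the objects collected into a single table.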