Microsoft Issues Fresh BlueKeep Alert: Public Exploits Exist and Attacks Are Expected

Microsoft has issued another warning regarding the BlueKeep vulnerability in Remote Desktop Services (CVE-2019-0708) after proof-of-concept exploits for the vulnerability were published online.

Microsoft issued fixes for the vulnerability on May 14, 2019. Patches were also made available for unsupported versions of Windows.

The critical vulnerability can be exploited remotely over Remote Desktop Protocol (RDP) with no user interaction. Identifying unpatched devices is not difficult. Robert Graham of Errata Security scanned the internet and found nearly 1 million devices that had not been patched or protected by Microsoft's proposed mitigations. Graham is not the only one scanning for unpatched devices. Scanning activity has increased recently, which seems to indicate that cybercriminals are preparing for attacks.

Issuing a fresh warning is an unusual move for Microsoft, which fulfilled its responsibilities when it released the patches. The decision to issue another warning was driven by the increasing risk of exploitation. A number of security companies claim to have developed working exploits for the vulnerability, and proof-of-concept exploit code has been found online. Microsoft is confident that viable exploits for the vulnerability exist.

A number of people have shared fake proof-of-concept code for the vulnerability online, but security researcher Chase Dardaman tested one public denial-of-service PoC for BlueKeep and confirmed it was genuine.

The fix was released two weeks ago and no worm has been reported yet. That does not mean the danger has passed. Before the WannaCry attacks, the MS17-010 patch had been available for two months when the attacks using the EternalBlue exploit began, and many organizations had still not applied it. Two years later, WannaCry ransomware attacks are still occurring. A recent report states that 40% of healthcare companies were attacked with WannaCry over the last 6 months, and there is no sign that the attacks will stop.

The BlueKeep vulnerability does not affect Windows 8 or Windows 10, but it does affect older Windows versions, including Windows XP, Windows Server 2003, Windows 7 and Windows Server 2008. Many businesses have upgraded to newer Windows versions, but many healthcare organizations still run legacy Windows operating systems on some devices.

Microsoft continues to strongly advise updating all affected systems as soon as possible. A single vulnerable computer connected to the internet could serve as a gateway into a corporate network, spreading advanced malware and infecting computers throughout the organization.
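The advice above (patch affected systems, and apply Microsoft's mitigations where patching is delayed) is easier to act on with an inventory check. The following PowerShell script is an added example, not code from the article or from Microsoft; it reports, for the host it runs on, whether the OS is one of the affected versions named in the article, whether Remote Desktop is enabled, whether Network Level Authentication (NLA) is required, and whether a given update is installed. The registry locations are the standard Terminal Services settings; the `$PatchKB` value is a placeholder to be replaced with the KB number from Microsoft's advisory for the specific OS build.

```powershell
# Added example: local BlueKeep (CVE-2019-0708) exposure check for a Windows host.
# Not from the article. $PatchKB is a PLACEHOLDER; take the real KB id from Microsoft's advisory.
param(
    [string]$PatchKB = 'KB0000000'   # placeholder, replace before use
)

function Get-BlueKeepExposure {
    param([string]$PatchKB)

    # Get-WmiObject is used rather than Get-CimInstance so the script also runs on
    # legacy hosts with PowerShell 2.0 (Windows 7 / Server 2008), which are the systems at risk.
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # NT version 5.x = XP / Server 2003, 6.0 = Vista / Server 2008, 6.1 = Windows 7 / Server 2008 R2.
    # Windows 8 (6.2 and later) and Windows 10 are not affected, per the article.
    $parts = $os.Version -split '\.'
    $major = [int]$parts[0]
    $minor = [int]$parts[1]
    $affectedVersion = ($major -lt 6) -or ($major -eq 6 -and $minor -le 1)

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # UserAuthentication = 1 means NLA is required before a session is created.
    # NLA is a mitigation that reduces exposure to unauthenticated attackers; it is not a substitute for the patch.
    $rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nlaRequired = ($nla -eq 1)

    # Get-HotFix returns nothing when the update is not present.
    $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        OSVersion       = $os.Version
        AffectedVersion = $affectedVersion
        RdpEnabled      = $rdpEnabled
        NlaRequired     = $nlaRequired
        PatchInstalled  = $patched
        # Exposed: affected OS with RDP enabled and the patch missing. NLA is reported
        # separately because it only narrows the attack surface; the patch removes it.
        Exposed         = ($affectedVersion -and $rdpEnabled -and -not $patched)
    }
}

Get-BlueKeepExposure -PatchKB $PatchKB | Format-List
```

Run it from an elevated prompt on each legacy host, or wrap the function call in `Invoke-Command` to collect results across a domain. A host reporting `Exposed : True` with `NlaRequired : False` is the case the article describes: an unpatched, unmitigated RDP listener, and the one to prioritise.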

The NSA, through its Central Security Service division, has also warned of the risk of another global malware attack similar to WannaCry, which used the EternalBlue exploit developed by the NSA.