Exploiting the BlueKeep Windows bug in the worm state released in nature




Aurich Lawson

For months, security professionals have been worried about the release of attack code exploiting BlueKeep, the critical vulnerability in older versions of Microsoft Windows that is wormable, meaning an attack can spread from one computer to another without user interaction. On Friday, that dreaded day came when the Metasploit framework – an open source tool used by white-hat and black-hat hackers alike – released such an exploit into the wild.

The module, which has been published as a work in progress on GitHub, does not yet have the polish and reliability of the EternalBlue exploit developed by, and later stolen from, the NSA. For example, if people using the new module specify the wrong version of Windows they want to attack, they may end up with a blue-screen crash. For the exploit to work on server computers, a non-default setting is also required, in the form of a registry change that enables audio sharing.

In contrast, the wormable EternalBlue exploit – which a still-unidentified group calling itself the Shadow Brokers released into the wild in April 2017 – worked seamlessly against a wide range of Windows versions in their default settings. A month after the leak, EternalBlue was incorporated into the WannaCry ransomware worm that shut down computers worldwide. A month after that, another EternalBlue-driven attack, called NotPetya, caused even more destruction around the world.

The latest vulnerability, indexed as CVE-2019-0708 but better known as BlueKeep, resides in earlier versions of Remote Desktop Services, which provide a graphical interface for connecting to Windows computers over the Internet. When Microsoft patched the vulnerability in May, it warned that computers that did not install the patch could suffer the same fate if reliable attack code became available. The reason: just like the flaw exploited by EternalBlue, BlueKeep allows self-replicating attacks. Like a line of falling dominoes, a single exploit could spread from one vulnerable machine to the next without any end-user interaction.

The risk was so great that Microsoft again implored customers to patch a month after the fix was released. NSA officials also urged people to install the patch.

A big deal

As noted earlier, the module released by Metasploit developers on Friday is not as advanced as the leaked EternalBlue exploit, but it is still quite effective. And that is both good news and bad news for people defending systems against malicious attacks.

"The release of this exploit is a big deal because it will make a reliable exploit available to security professionals and malicious actors," said Hans Hanson, a developer who contributed to the work on the release. "I hope the exploit will be used primarily by offensive teams to demonstrate the importance of security patches, but we will likely see criminal groups modify it to also deliver ransomware software."

He continued:

It is not very often that you see Microsoft issue a warning as they did with this bug. I am sure the warning has prompted defense teams to be more diligent in ensuring that all vulnerable systems are corrected promptly, which was the purpose of the warning. However, the Microsoft warning was more of a "Capture the flag" challenge for those of us who are offensive. I rarely reverse security patches, but I became very curious and I decided to reverse it as a learning exercise and also to understand why Microsoft was considering this bug as dangerous. Just days after the fix, users began sharing evidence that they had already canceled the fix and caused a crash. Shortly after, proof of successful code execution was shared by several people, including myself.

Although several people have publicly proven code execution, no one has published his PoC, which, I suppose, is because we all understood exactly why Microsoft had warned everyone of the dangers of this bug. Shortly after people began to show evidence of code execution, the NSA also issued a notice regarding the risks associated with BlueKeep. With all the warnings and risks associated with this bug, it is quite significant that an exploit is publicly released for the first time. Especially after so many researchers have kept their privacy policy private.

One machine is enough

Sean Dillon, a security researcher at RiskSense, is another of the main developers behind this release. Friday's release is almost identical to the BlueKeep exploitation video he published in June. It showed the module connecting to an unpatched Windows Server 2008 R2 computer and using the exploit to gain highly privileged system-level access. Dillon then used the open source Mimikatz application to obtain cryptographic hashes of passwords belonging to other computers on the same network to which the compromised machine was connected.

The ability to dump credentials used to connect to other computers highlights a major danger posed by the vulnerability. A single vulnerable machine can be used to infect every other machine in a network, even if they are fully up to date. Dillon's video graphically depicted this threat in June. With the open source code now available for anyone to review, rewrite or reuse, the risk will be even harder to ignore.

"As an open-source project, one of Metasploit's guiding principles is that knowledge is more powerful when it is shared," said Brent Cook of Metasploit in an article published on Friday. those who rely on open-source tools to understand and mitigate risks effectively."
