Naked Security

Microsoft urges us to patch after partially effective BlueKeep attack

Microsoft has urged people to patch their Windows systems following the appearance of mass BlueKeep exploits just over a week ago.

Microsoft has urged people to patch their Windows systems following the report of widespread attacks based on the BlueKeep vulnerability.

BlueKeep is the code name for a security hole dubbed CVE-2019-0708, first revealed in May 2019. The flaw, in Windows 7 and Windows Server 2008, allows attackers to break into a computer through the Windows Remote Desktop Protocol (RDP) – without bothering with the RDP logon screen first.

Exploiting the vulnerability was technically difficult, creating a tense race to patch systems in the wild before someone released an exploit.

There’s a full discussion of the BlueKeep attack in the Naked Security podcast this week.

Security researcher Kevin Beaumont, who regularly monitors a network of honeypot devices to detect BlueKeep attacks, first raised the alarm on 2 November 2019:

https://twitter.com/GossiTheDog/status/1190654984553205761

The crashes started on 23 October, he said.

Those machines were the canaries in the coal mine, as they only exposed the port used for the RDP service susceptible to the BlueKeep vulnerability.

However, the exploit wasn’t being used to spread a worm, according to MalwareTech, aka Marcus Hutchins.

In an analysis of the attack code, Hutchins found that it used a BlueKeep exploit published in Rapid7’s Metasploit pen testing suite on 6 September. Instead of self-propagating, the attack based on this exploit installed a cryptocurrency miner.

Microsoft already had eyes on the attack. In a blog post on 7 November, it said that the attacks on Beaumont’s RDP honeypot triggered a behavioural detection mechanism in its Defender Advanced Threat Protection (ATP) enterprise security service. The company had installed a filter to look for the Metasploit exploit in September, it said.

The behavioural detection mechanism detected 10 times as many crashes in RDP-enabled endpoints daily starting on 6 September, spiking from 10 to 100.

The company warned that this may not be the last BlueKeep exploit we see. It said:

Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks. In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.

The company repeated the same advice that it has been giving to people since it first revealed the BlueKeep exploit: patch your systems.

Naked Security Principal Research Scientist Paul Ducklin had this to say:

If you are worried about BlueKeep because you haven’t patched yet, then you are probably missing a full six months of patches to go along with the BlueKeep one, which came out back in May 2019.

So take this BlueKeep alert as a general-purpose wakeup call, and stop putting off those updates. Patch early, patch often, so you aren’t giving even unsophisticated cybercrooks a free pass into your network.

7 Comments

Just to make things absolutely, perfectly, undeniably clear, if you have patched a Windows system in November, you’re safe, right? Do I need to do a manual “Check for Updates” and interpret the results? Asking on the part of busy retirees everywhere.

Reply

That’s the theory :-) I recommend doing a manual update check on a regular basis as a matter of course, even if you usually update automatically, in order to ensure that you really do have everything you need…

…but the theory is that the updates should act cumulatively, or as “rollups”, meaning that if you have update X+2 then you already have X+1 and if you have X+1 you have X, and so on. In other words, if the update check results show no security updates missing, you can interpret that to mean that you have everything you need.

Don’t forget to check for updates for apps that aren’t covered by OS updates, and for plugins in your browser, and all those ancillary bits and pieces!

Reply

I have in my notes that there was a hanging issue when installing KB4499164 on Sophos endpoints. Has this been resolved?

Reply

AFAIK it was resolved by Microsoft right back in May 2019. According to our own knowledge base:

“Update 24-05-2019. Microsoft and Sophos have been working closely to identify and resolve the issue. Microsoft has provided the following information:

Customers running Windows Defender ATP (Advanced Threat Protection) on Windows 7 or Windows Server 2008 R2 may see sporadic issues installing Windows updates. Microsoft is aware of the issue and is rolling out a fix to Windows Defender ATP over the coming 36 hours. No customer action is required. The fix will be automatically applied by the Microsoft Monitoring Agent Service.”

(The issue seems to have affected various software vendors – Windows 7 or 2008 R2 computers could ‘get stuck’ at 30% applying the May update, thus preventing the update from arriving. As mentioned above, it seems that Microsoft fixed this problem both quickly and automatically.)

https://community.sophos.com/kb/en-us/134117

Reply

So this only affects Windows 7 and Server 2008? If you’re still running these you will be vulnerable again in January 2020 when Microsoft stops all support for these OSs. You shouldn’t be patching, you should be UPGRADING!

Reply

Good point…

…although this is still a useful reminder of why patching isn’t something to be taken lightly!

Reply

Upgrade, to what, SuperSpyware10 from MS? As much as it’s a pain, it looks like it’s Linux or nothing if we want security from backdoors (Xbox, Cortana, YourPhone, and all the W10 unknowns). Exfiltrating data to MS, it will be abused by hackers eventually, and obviously by MS for analyzing “consumer” behavior, you know, for marketing purposes.

Reply
