- A pen-testing company released a Python proof of concept that shows how to achieve BlueKeep remote code execution.
- Researchers are worried about this code leaking and falling into the wrong hands, with devastating results.
- Roughly 800k systems remain vulnerable despite the warnings, so the threat is real.
The doomsday clock of BlueKeep, the vulnerability in Microsoft’s Remote Desktop Protocol that was first disclosed in May 2019, is now closer to midnight than ever before. Hundreds of thousands of systems remain vulnerable because they have not applied the May 15 patch that Microsoft rolled out for all affected versions of Windows, including the long-unsupported Windows XP, Server 2003, Server 2008, and Windows 7. The vulnerability, tracked as “CVE-2019-0708”, is so critical that Microsoft fears a new “WannaCry”: BlueKeep is wormable, meaning malware that exploits it could spread from one unpatched system to the next on its own.
So far, malicious actors have not demonstrated the ability to turn BlueKeep into a working remote code execution (RCE) exploit and build a worm that could trigger a global infection. Cybersecurity experts, organizations, and even governments were hoping the situation would stay that way a little while longer, as tens of thousands of outdated systems remain exposed to the flaw. However, the waiting is now over: the penetration-testing firm Immunity Inc. has released proof-of-concept (PoC) code for a module that exploits BlueKeep. In a video demonstration, Immunity shows how a remote code execution scenario could work, which sets this apart from the RDP exploit code that had surfaced on GitHub until now.
Immunity’s module is not self-propagating, so it does not operate as a worm in its current form. Immunity is selling the Python PoC as part of Canvas, its penetration-testing framework. Naturally, the release has raised concerns among security researchers, who fear that the code could leak to darknet channels and seed the development of a BlueKeep worm. Others point out that Immunity controls who buys its exploit, and that a public exploit will more likely be developed independently before Immunity’s PoC ever leaks.
Whatever the case, one thing is certain: BlueKeep will soon be weaponized by someone with ill intentions. That said, the only way to deal with the threat right now is to patch the vulnerable systems. At the start of the month, these systems were estimated at about 800 thousand, so there is still a lot of work to be done on that front. Multiple sources now report that a growing number of actors are scanning the internet for BlueKeep-vulnerable systems, and that an increasing number of botnet campaigns are bundling BlueKeep scanners into their malware.