BlueKeep vulnerability
  • Metasploit has published a new BlueKeep exploit module that works more reliably than anything publicly available before.
  • The Metasploit team is now testing and refining it so that it works across more environments.
  • A BlueKeep botnet campaign looks closer than ever, as the number of vulnerable systems remains large.

Although we warned about the imminent weaponization of BlueKeep (CVE-2019-0708) back at the end of July, it looks like researchers and malicious hackers are still far from a fully reliable exploit. Metasploit, however, has just published a new exploit module on GitHub, and it is the closest thing to weaponization we have seen so far. The module targets 64-bit Windows 7 and Windows Server 2008 R2, and it is based on the proof-of-concept (PoC) code written by security researcher @zerosum0x0. The Metasploit team added an improved general-purpose RDP protocol library and enhanced the RDP fingerprinting, so the module now works well enough to be used in practice.

However, that is not to say that the remote exploit is fully reliable yet: a failed attempt typically crashes the target with a blue screen rather than failing cleanly, which is why the module should not be pointed at production systems. Metasploit plans several rounds of testing and verification, and hopefully it will extend the module's reliability across a broader range of environments. I say "hopefully" because publishing a working exploit has its positive side. First, it pushes system admins to finally patch the vulnerability, and second, it gives AV tools something concrete to detect and block. Bitdefender's Hypervisor Introspection (HVI), for example, has already been tested against the exploit and managed to catch and stop the module.

Right now, according to reports from Rapid7, the owner of the Metasploit platform, there are still about 1 million unpatched nodes out there. Shodan search results point to around 300,000 vulnerable systems exposed to the internet. These systems are open to exploitation and numerous enough to justify a worm campaign built on a working BlueKeep exploit module. Remember, Microsoft has had a patch for BlueKeep available since May 14, and multiple entities, including the NSA and the DHS, have issued security advisories urging people to update their systems. Some are still living under a rock, others cannot afford the time or resources to upgrade, while others didn't take the threat seriously because a working exploit seemed far off.

Now, patching is more urgent than ever, but some systems will inevitably remain vulnerable. One way to protect them is to deploy third-party protection tools. On the configuration side, requiring Network Level Authentication (NLA) for the Remote Desktop service and not exposing RDP to the internet until you are ready to patch will help you stay safe in the meantime. NLA helps because BlueKeep is triggered before logon: with NLA enforced, an attacker needs valid credentials before reaching the vulnerable code path, so it is a mitigation rather than a fix, and a patch is still required.
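The following is an added example, not code from the article or from the Metasploit project, that applies the interim mitigations above to a Windows 7 / Server 2008 R2 host from an elevated PowerShell prompt: it checks whether the fix is installed, enforces NLA on the RDP-Tcp listener, and restricts inbound RDP to a management subnet. The KB numbers are the Windows 7 SP1 / Server 2008 R2 fixes listed in Microsoft's CVE-2019-0708 advisory (confirm them for your own SKU), and the management subnet 10.0.0.0/8 is a placeholder assumption you must change.

```powershell
# Added example (not from the article or Metasploit): interim hardening of a
# Windows 7 / Server 2008 R2 host against CVE-2019-0708 until it is patched.
# Run from an elevated PowerShell prompt.

# ASSUMPTIONS: KB IDs are the Win7 SP1 / 2008 R2 fixes from Microsoft's
# CVE-2019-0708 advisory (security-only update and monthly rollup); verify
# them for your SKU. The management subnet is a placeholder - change it.
$BlueKeepKBs = 'KB4499175', 'KB4499164'
$MgmtSubnet  = '10.0.0.0/8'

# 1. Is the fix already installed? Either update closes the hole on this SKU.
$installed = Get-HotFix -Id $BlueKeepKBs -ErrorAction SilentlyContinue
if ($installed) {
    "Patched for CVE-2019-0708: $($installed.HotFixID -join ', ')"
} else {
    "NOT patched for CVE-2019-0708 - applying interim mitigations"
}

# 2. Require Network Level Authentication on the RDP-Tcp listener.
#    BlueKeep fires before logon; with NLA on, the attacker needs valid
#    credentials before the vulnerable code path is reachable.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    # Use the Terminal Services WMI provider so the running service picks it up.
    $ts = Get-WmiObject -Namespace 'root\cimv2\terminalservices' `
                        -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    $null = $ts.SetUserAuthenticationRequired(1)
    "NLA enabled on RDP-Tcp (was $nla)"
} else {
    "NLA already required on RDP-Tcp"
}

# 3. Stop exposing RDP to the internet: scope the built-in inbound rule to the
#    management subnet. netsh is used because New-NetFirewallRule does not
#    exist on Windows 7 / Server 2008 R2.
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=$MgmtSubnet

# If nothing needs RDP until the patch lands, block the port outright instead;
# a block rule takes precedence over any allow rule in Windows Firewall:
# netsh advfirewall firewall add rule name="Block RDP until CVE-2019-0708 patched" `
#     dir=in action=block protocol=TCP localport=3389

# 4. Show the resulting state for the change ticket.
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
Get-ItemProperty -Path $rdpKey -Name UserAuthentication | Select-Object UserAuthentication
```

Keep in mind that step 3 only protects the host firewall; if RDP is published through a perimeter NAT rule or a cloud security group, close it there too, and treat the whole script as a stopgap until the update from step 1 is actually installed and the host rebooted.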

Do you believe that we are close to seeing BlueKeep botnet campaigns, or are we still safe for now? Let us know what you think in the comments down below, or join the discussion on our socials, on Facebook and Twitter.