The recent attacks exploiting the BlueKeep vulnerability to deliver cryptocurrency miners caused some systems to crash due to a Meltdown patch being deployed on the targeted machines.
The BlueKeep vulnerability, officially tracked as CVE-2019-0708, affects Windows Remote Desktop Services (RDS) and it allows an unauthenticated attacker to execute arbitrary code by sending specially crafted Remote Desktop Protocol (RDP) requests. Microsoft released patches, including for unsupported versions of Windows, in May.
The BlueKeep attacks used an exploit based on a Metasploit module released in September. While the attackers attempted to deliver a Monero miner, the exploit caused many of the targeted systems to crash, which actually led to researchers discovering the attacks.
Researcher Sean Dillon, aka zerosum0x0, who is one of the developers of the BlueKeep Metasploit module, has conducted an analysis and determined that the exploit likely causes devices to crash due to the presence of a patch for the Intel CPU vulnerability known as Meltdown. Dillon said his BlueKeep exploit development setup did not have the Meltdown patch installed, which is why he did not observe the crashes.
The researcher has proposed a fix that should make the exploit more reliable. In the meantime, Kevin Beaumont, the expert whose honeypots caught the BlueKeep exploitation attempts, says he has deployed more sensors, including ones that have been configured to make exploitation more stable. However, he stopped seeing attacks three days ago.
Beaumont’s honeypots started crashing on October 23, but he only realized that the crashes were caused by BlueKeep exploitation attempts on November 2. After Beaumont reported seeing attacks, Microsoft admitted that it had started noticing an increase in RDP-related crashes right after the Metasploit module was released in September.
Microsoft has once again advised customers to install the patches and warned that the exploit will likely also be used to deliver more “impactful and damaging” payloads.
While Microsoft and many others were concerned that the BlueKeep vulnerability would be used to create a worm, similar to how the EternalBlue exploit was used by the WannaCry ransomware back in 2017, the recent attacks did not involve a self-propagation component.
However, Marcus Hutchins, aka MalwareTech, the British researcher who helped Microsoft and Beaumont analyze the BlueKeep attacks, pointed out that attackers do not need to create a worm to launch profitable attacks and users should not ignore the threat just because a worm has not been created.
“Most BlueKeep vulnerable devices are servers. Generally speaking, Windows servers have the ability to control devices on the network. Either they’re domain admin, have network management tools installed, or share the same local admin credentials with the rest of the network,” Hutchins explained.
“By compromising a network server, it is almost always extremely easy to use automated tooling to pivot internally (Ex: have the server drop ransomware to every system on the network),” the researcher added.
“The real risk with BlueKeep is not a worm. A worm is pointless and noisy. Once an attacker is on the network, they can do far more damage with standard automated tools than they could ever do with BlueKeep,” Hutchins said.
There are still roughly 700,000 systems that appear to be vulnerable to BlueKeep attacks and the fact that malicious actors have started exploiting the flaw in the wild does not appear to have had any positive impact on patching efforts. The SANS Institute’s Internet Storm Center reported that the media coverage of the recent attacks does not appear to have influenced the rate at which users patch their devices.