“Point and shoot” BlueKeep exploit presages WannaCry-like malware outbreak

It’s only a matter of time as cybercriminals tweak publicly available exploit code into devastating cyber attack

The recent public release of a BlueKeep Windows exploit has given cybercriminals a “point and shoot” tool for system takeover that, a security researcher has warned, should have CSOs bracing for a repeat of WannaCry – or worse.

Rapid7 project Metasploit’s decision to release an exploit for BlueKeep – a Remote Desktop Protocol (RDP) vulnerability considered so dangerous that Microsoft took the unusual step of releasing an out-of-band patch for otherwise unsupported Windows XP systems – was explained away as being a “critical” resource to help defenders plan their defences against the exploit.

BlueKeep has been classified as ‘wormable’, meaning that it can propagate from just one infected system to infect an entire network of connected devices.

Yet despite the industry’s concerns, many businesses are likely to find themselves vulnerable to the exploit without fully comprehending just how serious it is, Check Point Software Technologies cyber security evangelist Ashwin Ram told CSO Australia.

“We have so many exploits that it just becomes noise for most businesses,” he said. “But this one is quite dangerous. We are having these conversations day in and day out with many organisations, and at the boardroom level it’s just not being taken that seriously.”

Despite years spent trying to educate businesses about the changing nature of cybersecurity threats, many businesses still considered it to be something best addressed by buying a discrete security product and then leaving it alone for the long term.

“Many businesses still look at security infrastructure the same way they look at network infrastructure,” Ram explained. “They put in a router or a switch, and most businesses think they’re good to go for 5 to 10 years.”

“They simply don’t understand that the threat landscape changes very rapidly – and that to be able to address or negate the threat landscape, they must be able to have an environment that is also kept up to date.”

The Australian Signals Directorate joined comparable overseas agencies in warning businesses to take BlueKeep especially seriously, warning systems administrators that they should “immediately” patch the bug to protect against the inevitable surge of interest generated by the Metasploit release – as evidenced by an observed “uptick in malicious RDP activity” since the exploit was released.

While BlueKeep affects a number of operating sytems including Windows XP, Vista, and 2008 Server, Microsoft recently patched similar vulnerabilities affecting Windows 10 and several other flavours of the ubiquitous operating system.

Widespread availability of the BlueKeep exploit, which enables execution of any arbitrary code on a compromised system, means that cybercriminals could use BlueKeep to plant any sort of malicious code they desire – and spread it through a target network in an instant.

Protecting against this level of threat was a key factor in Metasploit’s decision to release the code, since researchers will also be able to benefit from knowing what to expect. Security firms like Check Point upgraded their tools to be able to detect BlueKeep months ago, but security practitioners needed to be aware that the exploit’s inherent flexibility meant that even technological protections weren’t the be-all and end-all.

“Penetration testers and security researchers can use this exploit to, at the very least, test their defence systems,” he said, “so they can be prepared in the event that an attack has been launched.”

“And if you can’t patch every system, at the very least make sure you have virtual patching – something at the network level that can prevent those threats from coming in. All you need is for one machine to be compromised somewhere for an attacker to laterally move in your organisation and wreak havoc.”

That included the potential for BlueKeep infections to spread across virtualised cloud environments, where many businesses are still trying to get their security defences up to speed; a wormable exploit could therefore spread between cloud-based Windows servers without throwing up the same signals that might be picked up on the local network.

To head off such potential issues, companies need to make sure they keep their threat-prevention systems updated and “have a security strategy that focuses on prevention,” Ram said, noting that an effective incident response is equally important.

“Many businesses still don’t have any way of figuring out what the attack was, how it got into the network, what business impact it has, and what data was exfiltrated,” he said. “Even in places where they have an incident response plan, it has often never been put to the test.”

Although a massive BlueKeep outbreak is yet to be launched, its looming potential for disruption makes it an ongoing threat heading into the critical pre-Christmas shopping season, when cybercriminals are likely to increase their search for credit cards and other valuable personal information.

“All cybercriminals have to do is point and shoot,” he said. “It’s only a matter of time.”