Critical Windows Warning Gets Real As Wormable Exploit Weaponized
On May 14, Microsoft released fixes for a critical Windows remote code execution vulnerability that was “wormable” and highly dangerous if ever exploited. Two weeks later, Microsoft got down on a virtual bended knee to remind at least a million users that they still needed to update their Windows systems. The following week, the National Security Agency (NSA) took the unusual step of jumping in and warning Windows users to update or risk a “devastating” and “wide-ranging impact.” And then, on June 18, the U.S. Government joined the fray by way of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issuing a critical update warning. At the heart of all this was the BlueKeep vulnerability that existed in Windows 2003, XP, Vista, 7, Server 2008 R2 and Server 2008. The saving grace was, at the time, that the only exploits known were proof-of-concept ones safely confined to research lab environments, which caused little more damage than blue-screening an infected system. That has now changed, as BlueKeep is both weaponized and in the wild.
How has the BlueKeep worm been weaponized?
Rapid7, a cybersecurity vendor best known for the open-source Metasploit penetration testing framework that is used by security researchers and, unfortunately, cyber-criminals alike, has just released a BlueKeep exploit module. The module, which currently targets the 64-bit versions of Windows 7 and Windows Server 2008 R2, is the first public BlueKeep exploit that anyone can download and use. One of the developers of the Metasploit BlueKeep exploit told BleepingComputer that “all of the information required for exploitation has already leaked out in weeks past and at least a dozen privately held exploits have been announced.” Although there have been plenty of proof-of-concept BlueKeep exploits uploaded to GitHub already, this is the first that has been weaponized; it can attain the code execution needed for a worm to spread. The “good” news is that it only works in a manual mode, meaning the worm cannot replicate automatically.
The bad news is that despite this, and in the wrong hands, it could still be used to infect a network, albeit in a time-consuming, hands-on manner. Given that there are still thought to be more than half a million internet-facing vulnerable servers out there, and likely millions more behind the corporate network firewall, you can see the criminal attraction. Throw in that threat actors will potentially have the skillset to find ways to fully automate the exploit, given enough time, and those critical warnings from earlier in the year seem much more urgent now.
How can you mitigate against the BlueKeep exploit?
I know you are not going to like me for saying this, but the answer comes in just three words: update, update, update. Microsoft issued the patch way back on May 14, and you can find the full details in the update guide published at the time. “The broader security community has emphasized the importance and urgency of patching,” Brent Cook, engineering manager for the Rapid7 Metasploit framework, said, “we echo this advice.”
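For administrators who want to confirm that advice has actually been followed, here is an added PowerShell inventory check (not from the article, Microsoft or Rapid7) that reports whether a host is in the affected Windows families the article lists, whether Remote Desktop is enabled, and whether the May 14 update is installed. The KB number is a placeholder you must replace with the update ID for your OS from Microsoft's update guide; Get-WmiObject is used rather than Get-CimInstance so the script also runs on the older systems in scope.

```powershell
# Added example, not from the article: read-only BlueKeep exposure check for one host.
# ASSUMPTION: $PatchKB is a placeholder; take the real KB for this OS from the
# May 14 Microsoft update guide before running.
param(
    [string]$PatchKB = 'KB<placeholder>'
)

# OS families the article lists as affected (2003, XP, Vista, 7, 2008, 2008 R2).
$affectedFamilies = @('Windows XP', 'Windows Vista', 'Windows 7',
                      'Windows Server 2003', 'Windows Server 2008')

# Get-WmiObject works on PowerShell 2.0 (XP/2003/Vista/7), unlike Get-CimInstance.
$os = Get-WmiObject -Class Win32_OperatingSystem
$inScope = [bool]($affectedFamilies | Where-Object { $os.Caption -like "*$_*" })

# Remote Desktop is enabled when fDenyTSConnections is 0.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# Get-HotFix returns nothing (and the error is suppressed) when the KB is absent.
$patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

$result = [pscustomobject]@{
    Host       = $env:COMPUTERNAME
    OS         = $os.Caption
    InScope    = $inScope
    RdpEnabled = $rdpEnabled
    Patched    = $patched
}
$result | Format-List

# Non-zero exit code lets a scheduled job or inventory tool flag the host.
if ($result.InScope -and $result.RdpEnabled -and -not $result.Patched) {
    Write-Warning "$($env:COMPUTERNAME): affected OS, RDP enabled, $PatchKB missing - update now"
    exit 2
}
exit 0
```

Run it under an account that can read the registry and installed updates; a host that is in scope but has RDP disabled still needs the update, since the check only flags the most exposed combination.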