Microsoft patched a critical Windows Remote Desktop vulnerability last week and the risks of attacks in the wild have since grown as multiple researchers have created proof-of-concept exploits.
The Windows RDP flaw, dubbed "BlueKeep" by British security researcher Kevin Beaumont, gained notoriety because when Microsoft patched it, Simon Pope, Microsoft Security Response Center director of incident response, wrote in an advisory that malware exploiting the vulnerability could spread in the same worm-like fashion as WannaCry because an exploit would require no user interaction. Microsoft even took the rare step -- as it did with WannaCry -- to release patches for otherwise unsupported Windows XP and Server 2003 systems.
Since the BlueKeep patch was released on May 14, Beaumont has tracked the progress of security researchers. Although fake proof of concept (PoC) exploits were uploaded to GitHub almost instantly, it wasn't until the 19th that working denial-of-service exploits were created by McAfee and Zerodium, followed by Kaspersky Labs researcher Boris Larkin on the 20th.
Kaspersky/@oct0xor got Blue Screen with #BlueKeep. The GIF is authentic. Three different researchers at different companies have reached this stage so far. Note this in itself does not allow code execution. pic.twitter.com/EqppV2Xb8D— Kevin Beaumont (@GossiTheDog) May 20, 2019
On May 21, McAfee researchers described a BlueKeep PoC exploit it created capable of remote code execution (RCE), but did not release the code under concern that it would "not be responsible and may further the interests of malicious adversaries."
"With our investigation we can confirm that the exploit is working and that it is possible to remotely execute code on a vulnerable system without authentication. Network Level Authentication should be effective to stop this exploit if enabled; however, if an attacker has credentials, they will bypass this step," McAfee researchers wrote in a blog post. "We are urging those with unpatched and affected systems to apply the patch for CVE-2019-0708 as soon as possible. It is extremely likely malicious actors have weaponized this bug and exploitation attempts will likely be observed in the wild in the very near future."
Beaumont said on Twitter that McAfee, Zerodium and Qihoo 360 all have RCE BlueKeep PoC exploits -- though they have only been demoed and no PoC code has been released -- but he noted that Qihoo 360 security researcher Zheng Wenbin, known as MJ0011, was a step ahead because that RCE exploit could run on Windows 7. Earlier today, Wenbin showed off a stable RCE demo running on Windows 7 x64.
As yet, no BlueKeep attacks have been seen in the wild, but researchers at Proofpoint have seen low levels of scanning activity looking for vulnerable systems.
"We have started to observe BlueKeep CVE-2019-0708 scanning activity, likely due to the public release of a scanner and/or Qihoo360's CERT tool going live. Beginning (roughly) around May 22nd, 2pm UTC-7. Nothing to be majorly concerned about right now, volume is incredibly low," Proofpoint researcher sudosev tweeted. "Since volume is so low, I wouldn't be surprised if this is scanner testing as opposed to somebody genuinely mass hunting for vulnerable servers, don't get into a panic over this."