BlueKeep Vulnerability Has Been Weaponized

If you thought we wouldn’t be hearing about the BlueKeep vulnerability again, you were wrong. Six months after the exploit was revealed to the world, researchers are reporting that self-replicating malware taking advantage of unpatched Windows machines is being seen in the wild. Specifically, researcher Kevin Beaumont is reporting that his multiple EternalPot RDP honeypots, set up specifically to catch these exploit attempts, are starting to crash due to a BlueKeep worm.

huh, the EternalPot RDP honeypots have all started BSOD'ing recently. They only expose port 3389. — Kevin Beaumont (@GossiTheDog) November 2, 2019

These honeypots revealed encoded Windows PowerShell commands being delivered, downloaded and executed by the worm. From there, another payload executes a Monero crypto-currency miner and continues to spread laterally, repeating across every connected machine that has not been patched.

While the payload itself is not as immediately damaging as the WannaCry malware campaign, crypto-currency miners wreak havoc on infrastructure by consuming endpoint resources and network bandwidth, physically wearing out machines, and driving up external costs such as electricity.

According to Marcus Hutchins, who assisted Kevin in the research of the honeypot information, there are over 724,000 endpoints still connected to the internet that have not been patched against this BlueKeep RDP vulnerability.

If you have machines that you cannot update with the Microsoft patches for this vulnerability, check out this guide to disabling RDP, which will help keep your legacy Windows endpoints from becoming the point of entry into your network.

For more in-depth information on the exploit, check out Kevin Beaumont’s blog here.

For a deep analysis of the payload, check out Marcus Hutchins’ blog here.

What We Recommend

As with all potentially harmful vulnerabilities, the key to minimizing your exposure is to present a smaller, more difficult target to hit. We are urging all organizations to take inventory of their legacy Windows XP and Windows 7 devices and ensure the available patch is applied.
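The inventory and hardening steps described above (find legacy hosts, confirm the patch is applied, and disable RDP where it cannot be), as an added example script that is not part of the original post and not Automox's own tooling. For the local host it reports whether RDP is enabled, whether TCP port 3389 is listening, and whether the required update is installed, and can optionally disable RDP. The KB identifier is a labelled placeholder to be replaced with the update Microsoft lists for the host's OS version; Get-HotFix, the Terminal Server registry value and netsh advfirewall are standard on Windows 7, while Windows XP has no PowerShell and must be inventoried another way.

```powershell
# Added example (not from the original post): local BlueKeep exposure check
# for a legacy Windows host. Run elevated. Assumes Windows 7-era PowerShell.
# REPLACE the KB id below with the update Microsoft lists for this OS build;
# the value shipped here is a placeholder, not a real identifier.
param(
    [string[]]$RequiredKB = @('KB-PLACEHOLDER'),
    [switch]$DisableRdp
)

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is turned off for this host.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
             -ErrorAction SilentlyContinue).fDenyTSConnections

    # Is anything actually listening on the RDP port right now?
    $listening = netstat -ano | Select-String ':3389\s+\S+\s+LISTENING'

    # Which of the required updates are absent from the installed hotfix list?
    $missing = @()
    foreach ($kb in $RequiredKB) {
        if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
            $missing += $kb
        }
    }

    $os = Get-WmiObject Win32_OperatingSystem
    New-Object PSObject -Property @{
        Host       = $env:COMPUTERNAME
        OS         = $os.Caption
        RdpEnabled = ($deny -ne 1)
        Port3389   = [bool]$listening
        MissingKB  = ($missing -join ',')
        # Exposed = reachable RDP service on a host still missing the patch.
        Exposed    = (($deny -ne 1) -and [bool]$listening -and ($missing.Count -gt 0))
    }
}

function Disable-Rdp {
    # Deny new Terminal Services connections and block the port at the host
    # firewall so a stale listener cannot be reached while the change settles.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    netsh advfirewall firewall add rule name="Block RDP 3389 (BlueKeep mitigation)" `
        dir=in action=block protocol=TCP localport=3389 | Out-Null
}

$report = Get-RdpExposure
$report | Format-List Host, OS, RdpEnabled, Port3389, MissingKB, Exposed

# Only act when asked to and when the host is actually exposed; patched or
# already-disabled hosts are left untouched so the script is safe to run fleet-wide.
if ($DisableRdp -and $report.Exposed) {
    Disable-Rdp
    Write-Host "RDP disabled on $($report.Host); apply the update and re-enable when patched."
}
```

Running it without -DisableRdp is a read-only inventory pass that can be pushed to every legacy host and collected centrally; the Exposed field is the one to sort on. Re-run after patching to confirm MissingKB is empty before re-enabling RDP on any host that was switched off.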

For additional information on how to manage these patch updates in the Automox console, check out our recent blog on how to manage legacy Windows OS updates. We also offer instruction on how to deploy an emergency patch to update Windows XP via a custom policy in Automox.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.