Reports from security researchers Kevin Beaumont and Marcus Hutchins have shed light on the recent BlueKeep attacks that installed cryptocurrency miners on compromised devices. In early November, Beaumont noticed that his honeypots, which were set up to detect and monitor BlueKeep attacks, kept crashing. A probe into the source of the crashes confirmed that they were caused by the BlueKeep exploit module for the Metasploit penetration testing framework. These blue screen of death (BSOD) crashes in the honeypots were what led Beaumont to discover the real-world attacks.
Investigating these events, Microsoft found connections between attacks from late October and a campaign from last September — the attacks were likely deployed by the same group. This prompted concern and warnings of more incoming attacks. BlueKeep is a known remote code execution vulnerability affecting Remote Desktop Protocol (RDP) services on Windows 7, Windows Server 2008, and Windows Server 2008 R2. It was patched by Microsoft in May. Microsoft has consistently urged administrators to patch their RDP services to help defend against exploits of this vulnerability.
Cause and repair of BlueKeep crashes
As mentioned above, Beaumont’s BlueKeep honeypots were crashing and rebooting. The exploit kept triggering BSOD crashes, signaling its instability. Further investigation from Microsoft revealed that the BlueKeep exploit attempts “involved human operators aiming to penetrate networks,” meaning that the malware is not a self-propagating worm. The ‘wormability’ issue was one that researchers were concerned about when the BlueKeep exploit was first released in September. Microsoft posits that attackers are likely using manual port scans to find vulnerable machines.
According to security researcher Sean Dillon, the BSOD was triggered because the exploit was not compatible with the patches Microsoft issued for the Meltdown Intel CPU vulnerability. However, there are plans to update the BlueKeep Metasploit exploit to support kernels patched for Meltdown. Unfortunately, this means that attackers will have a better chance of compromising vulnerable systems — they can rely on a more stable exploit, made less obvious because it will not cause the BSOD.
Security issues and recommendations
Wormability is not the most pressing concern when it comes to BlueKeep, as highlighted by Hutchins; the real concern is the possibility of servers being compromised. Most devices vulnerable to BlueKeep are actually servers, and a compromised server makes it easy for attackers to pivot and spread internally within a network. He points out that Windows servers usually control other devices on the network: they are either domain admins, have network management tools installed, or share the same local admin credentials with the rest of the network.
Regrettably, even with reports of active exploits for BlueKeep hitting honeypots, system administrators remained unmotivated to patch. Researchers at the SANS Institute have been tracking the rate of patching through Shodan and have noticed a downward slope in the rate of patching since May. The recent media reports of attacks did nothing to change the trajectory.
Here are some best practices that can help users and enterprises reduce their exposure to threats that may exploit BlueKeep:
Patch and keep the system and its applications updated (or employ virtual patching to legacy or end-of-life systems).
Restrict or secure the use of remote desktop services. For example, blocking port 3389 (or disabling it when not in use) can help thwart threats from initiating connections to systems behind the firewall.
Enable network level authentication (NLA) to prevent unauthenticated attackers from exploiting BlueKeep. This can be configured in Windows 7 and Windows Server 2008 (including the R2 version).
Enforce the principle of least privilege. Employing security mechanisms like encryption, lockout policies, and other permission- or role-based access controls provides additional layers of security against attacks or threats that involve compromising remote desktops.
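The following PowerShell script is an added example, not code from the original article or from any vendor tool: it audits a Windows 7 / Server 2008 (R2) host against the patch, NLA and port 3389 recommendations above and, when run with -Remediate, applies the NLA and firewall ones. The KB identifier is a placeholder to be filled in from Microsoft's May advisory, and the rule name and switch names are assumptions.

```powershell
<#
  Added example, not code from the original article or from any vendor tool:
  audit a Windows 7 / Server 2008 (R2) host for the RDP hardening steps above
  and, with -Remediate, apply the NLA and port-3389 ones. Run elevated. It uses
  registry keys and netsh so it also works on the PowerShell 2.0 those OSes ship.
  Assumption: $BlueKeepKbs is a placeholder; fill it from Microsoft's May advisory.
#>
param(
    [switch]$Remediate,
    [string[]]$BlueKeepKbs = @('KB0000000')   # PLACEHOLDER, not a real KB number
)

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'

# 1. Is the BlueKeep security update installed? Get-HotFix lists installed updates.
$installed = Get-HotFix | Where-Object { $BlueKeepKbs -contains $_.HotFixID }
if ($installed) { Write-Output "PASS: update present: $($installed.HotFixID -join ',')" }
else { Write-Output "FAIL: none of $($BlueKeepKbs -join ',') installed; patch first" }

# 2. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means it is off.
$deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 1) { Write-Output "INFO: Remote Desktop is disabled on this host" }

# 3. Network Level Authentication: UserAuthentication = 1 makes the server demand
#    credentials before creating a session, so unauthenticated clients never reach
#    the vulnerable RDP code path.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
if ($nla -eq 1) { Write-Output "PASS: NLA required" }
else {
    Write-Output "FAIL: NLA not required (UserAuthentication=$nla)"
    if ($Remediate) {
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
        Write-Output "FIXED: NLA enabled; applies to new connections"
    }
}

# 4. Inbound TCP/3389: add an explicit block rule with netsh (New-NetFirewallRule
#    only exists from Windows 8 / Server 2012 on). Scope it to internet-facing
#    hosts and allow RDP only from management networks or a VPN.
$ruleName = 'Block inbound RDP 3389 (BlueKeep mitigation)'   # constructed rule name
$rule = netsh advfirewall firewall show rule name="$ruleName"
if ($rule -match 'Rule Name') { Write-Output "PASS: block rule '$ruleName' present" }
elseif ($Remediate) {
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=3389 | Out-Null
    Write-Output "FIXED: inbound TCP/3389 blocked by '$ruleName'"
}
else { Write-Output "WARN: inbound TCP/3389 not blocked; rerun with -Remediate or restrict by source" }
```

Run it without -Remediate first to see which checks fail; the firewall block rule will cut off existing remote administration over RDP, so add a narrower allow rule for management hosts before applying it to a production server.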