BlueKeep Panic as RCE RDP Exploit Floods the Net

BlueKeep, a nasty vulnerability in RDP, by now should have been patched everywhere. Sadly, back in the real world, hundreds of thousands of unpatched hosts are connected to the internet.

RDP—Microsoft’s Remote Desktop Protocol—is now coming under attack from hackers who are trying to spread cryptomining malware. The vulnerability is remote-code exploitable, so this is a worrying development (albeit expected).

RDP was, of course, designed in a kinder, gentler age. And it should never be naked on the net without some serious firewallage. In today’s SB Blogwatch, we fire up Shodan.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: LA:11/19.

Exploit is Coming

What’s the craic? Graham Cluley clues us in—“After months of worry, BlueKeep vulnerability is now being exploited”:

 British researcher Kevin Beaumont raised the alarm this weekend, after discovering that BlueKeep honeypots he had set up … began to crash and reboot. … The good news is that the current attack appears to be flawed – crashing the computers it is attempting to infect rather than successfully installing the hackers’ code.

The NCSC, part of UK’s GCHQ, had privately reported the vulnerability to Microsoft in the first place, warned that BlueKeep “poses a serious threat” and recommended that organisations and individuals apply their security patches as soon as possible, fearing a re-run of the WannaCry ransomware outbreak. … Make sure your computers, including your old legacy computers, are up-to-date with security patches.

And Andy Greenberg says in large, friendly letters, “Don’t Panic”:

 When Microsoft revealed last May that millions of Windows devices had a serious hackable flaw known as BlueKeep … it seemed only a matter of time before someone unleashed a global attack. … So-called honeypots—bait machines designed to help detect and analyze malware outbreaks—are being compromised en masse.

The bug in [RDP] allows a hacker to gain full remote code execution. … It has potentially devastating consequences. [But] this current wave … appears to be far from the RDP pandemic that many feared.

But the threat BlueKeep poses to hundreds of thousands of Windows machines hasn’t passed just yet. About 735,000 Windows computers remained vulnerable to BlueKeep according to one internet-wide scan … in August.

Sounds bad. Kevin Beaumont summarizes—“BlueKeep exploitation activity seen in the wild”:

 CVE-2019-0708, a Remote Desktop vulnerability I nicknamed BlueKeep — as exploitation would likely cause ‘blue screen of death’ … and a worm would lead to the Game of Thrones ‘Red Keep’ moment. … I built a worldwide honeypot network to spot exploitation, which I called BluePot. [It] was built using Azure Sentinel with Microsoft Sysmon.

On October 23rd — one of the BlueKeep honeypots crashed and rebooted. Over the following weeks, all [but one] of the honeypots crashed and rebooted … normally several times a day. This has been going on for weeks now.

It is clear people now understand how to execute attacks on random targets, and they are starting to do it. This activity doesn’t cause me to worry, but it does cause my spider sense to say ‘this will get worse, later.’

If somebody makes a reliable worm for this vulnerability … expect global consequences. … You can use services like and to find still exploitable systems in your internet accessible IP ranges.

How does it work? Marcus Hutchins unpicks the exploit and payload:

 During BlueKeep exploitation, the MS_T120 channel struct is freed, leaving a dangling pointer. … As anticipated, the allocation is a valid channel structure for the exploitable MS_T120 channel.

If this is a BlueKeep exploit, we should find that dereferencing the address fffffa80`08807048 will lead to the payload or exploit shellcode. … We can assert valid BlueKeep exploit attempts in the wild, with shellcode that even matches that of the shellcode in the BlueKeep metasploit module. … The second part of the shellcode also matches that from the BlueKeep metasploit module.

The payload is easily visible at the end of shellcode. It’s an encoded PowerShell command … to download another PowerShell command from the attacker’s server. … Eventually we arrive at the command which downloads and executes an actual executable binary [which] is known to VirusTotal as a cryptocurrency miner.

Sounds complicated. IronStarCTS is impressed:

 The exploit itself is quite tricky to write (there’s serious kernel heap-spraying stuff involved … meaning it’s highly specific to Windows version & arch and will crash systems that don’t match), but someone published a Metasploit module so probably easy for [script kiddies] to go wild.

Sounds like the crashes are from someone spray-n-praying the entire internet with only one version and just crashing all the systems that don’t match.

Oh c’mon. Windows patches have been available for months! But Torodung calls BS:

 You think people who are still using XP follow security blogs or subscribe to CERT? … No way. Even a hospital’s IT department doesn’t know what to do with that **** other than air gap it.

And known_hosts is horrified:

 Full remote code execution is pretty much worst case scenario, because they can literally execute any code they want. So who cares if the only use we know of so far is used for keyloggers and ransomware?

But roc97007 makes us even more depressed:

 Keep in mind that Windows 98 … (which is now old enough to drink) still exists in the wild today in embedded systems. You ever wonder why those soda can recycling machines work so *****y?

But what of victims who have patched? AdHocSysAdmin shares their findings:

 Looking in the Security event log … I notice a massive number of audit failures. Notably, the originating workstation name is frequently “Remmina” (Linux RDP client) or “FreeRDP”. In one series of logon failures, there was an originating IP, which (seemingly) is Ukraine based.

Account names used are “Administrator”, “admin”, “administrateur”, “administrador” and similar common accounts. My guess is there’s a wave of RDP hacking attempts going on, which overloads the [terminal server], preventing genuine users from logging in.

I guess we got attacked by BlueKeep.
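What the comment describes, a flood of audit failures against guessed administrator names from clients calling themselves Remmina or FreeRDP, is password guessing over RDP, which Windows records as Security event 4625. CVE-2019-0708 does not work by guessing passwords, so patched hosts still need this kind of triage. The script below is an added example, not the commenter's tooling: it parses 4625 events in a flattened one-line form (constructed here, using documentation-range addresses), groups failures by source IP, and flags a source when it sprays many accounts or when it pairs a generic admin name with a non-Windows client name. The client-name and account-name lists are taken from the comment; the thresholds are assumptions to tune per environment.

```python
"""Triage Windows Security 4625 (logon failure) events for RDP credential guessing.

Added example; not the commenter's tooling. The event lines are constructed
(203.0.113.0/24 and 10.0.0.0/8 addresses) in a one-line-per-event form; in
practice you would flatten the fields exported from the Security log.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+4625\s+TargetUserName=(?P<user>\S+)\s+WorkstationName=(?P<ws>\S*)\s+"
    r"IpAddress=(?P<ip>\S+)\s+LogonType=(?P<lt>\d+)$"
)

# Account names named in the comment above (compared case-insensitively).
GENERIC_ADMIN_ACCOUNTS = {"administrator", "admin", "administrateur", "administrador"}
# Client names the commenter saw; Windows clients normally report a NetBIOS host name.
NON_WINDOWS_RDP_CLIENTS = {"remmina", "freerdp"}
# 10 = RemoteInteractive (classic RDP logon); 3 = Network, which NLA/CredSSP failures log as.
RDP_LOGON_TYPES = {"3", "10"}


def parse_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse the flattened 4625 lines; anything that does not match is skipped."""
    return [m.groupdict() for m in (EVENT_RE.match(l.strip()) for l in lines) if m]


def summarise_by_source(events: List[Dict[str, str]]) -> Dict[str, dict]:
    """Per source IP: failure count, distinct account names, distinct client names."""
    per_ip: Dict[str, dict] = defaultdict(
        lambda: {"attempts": 0, "users": set(), "workstations": set()}
    )
    for ev in events:
        if ev["lt"] not in RDP_LOGON_TYPES:
            continue
        s = per_ip[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"].lower())
        s["workstations"].add(ev["ws"].lower())
    return per_ip


def flag_sources(events: List[Dict[str, str]], min_attempts: int = 10,
                 min_accounts: int = 3) -> Dict[str, List[str]]:
    """Return {ip: [reasons]} for sources that look like RDP credential guessing.

    A source is flagged when it sprays (many failures across several accounts)
    or when a non-Windows client name is paired with a generic admin account;
    a lone mistyped password from a workstation is left alone. Thresholds are
    assumptions, not values from the page.
    """
    findings: Dict[str, List[str]] = {}
    for ip, s in summarise_by_source(events).items():
        spray = s["attempts"] >= min_attempts and len(s["users"]) >= min_accounts
        guessed = sorted(s["users"] & GENERIC_ADMIN_ACCOUNTS)
        clients = sorted(s["workstations"] & NON_WINDOWS_RDP_CLIENTS)
        if not (spray or (guessed and clients)):
            continue
        reasons = []
        if spray:
            reasons.append(f"{s['attempts']} failures across {len(s['users'])} accounts")
        if guessed:
            reasons.append("generic admin names: " + ", ".join(guessed))
        if clients:
            reasons.append("non-Windows RDP client name: " + ", ".join(clients))
        findings[ip] = reasons
    return findings


def constructed_sample() -> List[str]:
    """Constructed 4625 lines: one spraying source plus one user who mistyped a password."""
    users = ["Administrator", "admin", "administrateur", "administrador"]
    clients = ["Remmina", "FreeRDP"]
    lines = [
        f"2019-11-03T02:{14 + i:02d}:07Z 4625 TargetUserName={users[i % 4]} "
        f"WorkstationName={clients[i % 2]} IpAddress=203.0.113.45 LogonType=3"
        for i in range(12)
    ]
    lines.append("2019-11-03T08:01:55Z 4625 TargetUserName=alice "
                 "WorkstationName=WS-ALICE IpAddress=10.0.0.7 LogonType=10")
    return lines


if __name__ == "__main__":
    for ip, reasons in flag_sources(parse_events(constructed_sample())).items():
        print(ip, "->", "; ".join(reasons))
```

The output is a list of source addresses to block at the edge (or hand to the NLA/account-lockout discussion), which is a different remedy from the BlueKeep patch; both are needed on a server that is reachable from the internet.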

Meanwhile—well, back on May 21—Erick Galinkin predicted this would happen:

 May 21 2019: “The vulnerability is wormable. Patch your ****.”

October-ish 2019: Ransomware worm using CVE-2019-0708 comes out.

Hundreds of companies the day after: *surprised pikachu face*

And Finally:

Blade Runner intro but actually Los Angeles, November 2019

Hat tip: Rob Beschizza


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: HBO

Richi Jennings


Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
