Currently, the only publicly available exploit for the BlueKeep vulnerability is the Metasploit module, introduced by developers in September this year. The code for this exploit is based on the proof-of-concept of RiskSense specialist Sean Dillon. Although the exploit for BlueKeep generally works, it has a significant drawback: it can provoke the occurrence of BSOD in some systems, and not provide the attacker with a remote shell.
Kevin Beaumont, a well-known British specialist, noticed this problem while studying a recent malicious campaign using BlueKeep.
Thus, attacks by unknown hackers disabled 10 of the 11 “baits” of the researcher, forcing them to crash and causing the arrival of BSOD.
As it was reported now, the developers of the BlueKeep module for Metasploit intend to fix this error at the end of this week.
Read also: BlueKeep Attack Warnings Didn’t Affect Users
ZDNet reports that, according to Dillon, the main cause of BSOD was a patch for processor vulnerability Meltdown, previously released by Microsoft. To avoid this unpleasant feature, the developers decided to slightly adjust the exploit at an early stage so that they did not have to create a full-fledged workaround.
“Side effects of the Meltdown patch inadvertently breaks the syscall hooking kernel payloads used in exploits such as EternalBlue and BlueKeep. Here is a horribly hacky way to get around it…”, — writes Sean Dillon.
The technical details of the problem and its workaround are available on Dillon’s blog.
Unfortunately, for ordinary users, a more reliable exploit for the BlueKeep problem is unlikely to be good news. The fact is that, according to BinaryEdge, the network still has more than 700,000 vulnerable Windows-systems (not counting those that are located inside private networks, behind firewalls), and there is no patches on them. Even if Microsoft experts are mistake, and overestimate threat of self-spreading worms that use BlueKeep to deliver ransomware and other malware, attackers can still effectively use the vulnerability.
“The majority of BlueKeep device vulnerabilities are servers. However, in general, Windows servers have the ability to control devices on the network. They are either domain administrators, or they have network management tools installed, or they have the same local administrator credentials as the rest of the network. Having compromised a network server, it is incredibly easy to use automated tools for internal attacks (for example, the server extends ransomware to every system on the network)” – says British expert Marcus “MalwareTech” Hutchinson, who is known for stopping the WannaCry epidemic.
The real risk from BlueKeep is not a worm. The worm is useless and too noisy. Once an attacker penetrates the network, he can do much more damage using standard automated tools, rather than BlueKeep. It’s time for people to stop worrying about worms and start worrying about basic network security. Protect your servers from the Internet and mind credential hygiene. Worms appear occasionally, while entire networks are compromised daily because of standard tools.
User Review
( votes)
