{"id":11766,"date":"2019-11-04T11:22:55","date_gmt":"2019-11-04T10:22:55","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=11766"},"modified":"2020-01-23T12:35:57","modified_gmt":"2020-01-23T11:35:57","slug":"windows-first-bluekeep-metasploit-in-the-wild","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/11\/04\/windows-first-bluekeep-metasploit-in-the-wild\/","title":{"rendered":"Windows: first BlueKeep Metasploit in the wild"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2019\/11\/04\/windows-erste-bluekeep-angriffe-gesichtet\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Security researchers have now, probably for the first time, seen a Metasploit-based exploit in the wild that targets the BlueKeep vulnerability and tries to install a crypto-miner. At the moment, however, this exploit still ends in BlueScreens.<\/p>\n<p><!--more--><\/p>\n<p>The BlueKeep vulnerability in the Windows RDP service (Remote Desktop Services) threatens unpatched systems from Windows XP to Windows 7 and their server counterparts. I had been warning about the BlueKeep vulnerability for months (see <a href=\"https:\/\/borncity.com\/win\/2019\/07\/23\/bluekeep-warning-exploit-might-come-soon\/\">BlueKeep warning: Exploit might come soon?<\/a>). It seems, however, that the BlueKeep vulnerability is difficult to exploit reliably in practice. 
That is the only way to explain why things have stayed so quiet so far, even though a Metasploit module has been publicly available since September (see <a href=\"https:\/\/borncity.com\/win\/2019\/09\/07\/windows-bluekeep-metasploit-ffentlich-verfgbar\/\">Windows: Bluekeep Metasploit released in the wild<\/a>). But that could change now.<\/p>\n<h2>RDP honeypots suddenly crash with BlueScreens<\/h2>\n<p>I had already seen it at the weekend, but only now am I able to write something up. After the BlueKeep vulnerability became known and the first exploits became available, security researcher Kevin Beaumont set up a worldwide network of RDP honeypots (EternalPot) for it. On Saturday Beaumont reported that his EternalPot RDP honeypots, which expose nothing but port 3389, had suddenly started showing BlueScreens.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">huh, the EternalPot RDP honeypots have all started BSOD'ing recently. They only expose port 3389. <a href=\"https:\/\/t.co\/VdiKoqAwkr\">pic.twitter.com\/VdiKoqAwkr<\/a><\/p>\n<p>\u2014 Kevin Beaumont (@GossiTheDog) <a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1190654984553205761?ref_src=twsrc%5Etfw\">November 2, 2019<\/a><\/p><\/blockquote>\n<p><span id=\"preserve9e633d8956e3443b985afa94bab52c35\" class=\"wlWriterPreserve\"><script src=\"https:\/\/platform.twitter.com\/widgets.js\" async=\"\" charset=\"utf-8\"><\/script><\/span><\/p>\n<p>Specifically, the first BlueScreen, followed by a reboot of the underlying Windows system, had already appeared on 23 October 2019. In the following weeks these BlueScreens showed up on further honeypots. The suspicion was that someone was trying to exploit the BlueKeep vulnerability. In another tweet, however, it quickly became clear that it was probably not a worm that had attacked the honeypots: according to Beaumont, there were only BlueScreens at various honeypots, no sign of self-propagation. 
Here is a post from him:<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">imma retrieving the crash logs to see if anything interesting <a href=\"https:\/\/t.co\/sEoMV37RG7\">pic.twitter.com\/sEoMV37RG7<\/a><\/p>\n<p>\u2014 Kevin Beaumont (@GossiTheDog) <a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1190658692145983488?ref_src=twsrc%5Etfw\">November 2, 2019<\/a><\/p><\/blockquote>\n<p><span id=\"preserve4e6895520f204156850cf16dc3d06a8b\" class=\"wlWriterPreserve\"><script src=\"https:\/\/platform.twitter.com\/widgets.js\" async=\"\" charset=\"utf-8\"><\/script><\/span><\/p>\n<p>On November 2, 2019 he received the bill for the Microsoft Azure services he had booked and looked at the details in Azure Sentinel, which he uses for log analysis.<\/p>\n<p><a href=\"https:\/\/miro.medium.com\/max\/1587\/1*2zjaTlwwX4TaZ64LILRKcw.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" title=\"Azure Sentinel\" src=\"https:\/\/miro.medium.com\/max\/1587\/1*2zjaTlwwX4TaZ64LILRKcw.png\" alt=\"Azure Sentinel\" width=\"630\" height=\"285\" \/><\/a><br \/>\n(Azure Sentinel, Source: Kevin Beaumont)<\/p>\n<p>Since 22\/23 October, the affected Azure instances had been crashing with BSODs. Security researchers then looked at the crash dumps from the BlueScreens &#8211; an analysis can be <a href=\"https:\/\/www.kryptoslogic.com\/blog\/2019\/11\/bluekeep-cve-2019-0708-exploitation-spotted-in-the-wild\/\" target=\"_blank\" rel=\"noopener noreferrer\">found here<\/a>. Security researcher MalwareTech confirmed that the kernel dump contained traces of the Metasploit BlueKeep exploit (or at least something derived from it). The attackers' aim is apparently to install a crypto-miner on Windows machines via the vulnerability. 
Beaumont has now published a <a href=\"https:\/\/doublepulsar.com\/bluekeep-exploitation-activity-seen-in-the-wild-bd6ee6e599a6\" target=\"_blank\" rel=\"noopener noreferrer\">writeup<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Here's a writeup of the BlueKeep exploitation activity investigated this weekend <a href=\"https:\/\/t.co\/q1ne8uuyai\">https:\/\/t.co\/q1ne8uuyai<\/a><\/p>\n<p>\u2014 Kevin Beaumont (@GossiTheDog) <a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1190967736593240065?ref_src=twsrc%5Etfw\">November 3, 2019<\/a><\/p><\/blockquote>\n<p><span id=\"preserve5bfa1486983347469eee72521f113e84\" class=\"wlWriterPreserve\"><script src=\"https:\/\/platform.twitter.com\/widgets.js\" async=\"\" charset=\"utf-8\"><\/script><\/span><\/p>\n<p>At present, the impact is still limited: it is not a self-spreading worm, and dropping a crypto-miner on the machines is a nuisance rather than a major threat. The conclusion from these attacks, however, is that there are now people who understand how to attack arbitrary, unpatched targets using the BlueKeep vulnerability, even if their exploit currently still ends in BlueScreens. There is a good chance the attacks will become more sophisticated soon. More articles can be found at <a href=\"https:\/\/www.wired.com\/story\/bluekeep-hacking-cryptocurrency-mining\/\" target=\"_blank\" rel=\"noopener noreferrer\">Wired<\/a>, <a href=\"https:\/\/thehackernews.com\/2019\/11\/bluekeep-rdp-vulnerability.html\" target=\"_blank\" rel=\"noopener noreferrer\">The Hacker News<\/a> or <a href=\"https:\/\/thehackernews.com\/2019\/11\/bluekeep-rdp-vulnerability.html\" target=\"_blank\" rel=\"noopener noreferrer\">ZDNet<\/a>.<\/p>\n<h2>Background: BlueKeep vulnerability<\/h2>\n<p>I have reported on the BlueKeep vulnerability CVE-2019-0708 in several blog posts. 
An explanation of the vulnerability can be found in the blog post <a href=\"https:\/\/borncity.com\/win\/2019\/05\/15\/critical-update-for-windows-xp-up-to-windows-7-may-2019\/\">Critical update for Windows XP up to Windows 7 (May 2019)<\/a>.<\/p>\n<p>There is a patch, but it has not been installed on all systems. It is currently estimated that approximately 800,000 systems are still unpatched and reachable from the Internet (see <a href=\"https:\/\/borncity.com\/win\/2019\/07\/22\/windows-wie-stehts-um-die-bluekeep-schwachstelle-im-juli-2019\/\">Windows: What about the BlueKeep vulnerability in July 2019?<\/a>).\u00a0In my blog post <a href=\"https:\/\/borncity.com\/win\/2019\/06\/06\/how-to-bluekeep-check-for-windows\/\">How To: BlueKeep-Check for Windows<\/a>, I explained how a system can be checked locally for the installed patches and how a network can be scanned for vulnerable hosts.<\/p>\n<blockquote><p>Addendum: An analysis of how the attackers are using the vulnerability could be found here (link deleted).<\/p><\/blockquote>\n<p><strong>Similar articles<br \/>\n<\/strong><a href=\"https:\/\/borncity.com\/win\/2019\/05\/28\/angreifer-scannen-windows-systeme-auf-bluekeep-lcke\/\">A threat actor scans Windows systems for BlueKeep vulnerability<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2019\/05\/21\/bluekeep-watch-the-windows-remote-desktop-services-vulnerability\/\">BlueKeep: Windows Remote Desktop Services vulnerability exploits status<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2019\/05\/15\/critical-update-for-windows-xp-up-to-windows-7-may-2019\/\">Critical update for Windows XP up to Windows 7 (May 2019)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2019\/05\/29\/nearly-1-million-windows-machines-with-bluekeep-vulnerability\/\">Nearly 1 million Windows machines with BlueKeep vulnerability<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2019\/06\/01\/bluekeep-vulnerability-microsoft-warns-about-a-wormable-malware-epedemia\/\">BlueKeep 
vulnerability: Microsoft warns about a wormable malware epidemic<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2019\/06\/03\/bluekeep-patch-for-pirated-copies-ssl-tunnel-as-a-risk-factor\/\">BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2019\/09\/07\/windows-bluekeep-metasploit-ffentlich-verfgbar\/\">Windows: Bluekeep Metasploit released in the wild<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2019\/07\/23\/bluekeep-warning-exploit-might-come-soon\/\">BlueKeep warning: Exploit might come soon?<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2019\/06\/06\/how-to-bluekeep-check-for-windows\/\">How To: BlueKeep-Check for Windows<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Security researchers have now, probably for the first time, seen a Metasploit-based exploit in the wild that targets the BlueKeep vulnerability and tries to install a crypto-miner. At the moment, however, this exploit still ends in BlueScreens.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[1965,69,194],"class_list":["post-11766","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-bluekeep","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/11766","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=11766"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/11766\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=11766"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=11766"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=11766"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
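The local patch check referred to in the "How To: BlueKeep-Check for Windows" paragraph of the post, as an added example that is not part of the original post or of the linked how-to: a PowerShell script that reports whether a host falls into the affected Windows XP to Windows 7 / Server 2008 R2 range, whether one of Microsoft's May 2019 fixes for CVE-2019-0708 is installed, and whether Remote Desktop is enabled with Network Level Authentication (NLA). The KB numbers are the ones Microsoft listed for CVE-2019-0708 and are not taken from this post; the function name Get-BlueKeepStatus, the registry checks and the verdict strings are my own. It is written against PowerShell 2.0 cmdlets (Get-WmiObject, Get-HotFix) so that it also runs on the Windows 7-era systems that are actually affected, and it assumes an elevated PowerShell prompt on the host being checked.

```powershell
# Added example (not from the original post): local BlueKeep (CVE-2019-0708) exposure check.
# Assumptions: elevated PowerShell prompt; PowerShell 2.0-compatible cmdlets only, so it runs
# on Windows 7 / Server 2008 R2 and older. KB numbers are from Microsoft's May 2019 advisory
# for CVE-2019-0708, keyed by the major.minor kernel version of each Windows product line.

$BlueKeepFixes = @{
    '5.1' = @('KB4500331')               # Windows XP
    '5.2' = @('KB4500331')               # Windows Server 2003, Windows XP x64
    '6.0' = @('KB4499180', 'KB4499149')  # Vista, Server 2008 (security-only, monthly rollup)
    '6.1' = @('KB4499175', 'KB4499164')  # Windows 7, Server 2008 R2 (security-only, monthly rollup)
}

function Get-BlueKeepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # "6.1.7601" -> "6.1"; Windows 8 and later (6.2+) are outside the CVE-2019-0708 range
    $line = ($os.Version -split '\.')[0..1] -join '.'

    $status = New-Object PSObject -Property @{
        Caption     = $os.Caption
        Version     = $os.Version
        Affected    = $BlueKeepFixes.ContainsKey($line)
        PatchFound  = $false
        RdpEnabled  = $false
        NlaRequired = $false
        RdpPort     = $null
        Verdict     = 'not affected: this Windows version is outside the CVE-2019-0708 range'
    }
    if (-not $status.Affected) { return $status }

    # 1. Patch check. Get-HotFix reads Win32_QuickFixEngineering, which lists updates applied
    #    through Windows Update / WUSA. A fix slipstreamed into an image, or one superseded by a
    #    later monthly rollup, may not be listed, so PatchFound = False is a reason to look
    #    closer (e.g. with the network scan from the how-to), not a final verdict.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    $hits = @($BlueKeepFixes[$line] | Where-Object { $installed -contains $_ })
    $status.PatchFound = ($hits.Count -gt 0)

    # 2. Exposure check. fDenyTSConnections = 1 means Remote Desktop is switched off.
    #    UserAuthentication = 1 means NLA is required, so an attacker must authenticate before
    #    the vulnerable channel handling is reached; Microsoft's recommended stop-gap for
    #    hosts that cannot be patched immediately, but it does not remove the bug.
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"
    $ts  = Get-ItemProperty -Path $tsKey  -ErrorAction SilentlyContinue
    $rdp = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue
    $status.RdpEnabled  = ($ts -ne $null -and $ts.fDenyTSConnections -eq 0)
    $status.NlaRequired = ($rdp -ne $null -and $rdp.UserAuthentication -eq 1)
    if ($rdp -ne $null) { $status.RdpPort = $rdp.PortNumber }

    if     ($status.PatchFound)      { $status.Verdict = 'patched against CVE-2019-0708' }
    elseif (-not $status.RdpEnabled) { $status.Verdict = 'UNPATCHED, but Remote Desktop is disabled' }
    elseif ($status.NlaRequired)     { $status.Verdict = 'UNPATCHED, NLA required: blocks unauthenticated exploitation only' }
    else                             { $status.Verdict = 'VULNERABLE: unpatched, Remote Desktop enabled, no NLA' }
    return $status
}

Get-BlueKeepStatus | Format-List Caption, Version, Affected, PatchFound, RdpEnabled, NlaRequired, RdpPort, Verdict
```

Two caveats a practitioner should keep in mind: a missing KB entry does not prove the host is unpatched (later monthly rollups supersede the May 2019 fix and images may have it slipstreamed), so treat PatchFound = False as a prompt to verify with the network scanner from the how-to; and NLA only stops unauthenticated exploitation, which is exactly the attacker profile seen against the honeypots, but an attacker with valid credentials could still reach the vulnerable code path on an unpatched host.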